MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 916eee1fff3ef0a6927be3c4f6f8cd5b6a7f59d024ae681606bf4659b98e809f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar
Vendor detections: 14
SHA256 hash: 916eee1fff3ef0a6927be3c4f6f8cd5b6a7f59d024ae681606bf4659b98e809f
SHA3-384 hash: db61bed4e65248504dac2cf8ec65dae74357f7a0bb17ad1c6cc8a330920fccc9c4846c3640e7468db283738f8379924f
SHA1 hash: 8a0b8c4021cdfc37bc3514c14374ca3d8251e2f8
MD5 hash: ceac8d319a011ba082cf1ab197d328e9
humanhash: network-green-item-missouri
File name: ceac8d319a011ba082cf1ab197d328e9
Signature: Vidar
File size: 563'200 bytes
First seen: 2023-11-06 21:25:17 UTC
Last seen: 2023-11-06 23:16:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:9t2srLN4gZpSEgHXvr83c6FdjdbqA8XmIM0qeKm7PH:9tZrLNrZpS3v+djdbAXVjKg/
TLSH: T14FC41241D2FA5B6DE4F786790C5073E13632A9432413DB62DDC4E91A38BC6FE4EC1AA4
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: zbetcheckin
Tags: 32 exe vidar

Intelligence

File Origin
# of uploads: 2
# of downloads: 391
Origin country: FR

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Installers.zip
Verdict: Malicious activity
Analysis date: 2023-11-07 17:14:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% directory
Searching for synchronization primitives
Modifying a system file
Searching for the window
Replacing files
Using the Windows Management Instrumentation requests
Launching the process to interact with network services
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: PrivateLoader, RedLine, SmokeLoader, Vid
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected onlyLogger
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1337937, Sample: Yr7pYbz4E7.exe, Startdate: 06/11/2023, Architecture: WINDOWS, Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 21 other signatures
Process tree reconstructed from the graph (network contacts, dropped files and signatures listed per process):
- Yr7pYbz4E7.exe
    Signatures: Adds a directory exclusion to Windows Defender; Disables UAC (registry)
    - CasPol.exe
        Network: 95.214.26.28 (CMCSUS, Germany); 85.209.11.204 (SYNGB, Russian Federation); 17 other IPs or domains
        Dropped: C:\Users\...\zkMrfGREYIj27fSxhNlKXXqJ.exe (PE32); C:\Users\...\xv0cI2stGiFE4rRmYVjXfZwQ.exe (PE32); C:\Users\...\xG9BvIsIzcaA1rsJeBgEqUXk.exe (PE32); 163 other malicious files
        Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
        - Oe5f4m2VzQAmD7kec4qrXPF2.exe
            Network: 93.186.225.194 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 95.142.206.0 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 16 other IPs or domains
            Dropped: C:\Users\...\y3UBDt64N0StoHDzhlx5T86G.exe (PE32+); C:\Users\...\tw4PQGPxdbOXrdcf2bzQuf19.exe (PE32); 26 other malicious files
            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); 2 other signatures
        - xv0cI2stGiFE4rRmYVjXfZwQ.exe
            Dropped: C:\Users\user\AppData\Local\...\is-1QU0D.tmp (PE32)
            - is-1QU0D.tmp
                Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 28 other files (27 malicious)
                - IsoBuster_1121.exe
                    Dropped: C:\ProgramData\Audio Tuner\Audio Tuner.exe (PE32)
                - net.exe
                    - conhost.exe
                    - net1.exe
                - IsoBuster_1121.exe
                    Network: 217.23.6.51 (WORLDSTREAMNL, Netherlands); 217.23.9.168 (WORLDSTREAMNL, Netherlands); 3 other IPs or domains
        - ec1f3g6GvBF1NJGGVGxQmhnF.exe
            Dropped: C:\Users\user\AppData\Local\...\is-3PFHR.tmp (PE32)
            - is-3PFHR.tmp
                Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 26 other files (25 malicious)
        - 10 other processes
            Network: 5.182.38.138 (VMAGE-ASRU, Russian Federation); 87.240.129.133 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 14 other IPs or domains
            Dropped: C:\Users\...\vDaKP5COInOqbz_HiB4iTqPP.exe (PE32); C:\Users\...\ufQkaVpBYWInFzrUQcmGJxfh.exe (PE32); C:\Users\...\uY9Loz3nuReCLXUoHFtYuFGq.exe (PE32); 32 other files (30 malicious)
            Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 7 other signatures
            - AHqOpbqJi1dNzpRalGkLas9l.exe
                Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
                - explorer.exe (injected)
                    Dropped: C:\Users\user\AppData\Roaming\wigidth (PE32)
                    Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
                    - cmd.exe
                        - conhost.exe
                    - cmd.exe
                        - conhost.exe
            - WYgwUUgbEWYLWZKgfoVEwYZ0.exe
                Dropped: Opera_installer_2311062127104317652.dll (PE32)
                - WYgwUUgbEWYLWZKgfoVEwYZ0.exe
                    Dropped: Opera_installer_2311062127113357848.dll (PE32)
            - Broom.exe
                Signatures: Multi AV Scanner detection for dropped file
            - 6 other processes
                Network: 142.250.217.97 (GOOGLEUS, United States); 142.251.33.110 (GOOGLEUS, United States)
                Dropped: Opera_installer_2311062127074087308.dll (PE32); Opera_installer_2311062127066786120.dll (PE32)
    - powershell.exe
        - conhost.exe
- svchost.exe
    Network: 23.60.72.63 (AKAMAI-ASUS, United States); 127.0.0.1 (unknown)
- svchost.exe
- 2 other processes
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-11-06 21:26:07 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 8 of 38 (21.05%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:privateloader family:smokeloader family:vidar botnet:9ea41fac0af12ade12ae478b6c25112b botnet:pub1 backdoor discovery evasion loader spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Downloads MZ/PE file
PrivateLoader
SmokeLoader
UAC bypass
Vidar
Windows security bypass
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199566884947
https://t.me/octobrains
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SHA256 hash: 9f0595233b5eacb68d34b3ea528a37036f384df9d6cf0fe0989c0f1781c5a7a2
MD5 hash: b07f4d6cc6c892c968f1bfb2b5138d69
SHA1 hash: 7adf3a0e4a12a63fa1e88e0f6b17ea684e04808a

SHA256 hash: 916eee1fff3ef0a6927be3c4f6f8cd5b6a7f59d024ae681606bf4659b98e809f
MD5 hash: ceac8d319a011ba082cf1ab197d328e9
SHA1 hash: 8a0b8c4021cdfc37bc3514c14374ca3d8251e2f8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File: Executable exe 916eee1fff3ef0a6927be3c4f6f8cd5b6a7f59d024ae681606bf4659b98e809f (this sample)

Delivery method
Distributed via web download

Comments
zbet commented on 2023-11-06 21:25:18 UTC

url: hxxp://194.49.94.67/files/123.exe