MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747
SHA3-384 hash:	983eab38e4e54edaf521b7cd170b5ac292d1abcc6b8218d249db2079c323f2fcbb2ccf20a0314244d5a7070f477ea485
SHA1 hash:	66ce96dbdd0b5af512ae91c01e2da329a98217e1
MD5 hash:	9c8d15878dec001b1e1154164fc4645d
humanhash:	double-butter-yellow-glucose
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	289'832 bytes
First seen:	2024-09-17 05:01:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:W4jOlcZQk/PctmdAH4z+/FiU8ybfJ4r7la/onAUfwA4Xav3VEO:ZpPtqHkGiUl/oNCM3VEO
TLSH	T1D55412E09B346B0CDEDF4BB5A5A19B23C971D6306605F2AE7142DE93F10A3440BE2769
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	exe vidar

Bitsight

url: https://ipsolutions.com.ar/vaskfs16.exe

Intelligence

File Origin

# of uploads :

# of downloads :

463

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747.exe

Verdict:

Malicious activity

Analysis date:

2024-09-17 10:26:27 UTC

Tags:

vidar

Link:

https://app.any.run/tasks/0d094dc4-e916-405c-9d3b-4c974e8e6862

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Stealerc-10034588-0

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66e90d4f71e91b3281ba1a76

Tags:

Encryption Static

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/66e90d4d5e9303a294223878/reports/d7520612-aa56-4009-9523-a0135c457db7/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/7627e39b-06d7-4e76-bf43-adbe1ea3e8b6

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1512296

Signature

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

78%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747/

Threat name:

Win32.Trojan.StealC

Status:

Malicious

First seen:

2024-09-17 05:02:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s5ka6mki3xfznrt2lstk3dphtqvetyilvze4mvivvmnxhbmhy5dq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/240917-fn4zpswdkl/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a9e13448-1359-45f7-8bb1-9b4fb52b436c

Unpacked files

SH256 hash:

365699cc499201b366ecd5fbfa46985df4e9f858e3e6c310f8b9b0f1c3230bd0

MD5 hash:

8e7111d7c38c26cbb64907bdea14cdcb

SHA1 hash:

8e78ef013bc6b81caf6aace8cb92bd724e6f295c

Detections:

VidarStealer

Link:

https://www.unpac.me/results/8877fb23-0813-442c-8cde-87f2a37a637d/

Parent samples :

5ddb5598f1156d0ea44502cfbe89fdb6805c6b4be08cd33fd1a963b94544918e
97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747
44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147
a6fc0eacb5308bb4e616a6f5caabc12104256d13049ee0744cf53ca7debe6efd
41b381e462f4108957fbab888701dfb9e605621507f8dd2d3f71a32b429c5f0c

SH256 hash:

0ab41930f0a18d7629031bf5cd9a8c7090c13983c1d7567b9018185f0fa18f0d

MD5 hash:

2890a00ef6943ed98e2b7c6e3e49ae1c

SHA1 hash:

9072a751e68fe39222aebc87ffb898a423310ce9

Link:

https://www.unpac.me/results/8877fb23-0813-442c-8cde-87f2a37a637d/

SH256 hash:

97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747

MD5 hash:

9c8d15878dec001b1e1154164fc4645d

SHA1 hash:

66ce96dbdd0b5af512ae91c01e2da329a98217e1

Link:

https://www.unpac.me/results/8877fb23-0813-442c-8cde-87f2a37a637d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_APT29_WINELOADER_Backdoor Create hunting rule
Author:	daniyyell
Description:	Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:	https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe 97540f3148ddcb96c67a5ca6ad8de79c2a49e10bae49c65515ab1b738587c747

(this sample)

Dropped by

Privateloader

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3177744/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample