MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99481f540a11c13b1e960815d8a0e7d26cac8953c98e4f2d3b76e0acb61c6fe0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99481f540a11c13b1e960815d8a0e7d26cac8953c98e4f2d3b76e0acb61c6fe0
SHA3-384 hash: 388addfab7a5b40f74bbb860e456c10bb7b024d42265f76352814aa910ec00c557eb92f805a3dd5ff23cbc9e9ff66731
SHA1 hash: 2219a5f7cbfb0521d429faf77eabdeb58a26d041
MD5 hash: aa1fafc03b0578979f5f0660e8266cab
humanhash: lithium-table-enemy-ceiling
File name:MicrosoftOfficeCrack.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:2'441'232 bytes
First seen:2023-02-01 06:49:33 UTC
Last seen:2023-02-01 08:34:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a3017ccb2c25f455f959277b4c3674df (2 x RedLineStealer, 2 x Vidar, 1 x Blackcocaine)
ssdeep 24576:JP2Nr/ox3EmOgBRWoIy1MIWHOq8aDCc5Orzb06Y51fdJFP9XJ2VyGbYJc6IU2rew:JP2NDox3nLMIOOq8aOR
Threatray 1'919 similar samples on MalwareBazaar
TLSH T1AAB508B02B4B19DFD7560ABCD4874F52DF142274D3245980CCE5783AEAE7E273D8A928
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.4% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
MicrosoftOfficeCrack.exe
Verdict:
Malicious activity
Analysis date:
2023-02-01 06:52:22 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/9fd27d5c-d0fe-4d5c-bd9a-1977c0d51150

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358878/
Detection(s):
SecuriteInfo.com.Variant.Jaik.115913.29338.4856.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63da0b9d2d4f6d560e23e8b7/reports/0bf3f936-e1a9-4841-b835-d70f0453eb7f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b74a1f74-88f9-4fd2-ab55-967c9d08f2e1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99481f540a11c13b1e960815d8a0e7d26cac8953c98e4f2d3b76e0acb61c6fe0/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-01 06:50:10 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfeb6vakchatwhuwbak5rihh2jwkzcktzghe6lj3o3qkznq4n7qa._file
Verdict:
malicious
Similar samples:
08f22af3870c81cf0f903d784abecd650003adfff360ff0529540091f277d057
Vidar
28481cfb09fe12acea1347b45a6f5e71f9442ef13a5c4e77ab226a4eb135db5b
Vidar
6511d09ada2bc11a95c06bd20abb66f450b9b2a6ed1f00c723401884ce7a2e61
Vidar
8eb995eea0b0973e28f2e922b33bcdec5b42cac58dabd420e248b657a6813266
Vidar
ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
Vidar
e8ce6cee6554f2699605da7a59abe4ff81d96c5f2e4066e2314ddac92363fdd3
Vidar
+ 1'909 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:408 evasion spyware stealer trojan
Link:
https://tria.ge/reports/230201-hlx5gscc37/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Malware Config
C2 Extraction:
https://t.me/litlebey
https://steamcommunity.com/profiles/76561199472399815
Unpacked files
SH256 hash:
0a7b3747c7c99fd3d46b0c91c49d5ef827644c5909b137daf76ff86e02010d24
MD5 hash:
2572de839e444822261df9a551508495
SHA1 hash:
2b455cbb946831bcd1241ad11adbf2e67a83fc0f
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/7801dbc5-b26a-449d-bbae-42c4f48ae92b/
SH256 hash:
99481f540a11c13b1e960815d8a0e7d26cac8953c98e4f2d3b76e0acb61c6fe0
MD5 hash:
aa1fafc03b0578979f5f0660e8266cab
SHA1 hash:
2219a5f7cbfb0521d429faf77eabdeb58a26d041
Link:
https://www.unpac.me/results/7801dbc5-b26a-449d-bbae-42c4f48ae92b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/99481f540a11/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99481f540a11c13b1e960815d8a0e7d26cac8953c98e4f2d3b76e0acb61c6fe0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/358878/

Comments