MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3
SHA3-384 hash:	b7a886e27b1eaa5649e3afa239daab60c62d22f30eab98a0f529c768abb1b764f057ea52ad2bd333cc82129de3ecf40e
SHA1 hash:	aabbaf0480fc40e9a9d551691ac4fd99b85ed1d9
MD5 hash:	f3eef206fee6c21a6201b219cf144e18
humanhash:	chicken-music-yellow-west
File name:	file
Download:	download sample
Signature	Vidar Alert Create hunting rule
File size:	482'304 bytes
First seen:	2023-04-14 14:56:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b481c7cafc5eab37fd735bc92d1b395c (4 x Smoke Loader, 3 x RedLineStealer, 1 x RecordBreaker)
ssdeep	12288:mV18Hl+SF6b7EHIzOac14suD9U1j00puetC6tib:m/8F47Eoy0ZsjFuc
Threatray	579 similar samples on MalwareBazaar
TLSH	T191A4AF2272DC9870E1535A768E5EC6F82D6EF8635F557ADB2354BA3F0A301E2D272304
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	2223032b11130309 (1 x Vidar)
Reporter	jstrosch
Tags:	exe vidar

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

300

Origin country :

US

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-04-14 14:56:38 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/3c7ddfa6-ecde-48c8-a3b6-00c443c296ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/382294/

ClamAV Detected

Detection(s):

Sanesecurity.Malware.29209.BadIN.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/79639/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

exploit greyware packed

Link:

https://www.filescan.io/uploads/643969c159a1287810bc263a/reports/fef6641f-7201-49e9-8a43-bb626b202afa/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/38149d92-d940-4fed-a4ee-bb586bf1eb0f

Joe Sandbox Vidar

Result

Threat name:

Vidar

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1213996

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3/

ReversingLabs TitaniumCloud Win32.Trojan.RedLine

Threat name:

Win32.Trojan.RedLine

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-04-14 14:57:09 UTC

File Type:

PE (Exe)

Extracted files:

56

AV detection:

21 of 24 (87.50%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tglm6wk3cukokozbvqqsykxw6hpnoseklomwhfyrxjafrmpv43rq._file

Threatray malicious

Verdict:

malicious

Similar samples:

0737c068f2012af8cdb27ec08664ba0aca11c0dced3702efb7359d59e2186338

Vidar

1aabaf257833b939257609dea10af40fb814682dd8de52918145f3bc40441625

Vidar

214e9703ba46ea2ec8a747913145d48a8be812ab4beaf8f055e889c204955174

Vidar

271b5a55ffe8fa4b7886abbd3c5cf68614267f8bdc2f6f78fac2f5400e95aa35

Vidar

4598f17c42e3fa2259e57d1e4732ad6847a6b3469114a1d37112a8fca6ba748b

Vidar

558da56234404dd337be2a22e2493aa6c140b7688e58a17236dc95da0e5162eb

Vidar

6c26e5a25958830af43246a52754d4f6686b44cf7c96facce8be29c496561c29

Vidar

b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0

Vidar

c73c5027ec11576250105ea0664c33a51f3a19901c6bcbfd84d88c94f3482435

Vidar

e814d34a0eb17347413d34653b7fca514c931eb1a5317012fe44d54c09617fd4

Vidar

+ 569 additional samples on MalwareBazaar

Hatching Triage vidar

Result

Malware family:

vidar

Alert

Create hunting rule

Score:

  10/10

Tags:

family:vidar botnet:e749025c61b2caca10aa829a9e1a65a1 discovery spyware stealer

Link:

https://tria.ge/reports/230414-sbk3aabh2s/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Program crash

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Loads dropped DLL

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs

UnpacMe VidarStealer

Unpacked files

SH256 hash:

17466c56f4272bbd5c90415568b1e0adce18151792bbd7de8ccb075c3fb536e6

MD5 hash:

fb5511afb0219a90b77517ed1511fb60

SHA1 hash:

7790a2144a000e876c7cff37639a09547e46ac74

Detections:

VidarStealer

Alert

Create hunting rule

Link:

https://www.unpac.me/results/1c09d0bf-15a6-4041-a0ac-96e0aae75d91/

Parent samples :

05bf271392855e4962f4d736eb701e764ad972451205c8be5364f1bd9f824197
1c4fff759380974bfefb163c13bd2c7c68e96076fe1e703c9e6ee167ea74297b
271b5a55ffe8fa4b7886abbd3c5cf68614267f8bdc2f6f78fac2f5400e95aa35
e814d34a0eb17347413d34653b7fca514c931eb1a5317012fe44d54c09617fd4
214e9703ba46ea2ec8a747913145d48a8be812ab4beaf8f055e889c204955174
5ac8bd1c622637a972de501a4737ee63968ee25b3211ed8ec512775e416518e5
4598f17c42e3fa2259e57d1e4732ad6847a6b3469114a1d37112a8fca6ba748b
d22d3e19a68d8c6efe71df22e21bb6be33925cdc30213f7b82bb38d7ccb65096
9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3
f9803322b5a1423f9d3ec2381ceccd1911ff49dba85c0cb25437d653c5658d44
9d32dcd66ddeff3c376b08f6c76d28a3b577eebc2f0d8b9ba1781109ec3d6c62
fc258ff7ef8632a4cc29132b406ea66c43c0dc7fbf9f7ce9b0ab016b8fd0da3a
2050a2f16f735a22589fa28453489733dfa907f5f9b05ce0510b89bcafae0ba4
076765520388312f563d23a0bf30f6069b6d6745faf1d1cf2bf1be5e45866c7e
ffcd81554dfa79fc164a1442d47b404c44e9221376c1632b5ffc6a9b2efeff72
3235d6bdcf964ed58a67049341a5aefda696011a8bc8f29304c8592f68678191
585ecea5cbd604932ea18eb6e089c11bf542b6bdcbc1183d134b7937c3908063
17c93fb176f59f4887e4a957b6af15270964abf3651540bdca34b0cf91c47428
76a4ed024ae4064f850fb46eee2f83e8edd8da2dc0aa45ee023b13e43d12d5be
2f14512e1f5a853252238c152e22e33bc1e14a37e27f015813d3661175294b32
0d4ca324e676d8cd384902068b4caf199e1803fc82fdf3d7ee0fa7a902dcf4f1
8e2c24992e272ae9bd921ce4a96c3c42c8c80b69c615a4570efc06f52f151855

SH256 hash:

9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3

MD5 hash:

f3eef206fee6c21a6201b219cf144e18

SHA1 hash:

aabbaf0480fc40e9a9d551691ac4fd99b85ed1d9

Link:

https://www.unpac.me/results/1c09d0bf-15a6-4041-a0ac-96e0aae75d91/

VMRay Vidar.A

Malware family:

Vidar.A

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9996cf595b15/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe 9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/382294/