MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707
SHA3-384 hash: 86ef0e802906d2ca5e3d457fc1ddac9756f6eefe88bfc4dbf037f507444be3ed04a03ac909bbf7877248e0853ab7c303
SHA1 hash: 8efec66e57e052d6392c5cbb7667d1b49e88116e
MD5 hash: bea49eab907af8ad2cbea9bfb807aae2
humanhash: spring-robert-batman-montana
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:356'864 bytes
First seen:2024-07-26 09:24:15 UTC
Last seen:2025-03-05 08:30:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6170db845a7347035e264cc3f102fc84 (1 x Vidar)
ssdeep 3072:oh2eRgJtqxVRGKf8OGiLOnXChCrmqSOLMKTJGlRayuEpZTPckmRmVfL:URRgJtqpGO8OUnrpbMKT0lXZT3p
TLSH T19B74BF50F16BD839F5A2493C4C34C6E1212A7C53D969D54BF69C3FAF3DF22406AA9322
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 1a72c2da98585c0c (16 x Stealc, 3 x Smoke Loader, 2 x Vidar)
Reporter Bitsight
Tags:185-215-113-209 exe vidar


Avatar
Bitsight
url: http://185.215.113.16/inc/build_2024-07-25_20-56.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
396
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
http://185.215.113.19/inc/build_2024-07-25_20-56.exe
Verdict:
Malicious activity
Analysis date:
2024-07-26 22:20:44 UTC
Tags:
vidar
Link:
https://app.any.run/tasks/20794eec-12b7-4ffa-9fab-c08e323372ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a36b5781e42e2b16c7b3b0
Tags:
Infostealer
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Sending an HTTP POST request
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc microsoft_visual_cc
Link:
https://www.filescan.io/uploads/66a36b764c5c17942a7e494b/reports/2a36d78a-da34-4450-bef8-ad8772ef64ee/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42ad55cb-3657-405e-ad7a-fd2db76e218a
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1482922
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Searches for specific processes (likely to inject)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1482922 Sample: file.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 84 steamcommunity.com 2->84 86 arpdabl.zapto.org 2->86 102 Multi AV Scanner detection for domain / URL 2->102 104 Found malware configuration 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 13 other signatures 2->108 9 file.exe 1 38 2->9         started        14 main.exe 2->14         started        16 BFCAAEHJDB.exe 1 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 88 steamcommunity.com 23.192.247.89, 443, 49713 AKAMAI-ASUS United States 9->88 90 5.75.212.60, 443, 49714, 49716 HETZNER-ASDE Germany 9->90 98 2 other IPs or domains 9->98 66 C:\Users\user\AppData\...\7847438767[1].exe, PE32+ 9->66 dropped 68 C:\ProgramData\vcruntime140.dll, PE32 9->68 dropped 70 C:\ProgramData\softokn3.dll, PE32 9->70 dropped 80 5 other files (4 malicious) 9->80 dropped 118 Detected unpacking (changes PE section rights) 9->118 120 Detected unpacking (overwrites its own PE header) 9->120 122 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 9->122 128 7 other signatures 9->128 20 BFCAAEHJDB.exe 9->20         started        23 WerFault.exe 22 16 9->23         started        26 cmd.exe 1 9->26         started        92 68.148.96.106 SHAWCA Canada 14->92 94 91.224.234.189 PARKTELECOM-ASRU Russian Federation 14->94 100 28 other IPs or domains 14->100 72 C:\Windows\Temp\h0yu5TYE, PE32+ 14->72 dropped 74 C:\Windows\Temp\g29qQU9G, PE32+ 14->74 dropped 76 C:\Windows\Temp\fJw4qvYl, PE32+ 14->76 dropped 82 15 other files (13 malicious) 14->82 dropped 124 Contains functionality to hide user accounts 14->124 126 Found Tor onion address 14->126 28 WerFault.exe 14->28         started        96 91.92.250.213 THEZONEBG Bulgaria 16->96 78 C:\Users\user\...\euasv89vr56qz5toefmgc1.exe, PE32+ 16->78 dropped 30 euasv89vr56qz5toefmgc1.exe 10 16->30         started        32 WerFault.exe 2 18->32         started        34 WerFault.exe 18->34         started        file6 signatures7 process8 file9 110 Detected unpacking (creates a PE file in dynamic memory) 20->110 60 C:\ProgramData\Microsoft\...\Report.wer, Unicode 23->60 dropped 36 conhost.exe 26->36         started        38 timeout.exe 1 26->38         started        62 C:\ProgramData\Microsoft\...\Report.wer, Unicode 28->62 dropped 64 C:\Users\Public\...\main.exe, PE32+ 30->64 dropped 112 Contains functionality to hide user accounts 30->112 114 Machine Learning detection for dropped file 30->114 116 Found Tor onion address 30->116 40 sc.exe 1 30->40         started        42 sc.exe 1 30->42         started        44 sc.exe 1 30->44         started        46 3 other processes 30->46 signatures10 process11 process12 48 conhost.exe 40->48         started        50 conhost.exe 42->50         started        52 conhost.exe 44->52         started        54 conhost.exe 46->54         started        56 conhost.exe 46->56         started        58 conhost.exe 46->58         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-07-26 09:25:09 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tnsf6vybc3j6cd5kgfuydzh43zx6kvax73hngoc47o4blr67q4dq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar credential_access discovery evasion execution persistence spyware stealer
Link:
https://tria.ge/reports/240726-ldl9ssygnl/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
cURL User-Agent
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Launches sc.exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Credentials from Password Stores: Credentials from Web Browsers
Detect Vidar Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b56480e4-c422-41c7-a86b-e41784e589ef
Unpacked files
SH256 hash:
beb13c6ae121f068f771b4f1901f2c9067f61ca71d7029bb25dc7257e9b0934d
MD5 hash:
36284314cadc9adfaf199c0db5d5f31c
SHA1 hash:
e07cf67488dd9189be17aa297fc3a50027754576
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/48558739-c594-464f-b3b1-f2d844ea7e47/
Parent samples :
9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707
217900ee9e96bcb152005818da2e5382cac579ab6edd540d05f2cdb8c8f4ce8b
bb38168a3222858c6b499dfceec3e3dc9055777b91869dbece107c241d97c436
SH256 hash:
0ab41930f0a18d7629031bf5cd9a8c7090c13983c1d7567b9018185f0fa18f0d
MD5 hash:
2890a00ef6943ed98e2b7c6e3e49ae1c
SHA1 hash:
9072a751e68fe39222aebc87ffb898a423310ce9
Link:
https://www.unpac.me/results/48558739-c594-464f-b3b1-f2d844ea7e47/
SH256 hash:
9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707
MD5 hash:
bea49eab907af8ad2cbea9bfb807aae2
SHA1 hash:
8efec66e57e052d6392c5cbb7667d1b49e88116e
Link:
https://www.unpac.me/results/48558739-c594-464f-b3b1-f2d844ea7e47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3068350/
  
URLhaus
https://urlhaus.abuse.ch/url/3068552/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindFirstVolumeMountPointW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetDiskFreeSpaceExW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleInputW
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::PeekConsoleInputW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateHardLinkA
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::GetSystemDirectoryW
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpOpen

Comments