MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453
SHA3-384 hash: ef8bd686f7114e5865214b0e6ffccd1c75d0bdd7e2ce4f42c1e40a148cf41df9b1e1caab9818f0522fc17d0a6dd59218
SHA1 hash: 7856a03a1ae75e5d88a1a14a78d6215e3fff3cd8
MD5 hash: b64e13823f736dcc033a4407703ff1ec
humanhash: happy-sierra-mississippi-burger
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:1'706'904 bytes
First seen:2023-02-14 17:39:05 UTC
Last seen:2023-02-17 18:42:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c434c6d43b9dd2659df575eadd46929d (1 x Vidar)
ssdeep 49152:GuqT+pDmTKMaEqL4T4pv3Sfb9kPGFOQK0R:GuqT+UTsEqLWcvq9SGFOQKM
Threatray 1'495 similar samples on MalwareBazaar
TLSH T1EE857D25CA1F8DB7FB2F6F32924C2D1114B2BDBC1F568916965490192DE20EE863FD83
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e49a99d9d2f4fdcb (1 x Vidar)
Reporter andretavare5
Tags:exe signed vidar

Code Signing Certificate

Organisation:bullet.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-03T23:18:54Z
Valid to:2023-04-03T23:18:53Z
Serial number: 0484094f86fc198357c6a76c877e8f6324ad
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8cea24f5f70ec422f62dd1e0e36a65e8dee7d84c5ceebfe53ef8788e50f9c429
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc139074685_656115141?hash=FwI1sLCMc1oTl4MoHCNZpO3l5ofMkrrOigZlq1YAKnL&dl=GEZTSMBXGQ3DQNI:1676391460:itFesRMrDu3Sq7at7XWqBn3p5o27uPXUVQlC3eSZq4P&api=1&no_preview=1#dx10

Intelligence

File Origin
# of uploads :
1'106
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2023-02-14 17:41:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6bef0df7-0f96-4841-9f42-d8ec15177c65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/365921/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Launching a process
Сreating synchronization primitives
Creating a file in the %temp% directory
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/69756/overview
Behaviour
MalwareBazaar
MeasuringTime
CallSleep
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63ebc7764c5f96ec064d82fd/reports/1a04ca75-a9f7-43fc-b083-76e6f58ae127/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a6e9a89-4110-4105-9ea2-588d0edc69ac
Result
Threat name:
RHADAMANTHYS, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1174686
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 807487 Sample: file.exe Startdate: 14/02/2023 Architecture: WINDOWS Score: 100 30 Antivirus detection for URL or domain 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected RHADAMANTHYS Stealer 2->34 36 6 other signatures 2->36 7 file.exe 7 2->7         started        process3 dnsIp4 22 sugfwwiv77424s7azl4p.5orafezmh434gnkyqve 7->22 20 C:\Users\user\AppData\Local\...\3953968.dll, PE32 7->20 dropped 38 Writes to foreign memory regions 7->38 40 Allocates memory in foreign processes 7->40 42 Injects a PE file into a foreign processes 7->42 12 fontview.exe 7->12         started        15 ngentask.exe 18 7->15         started        file5 signatures6 process7 dnsIp8 44 Query firmware table information (likely to detect VMs) 12->44 46 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 12->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->48 56 4 other signatures 12->56 24 t.me 149.154.167.99, 443, 49717 TELEGRAMRU United Kingdom 15->24 26 116.202.30.165, 49718, 80 HETZNER-ASDE Germany 15->26 28 192.168.2.1 unknown unknown 15->28 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->50 52 Tries to steal Mail credentials (via file / registry access) 15->52 54 Tries to harvest and steal browser information (history, passwords, etc) 15->54 58 2 other signatures 15->58 18 WerFault.exe 23 9 15->18         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-02-14 17:24:48 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t4pkm65ffanjefbklwxvb6mqgd5ho6h75lzkgpaqtjf4sxnowrjq._file
Verdict:
malicious
Similar samples:
12b053ff554ab6a4db909b0ee33f419b09f1f0f8a6612ae9773db3451e6d166a
Vidar
44f6100a2d95f01fb7e692367928f9df629c556680bc74fe45011482184c8b61
Vidar
6f8c5269ce2ba1e2baa595221a138240040aadf80c8819380563a72a3b7e024b
Vidar
7e349767b32221f32490d0c7270670a35d9c316936fb45bb9a5c900dba521cda
Vidar
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d
Vidar
a97e9b6b2d782625ccd00a2177e55c75f6e6dc87d9a33655e521ded0369b5306
Vidar
ad4e377633b5f0a87ad2a4a6b741615016de79605225737fc4ba5c70308c5e68
Vidar
bf566a0e924a5567391242c61c0070a09ee3bca04a02e4f0170040b90e5b73e5
Vidar
d254183803aaa2a5ab7118f423809013bf0e5fc1766bb37beaea2ce1e0acfa61
Vidar
e661e53f429cd22e30ca6fb368f3e011e76264892f4e718c75cb3636f4f2e611
Vidar
+ 1'485 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys family:vidar botnet:695 spyware stealer
Link:
https://tria.ge/reports/230214-v8wldsed5s/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Unpacked files
SH256 hash:
1f3e91df52a2fd1da4015211eef624034fcd63ae1f5f02381ba68dd7655fcf0a
MD5 hash:
bbbaf49135445f9ed342e1a3c8c551f4
SHA1 hash:
455a99183cf98bf6d7d7ae1d91dd2a543f929bbc
Link:
https://www.unpac.me/results/d68d83a0-aae4-4cb1-ae2e-15305dd9d450/
SH256 hash:
9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453
MD5 hash:
b64e13823f736dcc033a4407703ff1ec
SHA1 hash:
7856a03a1ae75e5d88a1a14a78d6215e3fff3cd8
Link:
https://www.unpac.me/results/d68d83a0-aae4-4cb1-ae2e-15305dd9d450/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f1ea67ba528/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/365921/

Comments