MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0
SHA3-384 hash: e0a8ec07c1b5c7652d4cdfca754561192729a42868cf94f8ed096f4a19562aa654cec38eb46827fe7142116a6f896e5f
SHA1 hash: ddada2f646640b394c04e7166db04200d226281b
MD5 hash: 8e5286e3caa11c78e275892a38f2e772
humanhash: jig-florida-oscar-hot
File name:8e5286e3caa11c78e275892a38f2e772
Download: download sample
Signature Vidar
Create hunting rule
File size:4'929'536 bytes
First seen:2024-07-23 14:45:07 UTC
Last seen:2024-07-26 16:57:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:2t9Kw5Ea4QR/YUxIUnnxIMSsDPUCfCxg+6hUNLindy:mkw6ER/YUZnxIw8ICxvoQcdy
Threatray 22 similar samples on MalwareBazaar
TLSH T13536BF127684DA12C1E91736C9EF442847FDEF463B63DE2A78A9732E39013AA1D4D1CD
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon ccdaa083868726c6 (1 x Vidar)
Reporter zbetcheckin
Tags:32 exe vidar

Intelligence

File Origin
# of uploads :
3
# of downloads :
394
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
http://77.105.132.27/
Verdict:
Malicious activity
Analysis date:
2024-07-23 14:32:42 UTC
Tags:
opendir loader lumma stealer telegram vidar
Link:
https://app.any.run/tasks/9137cf53-6d22-4cb0-8781-a84ac9093b9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Malwarex-10033462-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669fc22aa97e13ad9de78d6f
Tags:
Static Nekark
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Sending an HTTP POST request
Running batch commands
Creating a process with a hidden window
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand lolbin net_reactor obfuscated packed packed vbnet
Link:
https://www.filescan.io/uploads/669fc23a7b9add553eda7ffc/reports/1e31be78-09ca-4c37-baf0-23d752859171/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c056dccc-eeda-4735-ae3c-94d3bfcd54ae
Result
Threat name:
LummaC, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1479475
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1479475 Sample: hOYGfIcBVf.exe Startdate: 23/07/2024 Architecture: WINDOWS Score: 100 51 t.me 2->51 53 liernessfornicsa.shop 2->53 55 4 other IPs or domains 2->55 77 Found malware configuration 2->77 79 Antivirus detection for URL or domain 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 13 other signatures 2->83 9 hOYGfIcBVf.exe 3 2->9         started        signatures3 process4 file5 41 C:\Users\user\AppData\...\hOYGfIcBVf.exe.log, ASCII 9->41 dropped 85 Found many strings related to Crypto-Wallets (likely being stolen) 9->85 87 Writes to foreign memory regions 9->87 89 Allocates memory in foreign processes 9->89 91 Injects a PE file into a foreign processes 9->91 13 MSBuild.exe 1 41 9->13         started        signatures6 process7 dnsIp8 59 t.me 149.154.167.99, 443, 49730 TELEGRAMRU United Kingdom 13->59 61 77.105.132.27, 49757, 49759, 80 PLUSTELECOM-ASRU Russian Federation 13->61 63 2 other IPs or domains 13->63 43 C:\Users\user\AppData\Local\...\rinqu[1].exe, PE32 13->43 dropped 45 C:\Users\user\AppData\Local\...\jrn10[1].exe, PE32 13->45 dropped 47 C:\ProgramData\softokn3.dll, PE32 13->47 dropped 49 7 other files (5 malicious) 13->49 dropped 101 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->101 103 Found many strings related to Crypto-Wallets (likely being stolen) 13->103 105 Contains functionality to inject code into remote processes 13->105 107 4 other signatures 13->107 18 IJECBGIJDG.exe 3 13->18         started        21 JDGCGDBGCA.exe 3 13->21         started        23 cmd.exe 13->23         started        file9 signatures10 process11 signatures12 65 Multi AV Scanner detection for dropped file 18->65 67 Machine Learning detection for dropped file 18->67 69 Writes to foreign memory regions 18->69 75 2 other signatures 18->75 25 MSBuild.exe 18->25         started        29 MSBuild.exe 18->29         started        31 MSBuild.exe 18->31         started        33 MSBuild.exe 18->33         started        71 Allocates memory in foreign processes 21->71 73 Injects a PE file into a foreign processes 21->73 35 MSBuild.exe 16 21->35         started        37 conhost.exe 23->37         started        39 timeout.exe 23->39         started        process13 dnsIp14 57 liernessfornicsa.shop 172.67.213.85 CLOUDFLARENETUS United States 25->57 93 Query firmware table information (likely to detect VMs) 25->93 95 Tries to harvest and steal ftp login credentials 25->95 97 Tries to harvest and steal browser information (history, passwords, etc) 25->97 99 Tries to steal Crypto Currency Wallets 25->99 signatures15
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2024-07-23 14:46:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5qz6mzktzn5osruk54oq2uhd2ppwcd372sdvxt4x6pwhijbkgya._file
Verdict:
malicious
Similar samples:
0947872f18afd457962627cd08eae78498cd6ed27219da7f45a294a0e9e6c947
Vidar
2ccc095e2b7de720513d290dea7ad6cde991ebd3773f5140489a461873cb2ba6
Vidar
8b020cde39d33b53f4c48a8c7ea30fb1f7854b13562508c0a1665ffd1397f7fc
Vidar
9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0
Vidar
cd866b4aa47daf4efb5f4800b7972404a4dace852d2749ca11cf341ca63a368a
Vidar
+ 12 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:b607a7a47e1a6ff266af835d50c6eaa5 credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240723-r492favhkl/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Detect Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://t.me/s41l0
https://steamcommunity.com/profiles/76561199743486170
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e58c8fbb-0e5a-4e3b-9674-bb66c2dabafd
Unpacked files
SH256 hash:
b6b0ac00e7837aea97c5cf979ef3f7e1e45b03af519bddc51b765f3bffc04386
MD5 hash:
07662e711fc646afddc97922f4315983
SHA1 hash:
fcdbc8567e0c40db52bb722869b2763ebc958efb
Link:
https://www.unpac.me/results/7f6b4587-9809-41df-a4f6-989116664e25/
SH256 hash:
81cadb6a9546328647f2fbd1713fcf8ee49921c6a0c7b155f6d287acddab5fd7
MD5 hash:
eb029ab5c2f8de328736c53dc3c7df47
SHA1 hash:
e05c4fba0236fee2516bf53a287e41e0e97a0ee5
Link:
https://www.unpac.me/results/7f6b4587-9809-41df-a4f6-989116664e25/
Parent samples :
12df075fcaec366639ab37f203aa412540f351ee17e7f126a4a126e7a61c2a9b
b8a5ef9ea9fa588907a197db55c743559460190aa58b227db10d6be75d8bfe39
e603e36cae3f0fa9badbeaeff8fb0becb1ed444776892db76cd8d219e2ba92bd
SH256 hash:
fd9d390b651d3b1078f95fb90c8db50211a0d7fe2e22467991653e324e7b0b2a
MD5 hash:
cc48b1b6aeb0f1edd889574a9dc5dd6a
SHA1 hash:
a82f60d2b5171e81d33fa8f9f5784ec49e4a5c1c
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/7f6b4587-9809-41df-a4f6-989116664e25/
Parent samples :
c23b4a05be1b5587fe7d4283c7a99e44b695f486db8f225f5eabf9d7df75f37a
fd9d390b651d3b1078f95fb90c8db50211a0d7fe2e22467991653e324e7b0b2a
29b828a2d4a02f4c3508e27714ceccea4e2d117dc0466671d334a6debd7a077b
9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0
8971036c709723136b99c2f912576f301c3a8ed94f28d6a65dc801ab7f652431
SH256 hash:
7607d453594e5e4477772d2a3f67cc6600bab336aa42b7ae924211e7170d53f1
MD5 hash:
e36a783433d3485d641c8fa7ebcbdb9f
SHA1 hash:
2c4e1e3a055c327f9f3765e8bbff204d5052e01f
Link:
https://www.unpac.me/results/7f6b4587-9809-41df-a4f6-989116664e25/
SH256 hash:
0ab41930f0a18d7629031bf5cd9a8c7090c13983c1d7567b9018185f0fa18f0d
MD5 hash:
2890a00ef6943ed98e2b7c6e3e49ae1c
SHA1 hash:
9072a751e68fe39222aebc87ffb898a423310ce9
Link:
https://www.unpac.me/results/7f6b4587-9809-41df-a4f6-989116664e25/
SH256 hash:
9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0
MD5 hash:
8e5286e3caa11c78e275892a38f2e772
SHA1 hash:
ddada2f646640b394c04e7166db04200d226281b
Link:
https://www.unpac.me/results/7f6b4587-9809-41df-a4f6-989116664e25/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
vidar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 9f619f332a9e5bd74a345778e86a871e9efb087bfea43ade7cbf9f63a12151b0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3063143/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
zbet commented on 2024-07-23 14:45:08 UTC

url : hxxp://77.105.132.27/rinqu.exe