MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aac4be8da4dd61b9c80cdd4fbfd32aca1189947644318a7a3627a502b3f8e128. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar
Vendor detections: 17

SHA256 hash: aac4be8da4dd61b9c80cdd4fbfd32aca1189947644318a7a3627a502b3f8e128
SHA3-384 hash: 4c9709768eeff9e60d778827fe93d13a7a031b64c1bc47a379fb30066797086f13132d2a8a3b77ec55a0bd7e210c69e0
SHA1 hash: 196faab04a4dcb3be42de4cf6b1e285f971f0e8d
MD5 hash: 9480e05f69188e1de340793d85d76169
humanhash: yankee-ten-zulu-don
File name: setup.exe
Signature: Vidar
File size: 334'336 bytes
First seen: 2023-04-27 00:13:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fd12f8d1ea172054b775d38fe9a5aa5d (2 x Rhadamanthys, 1 x Vidar)
ssdeep: 6144:C24oSdb1I9TORmtyqX+2Q/rsNW9aMUuEsbm6ckJC:C24HRmYqX+2Q/oNwaMHBV
Threatray: 643 similar samples on MalwareBazaar
TLSH: T1EE64F1217A91DC73C85744F01824E6A49B3DBCA0564945DF13D83FBE6E336828ABB3D9
TrID: 60.4% (.EXE) InstallShield setup (43053/19/16)
      14.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.8% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 01a4b29888e4b080 (1 x Vidar)
Reporter: Chainskilabs
Tags: exe vidar

Intelligence

File Origin
# of uploads: 1
# of downloads: 268
Origin country: US

Vendor Threat Intelligence
Malware family:
ID: 1
File name: setup.exe
Verdict: Malicious activity
Analysis date: 2023-04-27 00:13:50 UTC
Tags: installer stealer vidar trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Stealing user critical data
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Laplas Clipper, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Laplas Clipper
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID: 854858)
Sample: setup.exe
Start date: 27/04/2023
Architecture: WINDOWS
Score: 100

Top-level signatures:
Snort IDS alert for network traffic
Found malware configuration
Malicious sample detected (through community Yara rule)
8 other signatures

Process tree (as recovered from the graph):

setup.exe (started)
  Network: t.me 149.154.167.99 port 443 (local port 49685), TELEGRAMRU, United Kingdom; 116.203.220.83 port 11111 (local port 49686), HETZNER-ASDE, Germany; transfer.sh 144.76.136.153 port 443 (local ports 49687, 49690), HETZNER-ASDE, Germany
  Dropped: C:\ProgramData\85966885269322940274.exe (MS-DOS); C:\ProgramData\48212924293268859381.exe (PE32+)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 3 other signatures
  Started: 85966885269322940274.exe, 48212924293268859381.exe, cmd.exe
    85966885269322940274.exe (started)
      Dropped: C:\Users\user\AppData\Roaming\...\ntlhost.exe (MS-DOS)
      Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); 3 other signatures
      Started: ntlhost.exe
        ntlhost.exe (started)
          Network: 89.23.97.128 (local ports 49692, 49693, 49694), MAXITEL-ASRU, Russian Federation
          Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 3 other signatures
    48212924293268859381.exe (started)
      Signatures: Tries to harvest and steal browser information (history, passwords, etc)
      Started: cmd.exe
        cmd.exe (started)
          Started: conhost.exe, choice.exe
    cmd.exe (started)
      Started: conhost.exe, timeout.exe
ntlhost.exe (started, two top-level instances)
  Signatures: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)

Threat name: Win32.Trojan.Rhadamanthys
Status: Malicious
First seen: 2023-04-25 14:02:26 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 26 of 37 (70.27%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:laplas family:vidar botnet:2234cb18bdcd93ea6f4e5f1473025a81 clipper discovery evasion persistence spyware stealer trojan upx
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
GoLang User-Agent
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Laplas Clipper
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199497218285
https://t.me/tg_duckworld
http://89.23.97.128

Unpacked files
SHA256 hash: 86b6471699740e009dd754d8094132adbcbab400b3c04d27f100e82df312bd12
MD5 hash: f8a9a8d2d99d81315230ad03cde33cd2
SHA1 hash: 10c5d88a09581f7d57e87655665a6d2c565969dd
Detections: VidarStealer

Parent samples:
SHA256 hash: aac4be8da4dd61b9c80cdd4fbfd32aca1189947644318a7a3627a502b3f8e128
MD5 hash: 9480e05f69188e1de340793d85d76169
SHA1 hash: 196faab04a4dcb3be42de4cf6b1e285f971f0e8d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: has_telegram_urls
Author: Aaron DeVera <aaron@backchannel.re>
Description: Detects Telegram URLs

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: Telegram_Links

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

Rule name: win_vidar_a_a901
Author: Johannes Bader
Description: detect unpacked Vidar samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Malware family: Vidar
File type: Executable exe
SHA256 hash: aac4be8da4dd61b9c80cdd4fbfd32aca1189947644318a7a3627a502b3f8e128 (this sample)

Comments