MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad4e377633b5f0a87ad2a4a6b741615016de79605225737fc4ba5c70308c5e68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 13



SHA256 hash: ad4e377633b5f0a87ad2a4a6b741615016de79605225737fc4ba5c70308c5e68
SHA3-384 hash: 999ffe680da78d226da083386b57d58cc067d1189f5e40c2c28960d2b3211e8de899fdc31f3dbc9f6bfe8b86df78da7a
SHA1 hash: 6ba18746af689d249f20c2f5951f0fe6024a2455
MD5 hash: 0a42fee9fcb7176b17c39a2af5e7e9db
humanhash: london-july-oxygen-table
File name: file
Signature: Vidar
File size: 2'077'592 bytes
First seen: 2023-02-06 06:13:27 UTC
Last seen: 2023-02-06 17:42:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 26576ed4d825fc7d7b1056b6b8d52646 (1 x Vidar)
ssdeep: 49152:pFEKlMYVJ0NyXW/s31KT65UVLz4lgVW4vxCluT05rckHoxx3Q:vEywpu1KT65Up4lAB46MreA
Threatray: 2'352 similar samples on MalwareBazaar
TLSH: T166A5AD2326349477E6A90DF08DA4BB157A87D9F113AEACC34426A6DF42264C5CCF137E
TrID: 39.5% (.EXE) InstallShield setup (43053/19/16)
      28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: f0cc8e96868ef8f0 (1 x DCRat, 1 x Vidar)
Reporter: andretavare5
Tags: exe signed vidar

Code Signing Certificate

Organisation: www.fancy.org
Issuer: R3
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-03T03:28:13Z
Valid to: 2023-04-03T03:28:12Z
Serial number: 0424080849039b6f8858d6477fb094cda036
Thumbprint Algorithm: SHA256
Thumbprint: 5fef871c46ba950f271050495a759f648227bc72c7de078adb9754c33bd824d9
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from https://vk.com/doc712319849_660866526?hash=IXkQM6MMBTjc5jzSklL4cuVL7rOPMrnmHxxPTOWKkMw&dl=G4YTEMZRHE4DIOI:1675193634:0byE3BmIQC0EcjhZMp9aGJqrwz1vBQl4unHGRFk7xnT&api=1&no_preview=1#us8

Intelligence


File Origin
# of uploads: 28
# of downloads: 231
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: No threats detected
Analysis date: 2023-02-06 06:14:22 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Launching a process
Creating a file in the %temp% directory
Creating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Detecting VM
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
SystemUptime
CPUID_Instruction
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Mustang Panda
Verdict: Malicious
Result
Threat name: RHADAMANTHYS, Vidar, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates an undocumented autostart registry key
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 799050, Sample: file.exe, Startdate: 06/02/2023, Architecture: WINDOWS, Score: 100
Process chain recorded in the graph: file.exe -> fontview.exe, ngentask.exe, WerFault.exe; fontview.exe -> rundll32.exe -> dllhost.exe -> Data.exe, Library.exe; Data.exe -> InstallUtil.exe -> SMSvcHost.exe, powershell.exe; Library.exe -> powershell.exe, MSBuild.exe
Dropped files recorded in the graph: C:\Users\user\AppData\Local\...\5330953.dll (PE32), C:\Users\user\AppData\...\nsis_uns51baba.dll (PE32+), C:\Users\user\AppData\Local\...\Library.exe (PE32+), C:\Users\user\AppData\Local\Temp\Data.exe (PE32+), C:\Users\user\AppData\...\UpdateSVC.exe (PE32+), C:\Users\user\AppData\Roaming\...\WShell.exe (PE32+)
Network contacts recorded in the graph: 109.206.243.168 (AWMLTNL, Germany); t.me 149.154.167.99:443 (TELEGRAMRU, United Kingdom); 65.109.7.48:80 (ALABANZA-BALTUS, United States); transfer.sh 144.76.136.153:443 (HETZNER-ASDE, Germany); 45.159.189.105:80 (HOSTING-SOLUTIONSUS, Netherlands); pool-fr.supportxmr.com 141.94.96.71:8080 and pool.supportxmr.com (Germany, Stratum mining protocol detected); 192.168.2.1
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2023-01-31 22:16:14 UTC
File Type: PE (Exe)
Extracted files: 27
AV detection: 14 of 39 (35.90%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:rhadamanthys family:vidar botnet:701 spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://t.me/mantarlars
https://steamcommunity.com/profiles/76561199474840123
Unpacked files
SHA256 hash: 25f9ad76e16c6b3b2a50280d1d0f4fca4e5ca22711192cfe11e953af65d2588d
MD5 hash: d678f30147f11f95f9dbd111b7d9de80
SHA1 hash: e0a87fb41218da776521992197b0a0d5e2ea57fd
SHA256 hash: ad4e377633b5f0a87ad2a4a6b741615016de79605225737fc4ba5c70308c5e68
MD5 hash: 0a42fee9fcb7176b17c39a2af5e7e9db
SHA1 hash: 6ba18746af689d249f20c2f5951f0fe6024a2455
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: Telegram_Links

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments