MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 18


Intelligence 18 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6
SHA3-384 hash: 6ab4f803307c0a31295101f428e9dcc23885aa49501780cdaa40bdbe3a6daea122c4a2a209278851cfa1a93c53767646
SHA1 hash: ac0a17d270718ef62769bdb0e739ea00cc72ed5f
MD5 hash: 71be3c01c7064efaa019e6259ccb0602
humanhash: snake-mango-lake-river
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:4'633'600 bytes
First seen:2024-07-19 06:57:34 UTC
Last seen:2024-07-23 15:38:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:7Z1+pGv8jsaqIZbEGLI061udzR1uyA2bLMYjEyFG9EJKoyiA9VJTaKyDSy:7T+Av84aqvq7XKoyiSVFaDT
Threatray 1 similar samples on MalwareBazaar
TLSH T141266B02B7C4CE12D06B1637C9EF802417FDFC44AB53EA2F7A99736D2463765190A2DA
TrID 49.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.7% (.SCR) Windows screen saver (13097/50/3)
7.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 2dccdad3e20ab2f2 (1 x Vidar)
Reporter Bitsight
Tags:exe vidar


Avatar
Bitsight
url: http://79.137.192.13/prog/669a08aa861a2_filemanager.exe#mene

Intelligence

File Origin
# of uploads :
2
# of downloads :
438
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
https://trendyscreenofficial.com/wp-content/driect/district235489v4.rar
Verdict:
Malicious activity
Analysis date:
2024-07-19 17:11:35 UTC
Tags:
evasion privateloader discord loader risepro stealer stealc telegram vidar metastealer themida redline tofsee botnet adware neoreklami
Link:
https://app.any.run/tasks/ebd3ef99-53b2-465c-84a2-d13fb6507cf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Malwarex-10033462-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669a0e83b302ab76f447f190
Tags:
Static
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Sending an HTTP POST request
Running batch commands
Creating a process with a hidden window
Forced shutdown of a system process
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
anti-vm anti-vm net net_reactor obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/669a0e7dcbb32227b6a910cc/reports/18df0947-7119-45a8-91a6-716f6ba7b617/overview
Verdict:
Malicious
Labled as:
MSIL/Kryptik.ALRL trojan
Link:
https://www.hybrid-analysis.com/sample/ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff643a23-9882-4fd4-b280-38add3729704
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1476558
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1476558 Sample: file.exe Startdate: 19/07/2024 Architecture: WINDOWS Score: 100 31 t.me 2->31 33 fp2e7a.wpc.phicdn.net 2->33 35 3 other IPs or domains 2->35 43 Found malware configuration 2->43 45 Antivirus detection for URL or domain 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 10 other signatures 2->49 9 file.exe 2 2->9         started        signatures3 process4 signatures5 51 Found many strings related to Crypto-Wallets (likely being stolen) 9->51 53 Writes to foreign memory regions 9->53 55 Allocates memory in foreign processes 9->55 57 Injects a PE file into a foreign processes 9->57 12 MSBuild.exe 1 38 9->12         started        process6 dnsIp7 37 t.me 149.154.167.99, 443, 49710 TELEGRAMRU United Kingdom 12->37 39 95.216.182.106, 443, 49711, 49712 HETZNER-ASDE Germany 12->39 41 arpdabl.zapto.org 77.91.101.71, 49743, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 12->41 23 C:\ProgramData\vcruntime140.dll, PE32 12->23 dropped 25 C:\ProgramData\softokn3.dll, PE32 12->25 dropped 27 C:\ProgramData\nss3.dll, PE32 12->27 dropped 29 3 other files (none is malicious) 12->29 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->59 61 Found many strings related to Crypto-Wallets (likely being stolen) 12->61 63 Contains functionality to inject code into remote processes 12->63 65 5 other signatures 12->65 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
Score:
64%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-07-19 06:58:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vv7z4skjgq6i7rmizgpxjjwqtno6k7kksdsi4ab2fd57bsaoycta._file
Verdict:
malicious
Similar samples:
ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6
Vidar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:3a901b2c4dd248059af72250cf07aba7 spyware stealer
Link:
https://tria.ge/reports/240719-hrhlzs1ena/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Detect Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://t.me/s41l0
https://steamcommunity.com/profiles/76561199743486170
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b0fcbd64-3993-4aa1-a921-2d84f8eb0f86
Unpacked files
SH256 hash:
81cadb6a9546328647f2fbd1713fcf8ee49921c6a0c7b155f6d287acddab5fd7
MD5 hash:
eb029ab5c2f8de328736c53dc3c7df47
SHA1 hash:
e05c4fba0236fee2516bf53a287e41e0e97a0ee5
Link:
https://www.unpac.me/results/a4819fda-7fc5-4550-9865-b2ebd3225c9f/
Parent samples :
12df075fcaec366639ab37f203aa412540f351ee17e7f126a4a126e7a61c2a9b
b8a5ef9ea9fa588907a197db55c743559460190aa58b227db10d6be75d8bfe39
e603e36cae3f0fa9badbeaeff8fb0becb1ed444776892db76cd8d219e2ba92bd
SH256 hash:
4f1b5df9e5dc09f008f79e35864b12a8633744129b7813d9d0bbac501c1897eb
MD5 hash:
eba3193a9e3f0962ccf5d09279916618
SHA1 hash:
a223bc5c7413275f18942bb6203143bc0085b15c
Link:
https://www.unpac.me/results/a4819fda-7fc5-4550-9865-b2ebd3225c9f/
SH256 hash:
a88b86575b9f44bab08276a41f4851401b21b5e45805e35c2ad72cc326c37576
MD5 hash:
18bbb3f182b975601f24f723915192c1
SHA1 hash:
2d41e2725011a4cc18f7c8b094175d0bafc9433a
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/a4819fda-7fc5-4550-9865-b2ebd3225c9f/
Parent samples :
fe8bed09a836755e33c1ad4cae1ea15db42f7f5b5ac669d9a359d8c4fc1df9a1
a88b86575b9f44bab08276a41f4851401b21b5e45805e35c2ad72cc326c37576
2ccc095e2b7de720513d290dea7ad6cde991ebd3773f5140489a461873cb2ba6
fa41bf610e2af66a75a73cb1d348aecc9a275756710c05be99220bbddbd34674
ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6
cd866b4aa47daf4efb5f4800b7972404a4dace852d2749ca11cf341ca63a368a
34fea1a2974d12c2d3424ac6c9a23c6587cfad57002b2e6d335b6899f1261e48
b0298a97ebb4c9fdcdc38b916343639e78d8ddc92832ac95707a6d9f83fbd68a
SH256 hash:
0ab41930f0a18d7629031bf5cd9a8c7090c13983c1d7567b9018185f0fa18f0d
MD5 hash:
2890a00ef6943ed98e2b7c6e3e49ae1c
SHA1 hash:
9072a751e68fe39222aebc87ffb898a423310ce9
Link:
https://www.unpac.me/results/a4819fda-7fc5-4550-9865-b2ebd3225c9f/
SH256 hash:
ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6
MD5 hash:
71be3c01c7064efaa019e6259ccb0602
SHA1 hash:
ac0a17d270718ef62769bdb0e739ea00cc72ed5f
Detections:
SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Link:
https://www.unpac.me/results/a4819fda-7fc5-4550-9865-b2ebd3225c9f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe ad7f9e4949343c8fc588c99f74a6d09b5de57d4a90e48e003a28fbf0c80ec0a6

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3052256/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments