MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe
SHA3-384 hash: 9e33d9a41d2ec928fc60d0532ff22eae7d1a266bdf8e7f2664e46b59e2bf8a61d54e0007c1b8218aae1d59f5f9f5a9a8
SHA1 hash: 5319123a505e379a75f00ee5a51588a97b2bdad8
MD5 hash: c835aa61191a38f357333fff57f6c81a
humanhash: fillet-shade-delaware-high
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:6'497'280 bytes
First seen:2024-08-27 16:41:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 98304:n4ItqPNZrAUcblYGW70NPPYi8SFJkOV2TgC6fGFVLOa/xfosZrG0tA:n47PNZPmWQJPYi8mkTglSJOa11xG
Threatray 206 similar samples on MalwareBazaar
TLSH T1BD66D0527398CE21C03E163BCCEE405403FDED84BA53DA5BB9B8B69E68123A11D495DF
TrID 39.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
23.3% (.EXE) InstallShield setup (43053/19/16)
16.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.7% (.EXE) Win64 Executable (generic) (10523/12/4)
3.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
File icon (PE):PE icon
dhash icon 69eccceae8cce831 (1 x Vidar)
Reporter Bitsight
Tags:exe vidar


Avatar
Bitsight
url: http://147.45.44.104/malesa/66ce00c2c1a2c_doz.exe#mene

Intelligence

File Origin
# of uploads :
1
# of downloads :
420
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
https://tlniurl.com/2yI2Nm
Verdict:
Malicious activity
Analysis date:
2024-08-27 16:48:44 UTC
Tags:
evasion privateloader stealer loader risepro stealc metastealer crypto-regex alfac2 lumma themida telegram vidar miner netreactor amadey botnet
Link:
https://app.any.run/tasks/81b8762b-b92a-49d8-99ee-5f9e1358804c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Malwarex-10033462-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ce01e17a17e3c687228fa1
Tags:
Generic Static
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a file in the %temp% directory
Сreating synchronization primitives
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
90%
Tags:
explorer fingerprint keylogger lolbin net_reactor obfuscated packed packed packed vbnet
Link:
https://www.filescan.io/uploads/66ce01e569e831fcce7f5395/reports/0f8aafa2-1f0e-4415-b02a-4e3cc4e83542/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92496135-0fe2-41ab-ae81-db6d468d08d0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1499979
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1499979 Sample: file.exe Startdate: 27/08/2024 Architecture: WINDOWS Score: 100 38 steamcommunity.com 2->38 40 stadiatechnologies.com 2->40 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 9 other signatures 2->54 9 file.exe 5 2->9         started        signatures3 process4 file5 28 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 9->28 dropped 56 Found many strings related to Crypto-Wallets (likely being stolen) 9->56 58 Writes to foreign memory regions 9->58 60 Allocates memory in foreign processes 9->60 62 Injects a PE file into a foreign processes 9->62 13 RegAsm.exe 1 235 9->13         started        18 RegAsm.exe 9->18         started        20 RegAsm.exe 9->20         started        signatures6 process7 dnsIp8 42 stadiatechnologies.com 95.164.119.162, 49734, 80 VAKPoltavaUkraineUA Gibraltar 13->42 44 94.130.188.148, 443, 49710, 49711 HETZNER-ASDE Germany 13->44 46 steamcommunity.com 23.197.127.21, 443, 49709 AKAMAI-ASN1EU United States 13->46 30 C:\ProgramData\vcruntime140.dll, PE32 13->30 dropped 32 C:\ProgramData\softokn3.dll, PE32 13->32 dropped 34 C:\ProgramData\nss3.dll, PE32 13->34 dropped 36 3 other files (none is malicious) 13->36 dropped 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->64 66 Found many strings related to Crypto-Wallets (likely being stolen) 13->66 68 Tries to harvest and steal ftp login credentials 13->68 74 3 other signatures 13->74 22 cmd.exe 1 13->22         started        70 Contains functionality to inject code into remote processes 18->70 72 Searches for specific processes (likely to inject) 18->72 file9 signatures10 process11 process12 24 conhost.exe 22->24         started        26 timeout.exe 1 22->26         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-08-27 16:42:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
1486
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzmwbqxloa237ygjuirt4s4pszodtak2jfkyugoaew334xhw4x7a._file
Verdict:
malicious
Similar samples:
13368bfeba0fbf3160dbbb1155b1439b7fcdb0fb59baef1cc93207821e63465f
Vidar
1ebdbd7b94a764479be0363d620c6c6b2b41b5b55888c9546b22d050835b22ea
Vidar
59778733797d1033f33e5803810777b199bab7a53710c385c9f8b1cea648d4ec
Vidar
5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d
Vidar
6ae6030e6222a1400ce938e2ad2086253f1ff6d9d07b0be35fee6853e87bedc6
Vidar
b989a777efa314e11e12f01e6b8f1a7f193889241929090bc66f3d644f33dbc7
Vidar
c18daf8d23214417f5c2165c850ffe0e83b657d9ba045dde50757cfd5b5f4dbc
Vidar
e65f08b6749e63fea544cd201161e63abe6925e0e739faddda2bd4af5af56b97
Vidar
f6c3122dad40a01bcc6a2ac9a51b4182d457c2e634494b3092fb45eb98c7fc86
Vidar
+ 196 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:3cfc20875310168e85cacc85bfe8cfb9 credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240827-t7ncyssdqn/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Detect Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199761128941
https://t.me/iyigunl
Unpacked files
SH256 hash:
381d65417c5972da260fc4b94b74750b5036696a5045c9aaccbe7b9e2d2321d7
MD5 hash:
9392bd8d638e15dcacfd14d305db92bb
SHA1 hash:
e090fff5421b6ca81f352de8c674c00f680de41d
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
Parent samples :
c4af46f2a357b68ce8e5830d9639e0c9212c61ae5d0fd1bb283812217a14ab72
a67e68ae707f413ef9e64fa53d661c3f60c7bf466af1b547da818d9ac01e10a0
0b937b6b47796295a7ad405daee481beb8ac1268e5b2121996f1c514378968da
f7bbd59299cad16b2cb4916738ad1475f61e129763cae617f1f9184f20db1d99
8db41f098bd838123616c5fe1b05c54b047f7452dd372a6ace3ba2afa63b0a51
dab2dc490b25687fd6052d53dafa3a74d7685a5429a371a8232f1340d1d498ca
b3e2fe43f3024cc479415e745cd9826752debe4e8b208e5e5b7cc510723b787d
21381b405bbb2d1ac38f1d908e0dc8a399fb2401d2ed1c1a300a2144626f9add
09e1282f189d10eeb293867d986a722128839971746dc8592fabd2755839a8a3
9ae0469bb6518417e8cf3e431550f4ee21130757fbea543a639fff11c836e357
a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848
22de8b75a29407cf6a0e3d283ec31c907948d772e765c1c437d8bc1fe8efb34b
9e9c2fb86b9215aabb51108105b5c5a553f9c2d4904f8f03c4a8b7ff3602c989
a51f55434ef4466043357f63161a7e4a91194b7a8bcb53d7d6074135446f29ce
d68c0cbd111da5fb8346d2612734f34e34cc975b73c2a5729c2793dde3d3d791
fc1e9a1378fdb34e8c938554eaa897134232b07e9401e60f0667dc119c3c2ed3
dbf55dd5c00f37ec49e1b661228adcc0a286b3eabb35d2f85fc34d82076107f6
2f9767983de2257e20ce2039c83deb6bc93db04417a706be56ff077c0784aa54
de35d4193e3e6b9410a748c59bb2e0fc84ea2a3f16cc8d9d1d598fb32f0f0d4c
136a221cf955b23885b2c5a030d1363a667a8742785b02d9737b0f66e6dba6a3
ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe
abea6ee012f90afa881358ede9697e15536addec7ce52f4d8bdc9429f56952a2
26de39355a5ffb112e494503f44bd63c8e2bc7dba35d58fedaaea1c84f868748
6c6e7eda17d7296d5c0c0cda8db200d0248c14f8682cbd7d3ffff110916e3cf2
1cf403233a05fd6140f33df350f8edccf51eea02746c6ba4ab3e31b32b8bab44
e9bfe09ecd33a97b7e599888c626daf2c97848aa4c2ffc6631404496fb7b312a
11f7ecd0569fba241fff758417113ab60c8f8cbed796222c3883037aa3ece16b
fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7
d83c67e9aac5d88da1c30ab4d05bb0ad08358532d298e8cf60b9d8798c262ce4
45bd836cdf29ad666cc785f6df5e9ff0e43e9cb63ff06aca339fdb1f3ddbfa34
bc3a6941205c1bb9be465e5cb20842bc6ae2e7aaea8f374e1c411bd02b89b697
1814f8b1c1223b93e9b6ae699f7f8f25fb543ad511e349f39219a4ec222f4f05
65e67f728f8f7694f68156ad4ed80825739968701ea1535291d489ef3dbebe06
f7e542218783c81229c438685de0c7c29a619790796833069eddb97b2eb34d29
ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876
038ae1968e1cc1424184b684200cced6e2ddd84d4d8557fc2a10330cb754f44e
319d1dc217b7e83a85dd62cb2c066156ba5579087f11c991a99089606979ca28
aa66c3988f3631925873757ae73ac5630508a43e2eebe6c0502a4d3194de8e41
9df8349c91ff8bdee71cf3e257a0d2f6bab02dffcb92d16de350b9bc2cdef4f7
c98d20df81567c0b314ba81bb8deb937eb385eccc352fa61258c58800d53a3d6
acae26cfe00f442507c384c69eb5a85326754c214795becd65ad4e798e881a83
ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05
aa2cae824c23fc15f2ef9fd64e369a78d49f1a068737a01c7697bae442971410
45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85
c2f99e83841e2f7e1fb0db047e5439fbe10a8d4b991a20e17a25686ea330f012
4b5ebae450e293ef4c62d3f57738bbbf33db5e28f987ed02bef8320271adaba2
1a540e531c521fd2d18ea3b8d4d4557428fa58c08a7cd7298d35f68549cee60f
279af267d365013227156575dcf61b6977ce4051dd4632515bd224314cea7c59
e301b79d4279d52c49c886fcd0ab8acc3941c5cf28c7dd0eb57e8af81fe476fb
350b72b192ad0cef2708a199ae5e89572b3a2a868488d9cc97785ed5f4d9c5d2
d4156fd0ebb875daabc39995fd95f15356eaff32f185950889e6773551827a5c
f093c3d6caae966180b506123ceba03a980cee862c6d27ccf1cbc31a4803ad8c
86772d44d0e2a57a8c2c0c410dc8b5380b2be24d078f0c79c05c9daaa56cd682
88efb8b6990e916e7590c2bd3f734f390f7c3d7b517a5fdc1baba0a2f6fbd54c
699f99c4fe9e5df1b13445278ba21139ee16200fc94051a735609c5d5a1076f6
89e1469f5157b653a2333d3f71926c45716c0ac996272818e8944ae4771bae10
6129a8293f509d2526bddf354847bbb8616f87fbb02b1742f7aa1587427b39fe
c35431b8db327238a32ce86f4f65b57571a57ce552d79e05cd49b53d4dc66f97
ee4b3ad0ab7aa01d1c44e47bf7515628770a6d2458e4ed8f98820c5ff1883fa6
351e95c5428552bb9c7734783a64c089ff966eeb96d3f2daee601041f9c091cb
1e9928ca23eb356b43f03adc13f2c2aa9f7d18a5b832973ebbee5b0a77574022
4b5a876b1c230b28c0862d5f8158b3657016709855bf3329d8fea6cada3adbfe
9e0ad460f7b2d121b0b6aae272ecafb0a0ca1bc5dae4f97f98683be27807ad43
13bd8193c4d494467aeaaa92c318a714ee1bcf788b2f46ccb110e7a25abad428
fc4021427512de18c4f01d85a3fe16f424234a62bdbfcac7a7b818797365113d
771d0ba5b4f3b2d1c6d7a5ebe9b395e70e3d125540c28f1a0c1f80098c6775ce
d8efa36e63e09c7999fa217695f94d05e6ba642588f5a9c8f5807c8c816b93c1
446b0fdcf0c64b121801a4854ffe721e1936e88fa31c9903a8f31ecfcb5bf58f
06f579ca0e4fbc7c1217722be90aa2ed0b9c4209c9abb474e3695e5a9b834734
3bd05aa096c69b414698dcaa85732a24062f69297fb6417094cc6b879f8b3e75
SH256 hash:
74c69f87b0de3ec35b4ef94fb3788920d53b54f66b032c3edf6475c6895e1029
MD5 hash:
f258bd2e6fa142a1a92f3b713f418af5
SHA1 hash:
66ba112d5d371c3d6d989eb4f888d3d6bf66f8de
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
7c481d912b9a0544be98ef16b297f228e3aa9e503d6b6fdf82750a606107c126
MD5 hash:
bdaa3f90e416ff882a373623062f2eac
SHA1 hash:
4d0460bd50208b86be3976974e22ffec73ad0412
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
Parent samples :
2f9767983de2257e20ce2039c83deb6bc93db04417a706be56ff077c0784aa54
ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe
SH256 hash:
f40ca223229eafd182d73457b75378e3100e2e8cc5e0ac47a46e64667a8a3edb
MD5 hash:
a35fdd90201efac8b47a99539f83c2bb
SHA1 hash:
c02ed730f3c0d9ffc4f114c37c0c29e5a2ebb6db
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
d267345e706805fa3642ca82030313e339ff16704f904bb31fca2e0de8446f7f
MD5 hash:
5e11acc84e2f8f3fdf515b68105e52c2
SHA1 hash:
5233bf2e653a567f0f628335d2068cddba6b81e2
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
cac7b447fb977ab526ca9e2af51dc65aaa250161c4f78766d3816bdcdce5f9c1
MD5 hash:
af26c4447fce847e4b734f5cfe211a6f
SHA1 hash:
aa63e20b94aecb00e1accbf790284f69f7ad266c
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
c19194e02a6c1dff3073be0ae4ccce8bf5c08fefcb45e8c0ecef11f94907add7
MD5 hash:
f99ed5926afccc085807f5ba0173b44f
SHA1 hash:
3b8f8950613890503fd9f51622cd14df3de39aae
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
beb803e2c0004bfd1454255e7d4646d20a78e07993d082379ff184f4617d48f5
MD5 hash:
ae6b768fb7bf735ea79881d63c303729
SHA1 hash:
f2f1c5eb78c4b8bd938ea688820045d2be24a06d
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
b4214aa201ed9bb8f266d58c52e78b7dfddf9442ab3e6c30893521eadc051667
MD5 hash:
a1eb9d26da64c07b41cbbdbd494ed2d8
SHA1 hash:
994f4b0bb52e90f1f2608648b40489af9e7ec7e8
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
4a702d9d35a34b87a071e54f49bde98fe9b902cd07e7185fe521d3b2875e24ab
MD5 hash:
ec9156abf896d4131806cceb9262c1e9
SHA1 hash:
777d83b387c43240250766a69d683a1d74d983f4
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
1c727f23c18f3fe3e14a04762db83af3e1faf628965098091948bb21bd5f7639
MD5 hash:
d555f2ada097bf0b8f4ce5f5fe52d795
SHA1 hash:
f40d4a2eda3d6e74ffe3c6241f8940ed1fb116ce
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
1a5da5bf6e28297ee9cff0f3dc86508cd35ac2b5d91d355ea857483578442ae7
MD5 hash:
c3556c855e43d26e2f13f4cc34f58381
SHA1 hash:
fd7ca219e49bcf773751465173bdd9c34bac109f
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
15d961ff847892934deb11ec2fee36996bf002ce4e83f64bbff216779254010c
MD5 hash:
1a1cc5d758d91c267b82ac956b3328d8
SHA1 hash:
ae96c0ab6247de4b57a0797ca8274f0c431c7d02
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
01a38e2c292a9364404e006a6215ba141bb973947854d4381dd578be33ee1694
MD5 hash:
3b5fb5e3c57482e4a37a557ecda6e192
SHA1 hash:
aa31702b6e0aaba121cbe6d6f353fe16af6a6059
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
SH256 hash:
ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe
MD5 hash:
c835aa61191a38f357333fff57f6c81a
SHA1 hash:
5319123a505e379a75f00ee5a51588a97b2bdad8
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d79345ff-a96d-45ef-bc29-8ff7e7778610/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3131151/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments