MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af92599433f093b31aa91ecffac4fd100bfe2e89856bef9b85a7a9e418751044. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af92599433f093b31aa91ecffac4fd100bfe2e89856bef9b85a7a9e418751044
SHA3-384 hash: d36d20d30e85d624025ad1eb2c9dc4d9a462aa59a1c9945f8291114ec662c3ef479a8234024491298009aa91666ca201
SHA1 hash: 83f041fcd9f0ab4aa469a5cfa55ddbb717d88071
MD5 hash: cb093c783abeb21910a13cc86fc6a361
humanhash: beer-pluto-six-green
File name:Setup.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:3'616'848 bytes
First seen:2023-06-07 20:54:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:Ty3cawXotqPZcWEi7cfQyuyWNY2U61p5AtfSBSortDWTcu1FxzOTHT8xe:TMwYtqPZcgZU6n5A8S1FxF
Threatray 1'333 similar samples on MalwareBazaar
TLSH T15AF58C13B751483BC4521B35D89B91681975BE2A3FB3958B67A0BF0D3E327C0763A386
TrID 29.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
17.3% (.EXE) InstallShield setup (43053/19/16)
16.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
12.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.2% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon 64f0e732cbc2c686 (1 x Vidar)
Reporter iam_py_test
Tags:exe signed vidar

Code Signing Certificate

Organisation:ADATA XPG Gammix D10 16 ГБ (8 ГБ x 2 шт.) DDR4 3200 МГц DIMM CL16 (AX4U32008G16A-DB10)
Issuer:ADATA XPG Gammix D10 16 ГБ (8 ГБ x 2 шт.) DDR4 3200 МГц DIMM CL16 (AX4U32008G16A-DB10)
Algorithm:sha1WithRSAEncryption
Valid from:2023-06-06T13:23:46Z
Valid to:2033-06-07T13:23:46Z
Serial number: 2af717ef350123ac45dab9d827b90652
Thumbprint Algorithm:SHA256
Thumbprint: 08b98ed14a92eb7aee31da5ae41ce25464f046fcdf3fd2bb729574f73404b00b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://boraflow.click
Verdict:
Malicious activity
Analysis date:
2023-06-07 17:29:51 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/0ba3f964-bfe9-40a8-8040-79b01f6c75db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/396691/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.28563.638.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger lolbin obfuscated overlay packed rat regsvcs.exe threat
Link:
https://www.filescan.io/uploads/6480eea785c2639e5c7e1a2c/reports/85dd33e7-0c42-4391-98db-60b129344f90/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/af92599433f093b31aa91ecffac4fd100bfe2e89856bef9b85a7a9e418751044
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02086041-ab32-46e2-bce5-5b1d32ec8ac4
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1250681
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af92599433f093b31aa91ecffac4fd100bfe2e89856bef9b85a7a9e418751044/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2023-06-07 20:55:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
232
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v6jftfbt6cj3ggvjd3h7vrh5caf74lujqvv67g4fu6u6igdvcbca._file
Verdict:
malicious
Similar samples:
245247efeee2675a380f791323dd3b2b52eeddc0c1c033b7772c03a8c699b4e2
Vidar
4240b655ed2af5ae8873b49e2e2d204383b2fd675c21f02527a9a4d9b719cd49
Vidar
82515bb4fb5f3c67b48addca1f08cc2465690f8fac991ea30c68ceceba22a1d3
Vidar
8e353469e9a3238883c19d9471e6c9c9b6a487e25a7ba67ff0a94b89ebd2c610
Vidar
b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0
Vidar
d935d3deb9f86f85e9eb8ac73c617a4d0eac4c9bbe54e97522c02f79a34685e7
Vidar
f3917bfe3837372f34af459f01c0af768a616fb9c8a20c04994237695af925fd
Vidar
f470607204e84fa606ac7d37b59c646e1ece99380093a95ff79ab66289c47f40
Vidar
fd1a09c372f39636d4d547a96121d7da03bea79dabb95717a8636b0d7aed8194
Vidar
+ 1'323 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:28c8b36afa809659e21c14e7f6231b80 spyware stealer
Link:
https://tria.ge/reports/230607-zqe8xafg98/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Loads dropped DLL
Vidar
Malware Config
C2 Extraction:
https://t.me/rechnungsbetrag
https://t.me/prescilliouns
https://steamcommunity.com/profiles/76561199511129510
Unpacked files
SH256 hash:
d98fefe242d4bb2c0d17400a2febeeb8436bfe260658dad3474aabd276763ee1
MD5 hash:
22ddbb92b88ea18b14992a92c4026ecf
SHA1 hash:
f3121c56f6733111e0abdd4e7ad7acbed4505a80
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/bc1a2eb2-9599-4e7f-946b-89a350b56c73/
SH256 hash:
bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash:
7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash:
67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d
Link:
https://www.unpac.me/results/bc1a2eb2-9599-4e7f-946b-89a350b56c73/
Parent samples :
fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f
SH256 hash:
af92599433f093b31aa91ecffac4fd100bfe2e89856bef9b85a7a9e418751044
MD5 hash:
cb093c783abeb21910a13cc86fc6a361
SHA1 hash:
83f041fcd9f0ab4aa469a5cfa55ddbb717d88071
Link:
https://www.unpac.me/results/bc1a2eb2-9599-4e7f-946b-89a350b56c73/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af92599433f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af92599433f093b31aa91ecffac4fd100bfe2e89856bef9b85a7a9e418751044

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

rar 4d152234f168692459b482981f469e96e4f933360295cd64f5089370a4b07118

Vidar

Executable exe af92599433f093b31aa91ecffac4fd100bfe2e89856bef9b85a7a9e418751044

(this sample)

  
Link
https://tria.ge/230607-zarl1aff36/behavioral3
  
Dropped by
SHA256 4d152234f168692459b482981f469e96e4f933360295cd64f5089370a4b07118
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/396691/
  
URLhaus
https://urlhaus.abuse.ch/url/2655465/
  
Dropped by
MD5 2335270ac5650be7668b84185f9dd4ed

Comments