MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6fa048ba4866856c1d63a7a660c82806bf4debdce985d49e7b39946debea76b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 17

SHA256 hash: b6fa048ba4866856c1d63a7a660c82806bf4debdce985d49e7b39946debea76b
SHA3-384 hash: 5724cb43a371829e95d9ef4fdca1caef2c1022c46795bff948e65d00aaade75c42202c8913b9ba6b3a0ea50846e49c66
SHA1 hash: 9cecabc32e4f26ae28aaf3997609ebc930796e39
MD5 hash: f87b1fcaa6cd80dc7f79c5db889ac480
humanhash: three-enemy-sad-coffee
File name: file.exe
Signature Vidar
File size: 352'768 bytes
First seen: 2023-05-03 18:08:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 43b84a19b996f82f90acda908578a933 (1 x Vidar, 1 x RedLineStealer)
ssdeep 6144:vPfnq+uvhWt3qbFVuWaWN1YdXI/sycroYFC8TSF2Mw/IXcVLF6XVaL:y+uJWtabFGWN1OXYsH8uC8TSFNwHH8I
Threatray 5 similar samples on MalwareBazaar
TLSH T17274DF0372D1A875F327B6308E2AC6E42A1EFC61DF656AEB37546A1F0D701E2C572342
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 0000402018400000 (1 x Vidar)
Reporter abuse_ch
Tags: exe vidar

Intelligence


File Origin
# of uploads :
1
# of downloads :
279
Origin country :
NL
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-03 00:39:18 UTC
Tags:
installer loader stealer rat redline arkei vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Searching for synchronization primitives
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Threat name:
Win32.Trojan.Rhadamanthys
Status:
Malicious
First seen:
2023-05-02 18:42:23 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:vidar botnet:37444c997bc81a7d4e2a48b7b63a1f66 discovery spyware stealer
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199501059503
https://t.me/mastersbots
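The two URLs under C2 Extraction are a Steam community profile and a Telegram channel. Vidar does not embed its C2 address; it fetches one of these public pages at runtime and reads the current C2 out of the page content, so the addresses above are the dead-drop locations rather than the C2 itself, and a client fetching exactly these pages is a strong indicator on its own. The matcher below is an added example, not part of the MalwareBazaar entry or of any vendor's tooling: it runs over proxy-log lines, flags the two exact URLs from this entry with high confidence, and flags any other Steam profile page or public Telegram channel link with low confidence as a hunting heuristic (that generic rule is an assumption for hunting, not an indicator from the entry). The log layout, the 10.0.0.x client addresses and the second Steam ID are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Dead-drop URLs listed under "C2 Extraction" on this MalwareBazaar entry.
VIDAR_DEADDROPS = {
    "https://steamcommunity.com/profiles/76561199501059503",
    "https://t.me/mastersbots",
}

# Hunting heuristics for the same two services (an assumption, not indicators from the entry):
# any Steam profile page (17-digit SteamID64) and any public Telegram channel link.
GENERIC_RULES = [
    ("steam-profile", "steamcommunity.com", re.compile(r"^/profiles/\d{17}/?$")),
    ("telegram-channel", "t.me", re.compile(r"^/[A-Za-z0-9_]{5,32}/?$")),
]
WATCHED_HOSTS = {"steamcommunity.com", "t.me"}

# Constructed proxy-log layout for this example: "<ts> <client> <method> <url> <status> <user-agent>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ua>.*)$"
)


def normalise(url: str) -> str:
    """Lower-case scheme and host, drop query/fragment and a trailing slash before comparing."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def classify(method: str, url: str):
    """Return (rule, confidence) for one request, or None if it is not interesting."""
    if method == "CONNECT":
        # TLS proxying: only host:port is visible, so the best available is a host-level hit.
        host = url.rsplit(":", 1)[0].lower()
        return ("host-only", "info") if host in WATCHED_HOSTS else None
    if normalise(url) in VIDAR_DEADDROPS:
        return ("ioc-exact", "high")
    p = urlsplit(url)
    for rule, host, path_rx in GENERIC_RULES:
        if p.netloc.lower() == host and path_rx.match(p.path):
            return (rule, "low")
    return None


def scan(lines):
    """Run classify() over log lines; unparsable lines are skipped, hits keep ts/src/url context."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["method"], m["url"])
        if verdict:
            rule, confidence = verdict
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"],
                         "rule": rule, "confidence": confidence})
    return hits


# Constructed log lines: the 10.0.0.x clients and the second Steam ID are made up for the example.
SAMPLE_LOG = """\
2023-05-03T18:10:01Z 10.0.0.21 GET https://steamcommunity.com/profiles/76561199501059503 200 Mozilla/5.0
2023-05-03T18:10:02Z 10.0.0.21 GET https://t.me/mastersbots 200 Mozilla/5.0
2023-05-03T18:11:40Z 10.0.0.37 GET https://steamcommunity.com/profiles/76561198000000000 200 Mozilla/5.0
2023-05-03T18:12:05Z 10.0.0.37 GET https://steamcommunity.com/app/730 200 Mozilla/5.0
2023-05-03T18:12:30Z 10.0.0.45 CONNECT t.me:443 200 -
2023-05-03T18:13:00Z 10.0.0.45 GET https://example.com/ 200 Mozilla/5.0
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['confidence']:5} {hit['rule']:16} {hit['src']} {hit['url']}")
```

Without TLS inspection a proxy only records CONNECT to steamcommunity.com:443 or t.me:443, and Steam traffic is common enough that a host-level hit is only context; the exact-URL match needs the decrypted request, DNS plus endpoint telemetry, or the sandbox report itself. Both dead-drop pages are also ordinary legitimate sites, so block the listed URLs and alert on them rather than blocking the hosts outright.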
Unpacked files
SHA256 hash:
ac893efc522e111b33a9553d6799684f32710ca068ea717e49592f9e9f2b51cc
MD5 hash:
fc4a86dcb3e48a9607e88653f655d889
SHA1 hash:
6c251f5634ca80e8758fc72369a1e4a1875d4192
Detections:
VidarStealer
SHA256 hash:
b6fa048ba4866856c1d63a7a660c82806bf4debdce985d49e7b39946debea76b
MD5 hash:
f87b1fcaa6cd80dc7f79c5db889ac480
SHA1 hash:
9cecabc32e4f26ae28aaf3997609ebc930796e39
Please note that we are no longer able to provide a coverage score for Virus Total.
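The digests at the top of the entry and under Unpacked files are what an analyst checks before doing anything else with a downloaded sample, and the sandbox signatures "Detected unpacking (changes PE section rights)" and "overwrites its own PE header" describe behaviour whose static counterpart is a section mapped both writable and executable. The script below is an added example, not MalwareBazaar's or any vendor's code: it recomputes SHA256, SHA1, MD5 and SHA3-384 of a file, compares them with the digests copied from this entry, and walks the PE section table to report writable-and-executable sections. The `build_sample_pe` helper and the headers-only image it produces are constructed for illustration so the block runs without the real sample; pass a file path to triage a downloaded file instead.

```python
import hashlib
import struct

# Digests copied from this MalwareBazaar entry: the submitted file and its unpacked child.
ENTRY_HASHES = {
    "sha256": "b6fa048ba4866856c1d63a7a660c82806bf4debdce985d49e7b39946debea76b",
    "sha1": "9cecabc32e4f26ae28aaf3997609ebc930796e39",
    "md5": "f87b1fcaa6cd80dc7f79c5db889ac480",
    "sha3_384": "5724cb43a371829e95d9ef4fdca1caef2c1022c46795bff948e65d00aaade75c"
                "42202c8913b9ba6b3a0ea50846e49c66",
}
UNPACKED_HASHES = {
    "sha256": "ac893efc522e111b33a9553d6799684f32710ca068ea717e49592f9e9f2b51cc",
    "sha1": "6c251f5634ca80e8758fc72369a1e4a1875d4192",
    "md5": "fc4a86dcb3e48a9607e88653f655d889",
}

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def compute_hashes(data: bytes) -> dict:
    """The four digests MalwareBazaar lists for a file."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Map each algorithm in `expected` to True if the file's digest matches it."""
    got = compute_hashes(data)
    return {algo: got[algo] == digest.lower() for algo, digest in expected.items()}


def pe_sections(data: bytes) -> list:
    """Walk the PE section table; returns [(name, characteristics), ...]."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes, Characteristics at +36
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def writable_executable_sections(data: bytes) -> list:
    """Sections mapped W+X at rest: where a packer stub typically rewrites code in place."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [name for name, ch in pe_sections(data) if ch & wx == wx]


def triage(data: bytes, expected: dict = ENTRY_HASHES) -> dict:
    """Does the file match the entry, and what does its section table look like?"""
    matches = verify_hashes(data, expected)
    return {
        "matches_entry": all(matches.values()),
        "hash_matches": matches,
        "sections": [name for name, _ in pe_sections(data)],
        "wx_sections": writable_executable_sections(data),
    }


def build_sample_pe(sections) -> bytes:
    """Construct a minimal headers-only PE32 image for demonstration (not a real sample)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0  # size of a PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = b"\x0B\x01" + b"\0" * (opt_size - 2)  # Magic 0x10B, remaining fields zeroed
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, ch)
        for i, (name, ch) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + table


# Constructed image: a normal R+X .text section and a R+W+X .data section, the shape a packer stub leaves.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x00000020 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", 0x00000040 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    print(triage(blob))
```

A W+X section at rest is only a hint: the unpacking signatures on this entry come from dynamic analysis (section rights changed and the PE header overwritten while running), which no static walk of the section table can see, and a packer can just as well call VirtualProtect on a section that looks normal on disk. imphash, ssdeep and TLSH need third-party libraries (pefile, ssdeep, py-tlsh) and are left out; when comparing against the entry, SHA256 alone is enough and the other digests are there for tools that only index one of them.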

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments