MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be04801e050f6b11b177a4febcd6daecbbfa6891c0fbc2e053638ff7c1f7cda0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 17



SHA256 hash: be04801e050f6b11b177a4febcd6daecbbfa6891c0fbc2e053638ff7c1f7cda0
SHA3-384 hash: 31fdc4b6fc543ef1e385ad257a59d1081b2cb1d8abd745356513b9db4c4a6f9106e10b121b76785322599408acbf31ed
SHA1 hash: c31d10faa53773d17822ee0ad70acf0839bec3d1
MD5 hash: 9fe0b462a779cff10d328e480332818b
humanhash: glucose-saturn-october-beer
File name: setup.exe
Signature: Vidar
File size: 333'824 bytes
First seen: 2023-04-27 00:10:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4b07758d5b167b27106e05a1732f0848 (4 x Loki, 3 x Vidar, 1 x RedLineStealer)
ssdeep: 6144:vdCM4ZD2dI9UtxTPRcvughcUF6Zxpm2XxdDt5CHx:vdCM4ZD2OATPRaugh+m2XxQH
Threatray: 53 similar samples on MalwareBazaar
TLSH: T1E064F112B6E0CDF2F88681355415DEA9A6FABCA29A4582C733D87FAF1D306C05777390
TrID:
  37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
  7.3% (.ICL) Windows Icons Library (generic) (2059/9)
  7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 0086462442603048 (1 x Vidar)
Reporter: Chainskilabs
Tags: exe vidar

Intelligence


File Origin
# of uploads: 1
# of downloads: 263
Origin country: US

Vendor Threat Intelligence

Malware family:
ID: 1
File name: setup.exe
Verdict: Malicious activity
Analysis date: 2023-04-27 00:13:50 UTC
Tags: stealer vidar trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Searching for analyzing tools
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Stealing user critical data
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2023-04-26 08:30:02 UTC
File Type: PE (Exe)
Extracted files: 22
AV detection: 21 of 22 (95.45%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:laplas family:vidar botnet:2234cb18bdcd93ea6f4e5f1473025a81 clipper discovery evasion persistence spyware stealer trojan upx
Behaviour:
Checks processor information in registry
Delays execution with timeout.exe
GoLang User-Agent
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Laplas Clipper
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199497218285
https://t.me/tg_duckworld
http://89.23.97.128
Unpacked files
SHA256 hash: 86b6471699740e009dd754d8094132adbcbab400b3c04d27f100e82df312bd12
MD5 hash: f8a9a8d2d99d81315230ad03cde33cd2
SHA1 hash: 10c5d88a09581f7d57e87655665a6d2c565969dd
Detections: VidarStealer

Parent samples:
SHA256 hash: be04801e050f6b11b177a4febcd6daecbbfa6891c0fbc2e053638ff7c1f7cda0
MD5 hash: 9fe0b462a779cff10d328e480332818b
SHA1 hash: c31d10faa53773d17822ee0ad70acf0839bec3d1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: has_telegram_urls
Author: Aaron DeVera <aaron@backchannel.re>
Description: Detects Telegram URLs

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: Telegram_Links

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

Rule name: win_vidar_a_a901
Author: Johannes Bader
Description: detect unpacked Vidar samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File type: Executable exe
SHA256 hash: be04801e050f6b11b177a4febcd6daecbbfa6891c0fbc2e053638ff7c1f7cda0 (this sample)

Delivery method: Distributed via web download
