MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8e45719240f875784086abcc66cdbf68a102c1d3d5edabb0c7da44516621e51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	c8e45719240f875784086abcc66cdbf68a102c1d3d5edabb0c7da44516621e51
SHA3-384 hash:	67ace54548a41c612184ae1fa1c41abf39a4cbb4b15286e3753b0acf6ed9b41e0fb9c61b1c43cef1a35ee248d1bc9dfe
SHA1 hash:	7e8838d573b193beedfa12ff74e1e4933944587a
MD5 hash:	61e6735126b6504424d090ac796f8a49
humanhash:	network-texas-oven-papa
File name:	bank_statement.scr
Download:	download sample
Signature	Vidar Create hunting rule
File size:	38'811'256 bytes
First seen:	2023-06-06 17:05:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	22a71214a0c9214caa6b4dfa0b409cb5 (1 x RaccoonStealer, 1 x Vidar)
ssdeep	393216:NS3GX6iThaMcP5L56QHbe/klf3FWpis6n93CnVspY9rw20amy/dtzEvQ4iD6t+t2:a3iTkFVBn9Tpkw3dUzMri2ty7I9
Threatray	270 similar samples on MalwareBazaar
TLSH	T17F87239366C063E8C3C34518628F529F51C1987AC5FD9E1D6EC36C032E21EA76A4EE77
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter	Anonymous
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

352

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

bank_statement.scr

Verdict:

Malicious activity

Analysis date:

2023-06-06 17:06:26 UTC

Tags:

stealer vidar trojan arkei

Link:

https://app.any.run/tasks/dd62bf4c-78e1-486f-bafd-c1c515d75fb3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Sending an HTTP GET request

DNS request

Creating a file

Creating a window

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug crypto greyware lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/647f6830adff641d66ab0c95/reports/9ca7b075-73e4-4681-b8fb-d2f9a90e1bbf/overview

Verdict:

Malicious

Labled as:

Win64/Agent_AGeneric.AFR trojan

Link:

https://www.hybrid-analysis.com/sample/c8e45719240f875784086abcc66cdbf68a102c1d3d5edabb0c7da44516621e51

Result

Verdict:

MALICIOUS

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1249754

Signature

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for domain / URL

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Query firmware table information (likely to detect VMs)

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-06-06 17:06:10 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zdsfogjeb6dvpbaink6mm3g362fbala5hvpnvoympwsekftcdziq._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:655d9e590e95375f4ab0b3055662ab2e spyware stealer

Link:

https://tria.ge/reports/230606-vmd48afc6x/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Checks computer location settings

Loads dropped DLL

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199511129510
https://t.me/rechnungsbetrag

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c8e45719240f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c8e45719240f875784086abcc66cdbf68a102c1d3d5edabb0c7da44516621e51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe c8e45719240f875784086abcc66cdbf68a102c1d3d5edabb0c7da44516621e51

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample