MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d
SHA3-384 hash: 5ee7171c55a5d2ec48a3066fe45cd17d6bbeb71fb4089283a01701577247263c19da9ebc7c0d2dd88b3d018fc729b016
SHA1 hash: 9d4ed8fb149d0dc4de28e41e66ac17b849b8fcbd
MD5 hash: a27435d71d3c86e923a81fd66d5118bf
humanhash: paris-romeo-fruit-hamper
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:3'057'160 bytes
First seen:2023-02-17 18:47:28 UTC
Last seen:2023-02-17 20:29:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 47 x PureHVNC, 28 x RedLineStealer)
ssdeep 49152:yUwJvVQThRGeWlW6Bj68c5xI5hH0sIacQXfJgiE5VmJsQQlObhPk0zzxcXG+ojxo:nwzQT7obB3hDJpEmJwU1PXzqXx
Threatray 2'499 similar samples on MalwareBazaar
TLSH T1DAE5E0ABEB000B17CE9543BAD9198B945721D05A6350F3A7A7BC82A83F5F3C54D1E4E2
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon fceae8f0f0e2e060 (1 x Vidar)
Reporter andretavare5
Tags:exe signed vidar

Code Signing Certificate

Organisation:HDD`WOW Toshiba SATA-III 12Tb HDWG460EZSTA N300 (7200rpm) 1568`Mb 1.5 Rtl
Issuer:HDD`WOW Toshiba SATA-III 12Tb HDWG460EZSTA N300 (7200rpm) 1568`Mb 1.5 Rtl
Algorithm:sha1WithRSAEncryption
Valid from:2023-02-16T17:39:55Z
Valid to:2033-02-17T17:39:55Z
Serial number: 1701f2ecbdc601b24b8fbbe631f75b99
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 59d4a20948fee2d525022241ca0f405f7cd461740df308547f438f8382f41c2e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc10773776_659667175?hash=Ir3n4hJnHKbyYepOPo67T0pklwfDvUiS2ajaZrAKrWH&dl=GEYDONZTG43TM:1676651997:2Cb07pB8TsjuX8Tjcn1lYJOZDlnrUGgtsJ3npISIMa8&api=1&no_preview=1#vid100

Intelligence

File Origin
# of uploads :
3
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-17 18:47:37 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/a46f96e8-a9eb-4c82-9330-db63ced4163e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/367783/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.16232.5004.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63efcbe3bc5c84d0ee7cd96a/reports/af65cb53-7db4-46ba-b783-1c8f7f9b735a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/caae9b9d-cac5-408c-aacb-a477e6b96277
Result
Threat name:
Raccoon Stealer v2, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1178213
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer v2
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 811039 Sample: file.exe Startdate: 17/02/2023 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 11 other signatures 2->62 8 file.exe 3 2->8         started        process3 file4 34 C:\Users\user\AppData\Local\...\file.exe.log, CSV 8->34 dropped 64 Detected unpacking (changes PE section rights) 8->64 66 Query firmware table information (likely to detect VMs) 8->66 68 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->68 70 5 other signatures 8->70 12 AddInProcess32.exe 21 8->12         started        17 DataSvcUtil.exe 8->17         started        19 AddInUtil.exe 8->19         started        21 4 other processes 8->21 signatures5 process6 dnsIp7 50 t.me 149.154.167.99, 443, 49694 TELEGRAMRU United Kingdom 12->50 52 78.46.254.12, 49695, 80 HETZNER-ASDE Germany 12->52 54 bbc-s.news 172.67.222.163, 443, 49696 CLOUDFLARENETUS United States 12->54 44 C:\Users\user\AppData\Local\...\12333[1].exe, PE32 12->44 dropped 46 C:\ProgramData\29478256518962253570.exe, PE32 12->46 dropped 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->80 82 Tries to steal Mail credentials (via file / registry access) 12->82 84 Tries to harvest and steal browser information (history, passwords, etc) 12->84 86 2 other signatures 12->86 23 29478256518962253570.exe 48 12->23         started        28 cmd.exe 1 12->28         started        file8 signatures9 process10 dnsIp11 48 94.142.138.37, 49702, 80 IHOR-ASRU Russian Federation 23->48 36 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 23->36 dropped 38 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 23->38 dropped 40 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 23->40 dropped 42 4 other files (2 malicious) 23->42 dropped 72 Multi AV Scanner detection for dropped file 23->72 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->74 76 Machine Learning detection for dropped file 23->76 78 3 other signatures 23->78 30 conhost.exe 28->30         started        32 timeout.exe 1 28->32         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-02-17 18:48:40 UTC
File Type:
PE+ (Exe)
Extracted files:
6978
AV detection:
13 of 25 (52.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zigazju6zz4oruo4w6yqmsuno2uvuuaclmxkqlmqpxm6e62tfogq._file
Verdict:
unknown
Similar samples:
08f081b383a3e66e4e1caad317f7fe1880f9f9a260716a4e6c3e827aac38d3b3
Vidar
19a3afda425e8c5a7b12775c2b90a18eaadd211e78ee3469371195b4bacca4e6
Vidar
1c65c0a262a9372726369cd3ba23e23086c490c2d816123ff4973a725ff8f5c0
Vidar
32d3cdae010be4cb4bbff8ee5f714de9bd61f22d587490c1dec81d09c13dd137
Vidar
5a3939b015f210933a85716d810399ce3ab24d39f1de09edd358a0418343498c
Vidar
716b0374e1cc500e077f59d1ef2ac24b956495dd2554f2953ba539e71daae747
Vidar
8a6339b6e79033962ce34c39670d3c7cd45550fb23b64338fd3e816bb867b76f
Vidar
af86dd9ed4d6e78298ab4e29b0495a43cbb5bee2f457a158fe1e35c851afd178
Vidar
c8e418a9972b8750c050b6ff4a61172b44c20acc6fd6c21d5e948f98d3389268
Vidar
e41ae1b899245242df356489d4c883bd7b6477f82fe1df32371a4d2b471b370c
Vidar
+ 2'489 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:813 discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/230217-xfrg3sgg99/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Unpacked files
SH256 hash:
ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d
MD5 hash:
a27435d71d3c86e923a81fd66d5118bf
SHA1 hash:
9d4ed8fb149d0dc4de28e41e66ac17b849b8fcbd
Link:
https://www.unpac.me/results/34744fc5-002d-4876-b89d-ee12e3c26595/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca0c0ca69ece/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/367783/

Comments