MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb7bde9bc49e37dd659764896f704e1b12821b107cd9d45483c7fa9f99990ba5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar

Vendor detections: 9


SHA256 hash: cb7bde9bc49e37dd659764896f704e1b12821b107cd9d45483c7fa9f99990ba5
SHA3-384 hash: 919dca0aba288b9d90410513bbb75bc8cb83cd5cc79096be524ec542d2164a4df3426ce5180bae3711eebd6e49dc96ec
SHA1 hash: 7d048dcb968c38244a381474a484d02c6da95088
MD5 hash: d43cb6886e87df033e42097669e4399b
humanhash: finch-golf-sad-mobile
File name: cb7bde9bc49e37dd659764896f704e1b12821b107cd9d45483c7fa9f99990ba5.ps1
Signature: Vidar
File size: 3'284 bytes
First seen: 2025-04-11 04:52:30 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 96:IwReTPfPBPZPtsPkJPxP4P/P2PFBR/FWVmm8pWfQ:IwReTPfPBPZPtsPkJPxP4P/P2PFBR/sY
TLSH: T1C06146067678E32811C953750E4CE8A4833A062F9135AD64F3CCDA546F521EA9FBE754
Magika: powershell
Reporter: Anonymous
Tags: dropper ps1 stealer vidar

Intelligence

File Origin
# of uploads: 1
# of downloads: 173
Origin country: CA
Vendor Threat Intelligence

Verdict: Malicious
Score: 96.5%
Tags: ransomware dropper virus

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: dropper packed persistence

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID 1662796, Sample g8P4C3jHSJ.ps1, Startdate 11/04/2025, Architecture WINDOWS, Score 100 (graph rendering omitted; the process tree covers powershell.exe, updater.exe, MSBuild.exe, msedge.exe and chrome.exe, with the contacted domains listed under Malware Config below)
Threat name: Script-PowerShell.Trojan.Powdow
Status: Malicious
First seen: 2025-04-11 04:53:10 UTC
File Type: Text (PowerShell)
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:4f1150b046a37dfa43f98bdd082b0edf credential_access defense_evasion discovery execution persistence spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Hide Artifacts: Hidden Window
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/f07nd
https://steamcommunity.com/profiles/76561199843252735
Dropper Extraction:
https://ravenfootballclub.com/wp-content/crypted.exe
https://installsh.pages.dev/config.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: SUSP_PowerShell_Base64_Decode
Author: SECUINFRA Falcon Team
Description: Detects PowerShell code to decode Base64 data. This can yield many FP

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Vidar: PowerShell (PS) ps1, cb7bde9bc49e37dd659764896f704e1b12821b107cd9d45483c7fa9f99990ba5 (this sample)