MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbab2f6767f4b80287642e550cd8aaed4ca8bc58cc8dcd48c3ef6d3a65975a94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments 1

SHA256 hash:	cbab2f6767f4b80287642e550cd8aaed4ca8bc58cc8dcd48c3ef6d3a65975a94
SHA3-384 hash:	e11185a7a9d3e2f9ba2e7480fe59d898f4bd4290fe0d1a0f923be52e35e3596bdfd692f7e9545a519bc404be002fca45
SHA1 hash:	81c799ba09bd544294bdf874d8e7503a770e81b2
MD5 hash:	ae1bdc0bc450dd2add023f8ad71f9db1
humanhash:	alabama-asparagus-shade-five
File name:	ae1bdc0bc450dd2add023f8ad71f9db1
Download:	download sample
Signature	Vidar Create hunting rule
File size:	297'984 bytes
First seen:	2024-01-15 06:20:52 UTC
Last seen:	2024-01-15 08:22:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bcf77c2c3cd3748f83f9c44cda23fdb3 (3 x Vidar)
ssdeep	6144:giKNqzy8JFjVSZSJOyBiCmL5QZPNKNSQ7+STtqR9YjoD6vizk13Kb:gi+q9I92Q1Tt3hvOb
TLSH	T185547C1091108031F3341573D55DA6ADC99F9AB22371F4CB6BA6287DDE259C2E339F2B
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

398

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/470871/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.6928.30103.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm stealer

Link:

https://www.filescan.io/uploads/65a4cecf59502c0e7b372d95/reports/0e39f637-8ba1-42a7-b577-cc18451e81dc/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/cbab2f6767f4b80287642e550cd8aaed4ca8bc58cc8dcd48c3ef6d3a65975a94

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a37c1f64-e45a-4f66-896f-7bf06ccd19c3

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1374609

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM3

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cbab2f6767f4b80287642e550cd8aaed4ca8bc58cc8dcd48c3ef6d3a65975a94

Detection:

vidar

Link:

https://mwdb.cert.pl/sample/cbab2f6767f4b80287642e550cd8aaed4ca8bc58cc8dcd48c3ef6d3a65975a94/

Threat name:

Win32.Spyware.Vidar

Status:

Suspicious

First seen:

2024-01-11 09:49:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zovs6z3h6s4afb3efzkqzwfk5vgkrpcyzsg42sgd55wtuzmxlkka._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar stealer

Link:

https://tria.ge/reports/240115-g4bhrsbhc4/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

cbab2f6767f4b80287642e550cd8aaed4ca8bc58cc8dcd48c3ef6d3a65975a94

MD5 hash:

ae1bdc0bc450dd2add023f8ad71f9db1

SHA1 hash:

81c799ba09bd544294bdf874d8e7503a770e81b2

Detections:

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Link:

https://www.unpac.me/results/1c66078c-7270-4363-a97c-3b833f8fa7b1/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cbab2f6767f4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cbab2f6767f4b80287642e550cd8aaed4ca8bc58cc8dcd48c3ef6d3a65975a94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Dlls Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion