MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4
SHA3-384 hash: 15990b1f965a61bef0c27528cca0eed8eb0b7b398ed063d4347f3e4d93f06a8af2ee1bd8bade00d6fdf67ca352bf4de4
SHA1 hash: 54b5b0020294dd9894300dab058846879ac4feca
MD5 hash: 94059c16f85fbb2ed9f875fc0567d2db
humanhash: bulldog-mockingbird-lithium-fanta
File name:SecuriteInfo.com.Win64.CrypterX-gen.5834.27621
Download: download sample
Signature Vidar
Create hunting rule
File size:918'016 bytes
First seen:2025-03-24 03:24:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d743740f06aa0a325bb5c948f63319ce (24 x LummaStealer, 3 x Vidar)
ssdeep 12288:kt2BxheJBtYqmlf4feLUqJ2kAGptEVnN3Dv13BsnMipoMex+p03HGUjfs+S+3NGz:3IaJbU8CDsMixexO/cGEPm
Threatray 17 similar samples on MalwareBazaar
TLSH T1A1151BBF31AB3549FE624C30AFECB660CB57287ACD6BD9F14592A0302D35092EC56917
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
405
Origin country :
FR FR
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e19802acb044ea849e79ff
Tags:
injection obfusc
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypt lolbin microsoft_visual_cc msbuild packed packed packer_detected
Link:
https://www.filescan.io/uploads/67e0d0b2195c2ecf47efdaaa/reports/c5541ffc-1bb9-406c-a3b0-7ce63161dad4/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/45a0859c-c787-46ad-b603-ed1930d9aee0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1646501
Signature
Allocates memory in foreign processes
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646501 Sample: SecuriteInfo.com.Win64.Cryp... Startdate: 24/03/2025 Architecture: WINDOWS Score: 100 50 x.p.formaxprime.co.uk 2->50 52 t.me 2->52 54 3 other IPs or domains 2->54 84 Suricata IDS alerts for network traffic 2->84 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 5 other signatures 2->90 9 SecuriteInfo.com.Win64.CrypterX-gen.5834.27621.exe 1 2->9         started        12 msedge.exe 617 2->12         started        signatures3 process4 dnsIp5 92 Writes to foreign memory regions 9->92 94 Allocates memory in foreign processes 9->94 96 Injects a PE file into a foreign processes 9->96 15 MSBuild.exe 29 9->15         started        19 conhost.exe 9->19         started        62 239.255.255.250 unknown Reserved 12->62 21 msedge.exe 12->21         started        23 msedge.exe 12->23         started        25 msedge.exe 12->25         started        27 msedge.exe 12->27         started        signatures6 process7 dnsIp8 64 x.p.formaxprime.co.uk 167.235.59.196, 443, 49713, 49714 ALBERTSONSUS United States 15->64 66 t.me 149.154.167.99, 443, 49712 TELEGRAMRU United Kingdom 15->66 68 127.0.0.1 unknown unknown 15->68 76 Attempt to bypass Chrome Application-Bound Encryption 15->76 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->78 80 Found many strings related to Crypto-Wallets (likely being stolen) 15->80 82 5 other signatures 15->82 29 msedge.exe 2 11 15->29         started        32 chrome.exe 15->32         started        35 cmd.exe 15->35         started        70 ax-0003.ax-msedge.net 150.171.28.12, 443, 49790 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->70 72 c-msn-pme.trafficmanager.net 20.110.205.119, 443, 49780, 49812 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->72 74 32 other IPs or domains 21->74 signatures9 process10 dnsIp11 98 Monitors registry run keys for changes 29->98 37 msedge.exe 29->37         started        48 192.168.2.5, 138, 443, 49407 unknown unknown 32->48 39 chrome.exe 32->39         started        42 chrome.exe 32->42         started        44 conhost.exe 35->44         started        46 timeout.exe 35->46         started        signatures12 process13 dnsIp14 56 plus.l.google.com 142.251.40.142, 443, 49744 GOOGLEUS United States 39->56 58 www.google.com 142.251.40.228, 443, 49731, 49732 GOOGLEUS United States 39->58 60 2 other IPs or domains 39->60
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4/
Threat name:
Win64.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-03-23 12:58:06 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zx2idnusfsgcpri3xtpmst3oyqnrx7uxog7p6irqncwqfikfqxka._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
1385425f7534e6b25d2d1e24afd285f6f1ef7e526af0f3b2d7dd4b192e0404d7
Vidar
1791b49625ea67a1035252f25b155627617e3c49053aa14012b6d194e60ccf5b
Vidar
2e0b126dd788c027ca69b01335d4a08da28987c3c4296a3523d947da3c12cdc2
Vidar
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397
Vidar
b28e8a5c04dbfcbf462014aedc83bafec26d0eedebefca620b740df26cb09700
Vidar
cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4
Vidar
error
Vidar
+ 7 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:a16f3435ba2c2ab0207ee04297cb1864 credential_access discovery spyware stealer
Link:
https://tria.ge/reports/250324-dypawsypx7/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsecured Credentials: Credentials In Files
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/g_etcontent
https://steamcommunity.com/profiles/76561199832267488
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/7b867171-8963-407b-84ef-febd849e5ff0
Unpacked files
SH256 hash:
cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4
MD5 hash:
94059c16f85fbb2ed9f875fc0567d2db
SHA1 hash:
54b5b0020294dd9894300dab058846879ac4feca
Link:
https://www.unpac.me/results/99a8d6ef-0564-4004-a9a0-54fe6b8dd3fe/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cdf481b6922c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3487675/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments