MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce413076bd4212fe671fe3cd3da55f426bc4a8a198630f3f1a8aa51b973af62b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 9



SHA256 hash: ce413076bd4212fe671fe3cd3da55f426bc4a8a198630f3f1a8aa51b973af62b
SHA3-384 hash: b5efc2e77d2bf4b06e73a9d5265d032df8e232a37a4632a9f437aeb6112967375af64adc7c0e88860c0068c575b5f77c
SHA1 hash: 0bf1829477a1f146177ca52e04d973056a43dccc
MD5 hash: 35e56be94682a26ae1716b5a9a90e864
humanhash: ten-stairway-july-hot
File name: lawlead.hta
Signature: Vidar
File size: 107'081 bytes
First seen: 2025-06-03 06:41:28 UTC
Last seen: 2025-06-11 10:13:57 UTC
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 1536:D+fYsBsIDjBL2ykEfUbl+d32aFd3ZaDVJwGsyIBI9qhb05Cede0yO:D+fYsvSESkme0V
TLSH: T137A3FF876EE5F40721CF1F636F1B65F6F52E47E5359028079238BAC96864A02F2B0DB4
Magika: txt
Reporter: abuse_ch
Tags: 195-82-147-93 hta vidar

Intelligence


File Origin
Number of uploads: 3
Number of downloads: 93
Origin country: DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Tags:
dropper trojan sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Behaviour
BlacklistAPI detected
Result
Threat name:
Cobalt Strike, Vidar
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Benign windows process drops PE files
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Detected Cobalt Strike Beacon
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Parents
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download files via bitsadmin
Tries to harvest and steal browser information (history, passwords, etc)
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Powershell decode and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1704607, Sample: lawlead.hta, Start date: 03/06/2025, Architecture: WINDOWS, Score: 100. The graph covers the process tree spawned from mshta.exe (bitsadmin.exe downloads, svchost.exe dropping PE files, .NET compilation through csc.exe and cvtres.exe, injection into AddInProcess32.exe and AppLaunch.exe, PowerShell and browser child processes) together with the contacted IPs and domains and the triggered signatures.
Threat name:
Script-JS.Trojan.Heuristic
Status:
Malicious
First seen:
2025-06-03 06:42:21 UTC
File Type:
Text (HTML)
Extracted files:
2
AV detection:
6 of 37 (16.22%)
Threat level:
2/5
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery
Behaviour
Program crash
System Location Discovery: System Language Discovery
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SUSP_obfuscated_JS_obfuscatorio
Author: @imp0rtp3
Description: Detect JS obfuscation done by the js obfuscator (often malicious)
Reference: https://obfuscator.io

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File type: HTML Application (hta)
SHA256: ce413076bd4212fe671fe3cd3da55f426bc4a8a198630f3f1a8aa51b973af62b (this sample)

Delivery method
Distributed via web download

Comments