MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d006278368f6815fd40a2aa47c455c46f87f616bfae93f714dc1fae67038f8b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d006278368f6815fd40a2aa47c455c46f87f616bfae93f714dc1fae67038f8b5
SHA3-384 hash: 141050acd8c56802e8448ca6ced51c43f3c01df18d61e38d8560fb24b73ff73ab68f3a7348331f77f7747430252679ad
SHA1 hash: 7ed1131a8853e9e953d149804dbd8d10622f5f47
MD5 hash: c5008d5b25a861948430ee2d2a279fc5
humanhash: delta-kitten-spaghetti-muppet
File name:QuickSearch.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:3'482'624 bytes
First seen:2023-04-24 00:45:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 55598916d3559b7ff87df57da236c990 (6 x Vidar)
ssdeep 49152:eoxEgvY/7fC6JR4dWpvb1LePNf336NCVTQPpm/TGaQMxWdr48JISLxh1R4CGvQ2/:xEUdWTeFf33o6QRsGAY3txh1RFt
Threatray 737 similar samples on MalwareBazaar
TLSH T107F523902D4AD81DE90E02735703052164F81FB41EFA898F9287FB5A9F461CF49BAD6F
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c0d0f2f6f636fc78 (1 x Vidar)
Reporter Chainskilabs
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
896
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QuickSearch.exe
Verdict:
Malicious activity
Analysis date:
2023-04-24 00:46:21 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/262f9f70-57c6-44cd-a5ca-f6feefcc8a6b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Kryptik.224.29234.4120.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed packed
Link:
https://www.filescan.io/uploads/6445d14a5ff821708a43fcc2/reports/95fe8294-33f2-41da-b401-32f61224b1f1/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/d006278368f6815fd40a2aa47c455c46f87f616bfae93f714dc1fae67038f8b5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Kraken
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/271960b7-f30c-400f-85a7-2e2d9b6b28b4
Result
Threat name:
Laplas Clipper, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1219606
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses powercfg.exe to modify the power settings
Yara detected Laplas Clipper
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 852552 Sample: QuickSearch.exe Startdate: 24/04/2023 Architecture: WINDOWS Score: 100 64 xmr.2miners.com 2->64 66 pastebin.com 2->66 74 Snort IDS alert for network traffic 2->74 76 Multi AV Scanner detection for domain / URL 2->76 78 Found malware configuration 2->78 80 13 other signatures 2->80 9 QuickSearch.exe 27 2->9         started        14 cmd.exe 1 2->14         started        16 cmd.exe 1 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 68 t.me 149.154.167.99, 443, 49695 TELEGRAMRU United Kingdom 9->68 70 116.203.220.83, 11111, 49696 HETZNER-ASDE Germany 9->70 72 cdn.discordapp.com 162.159.135.233 CLOUDFLARENETUS United States 9->72 56 C:\Users\user\AppData\Local\...\x64[1].exe, PE32+ 9->56 dropped 58 C:\Users\user\AppData\Local\...\auto[1].exe, MS-DOS 9->58 dropped 60 C:\Users\user\AppData\...\Updater[1].exe, PE32+ 9->60 dropped 62 3 other malicious files 9->62 dropped 98 Detected unpacking (changes PE section rights) 9->98 100 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 9->100 102 Self deletion via cmd or bat file 9->102 112 3 other signatures 9->112 20 08062168518154057657.exe 2 9->20         started        24 63699630983335299369.exe 1 9->24         started        26 45133357378961122671.exe 9->26         started        28 cmd.exe 9->28         started        104 Uses powercfg.exe to modify the power settings 14->104 106 Modifies power options to not sleep / hibernate 14->106 30 conhost.exe 14->30         started        34 5 other processes 14->34 36 5 other processes 16->36 108 Creates files in the system32 config directory 18->108 110 Adds a directory exclusion to Windows Defender 18->110 32 conhost.exe 18->32         started        38 14 other processes 18->38 file6 signatures7 process8 file9 50 C:\Users\user\AppData\Roaming\...\ntlhost.exe, MS-DOS 20->50 dropped 82 Multi AV Scanner detection for dropped file 20->82 84 Detected unpacking (changes PE section rights) 20->84 86 Query firmware table information (likely to detect VMs) 20->86 96 4 other signatures 20->96 52 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 24->52 dropped 54 C:\Windows\System32\drivers\etc\hosts, ASCII 24->54 dropped 88 Modifies the hosts file 24->88 90 Adds a directory exclusion to Windows Defender 24->90 92 Antivirus detection for dropped file 26->92 94 Tries to harvest and steal browser information (history, passwords, etc) 26->94 40 cmd.exe 26->40         started        42 conhost.exe 28->42         started        44 timeout.exe 28->44         started        signatures10 process11 process12 46 conhost.exe 40->46         started        48 choice.exe 40->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d006278368f6815fd40a2aa47c455c46f87f616bfae93f714dc1fae67038f8b5/
Threat name:
Win32.Trojan.Cryware
Create hunting rule
Status:
Malicious
First seen:
2023-04-24 00:46:10 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2adcpa3i62av7vakfkshyrk4i34h6yll7lut64knyh5om4by7c2q._file
Verdict:
malicious
Similar samples:
57a42578cd476e0bd47ccb6cd8cd1812964e470e94e8f90722350ce56379c305
Vidar
733501d537884cca4a051c6669c594411f55c910a4b71a0d31e5c622641b841d
Vidar
7b3490f8e6e987badc243711d591544d535383d8cedd23421084f97bda84c17a
Vidar
83e593364f1beb5811a8a29f95e5a3b674cf3eba6fd8bcf5a5231d9c668a8987
Vidar
95f429b6b59cf4098b2ff0bf681a202e8c22987bdbdeead2a589346960f0997a
Vidar
b5b6c61866f1fa1ac5dfb9c2e93888ba463c56d39d535576f46eefac70a4e5d6
Vidar
bccd81dfc84e37c77d12fc1a145b6854962eee72ac1b73013473022562c04d27
Vidar
d86b56fbb2ae739877ad2143f719b0c60df88b6d773c9f837f8490fb157ec165
Vidar
e31e544efa2ec5206c6e96340a4d85282ac0dfce7f96134965c2f576a71d07d6
Vidar
+ 727 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
5f4b812c514ab48ef84fddbff7d1ab3f34dc14c5b43ba6e5c5dbee4dc8dd7d69
MD5 hash:
db9dedb4ed1feffaa7eff6acda4e3faf
SHA1 hash:
b7451afe273395ca4674ac601839d1c8d3f933d5
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/97e40097-c112-4efb-89b9-c6c4aed0330c/
SH256 hash:
d006278368f6815fd40a2aa47c455c46f87f616bfae93f714dc1fae67038f8b5
MD5 hash:
c5008d5b25a861948430ee2d2a279fc5
SHA1 hash:
7ed1131a8853e9e953d149804dbd8d10622f5f47
Link:
https://www.unpac.me/results/97e40097-c112-4efb-89b9-c6c4aed0330c/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d006278368f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d006278368f6815fd40a2aa47c455c46f87f616bfae93f714dc1fae67038f8b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Telegram_Links
Create hunting rule
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:win_vidar_a_a901
Create hunting rule
Author:Johannes Bader
Description:detect unpacked Vidar samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe d006278368f6815fd40a2aa47c455c46f87f616bfae93f714dc1fae67038f8b5

(this sample)

  
Delivery method
Distributed via web download

Comments