MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
SHA3-384 hash: 8679be273fec2e9ebe8110edc47cd40a7e6b17b346ae743bf4e8783a558567515c2d42a186f406584d907ffcaa45a893
SHA1 hash: bb8de537a9502abcc9b2ea48d9705ff95f44b73a
MD5 hash: 1923715e6214c54be40797c3d821fbfc
humanhash: cat-lima-football-fanta
File name:1923715E6214C54BE40797C3D821FBFC.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:3'974'278 bytes
First seen:2021-09-02 00:10:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yht/20k51M8Ubz0aDAbCZ11x3vhNrG+mqh4IIQ:yhA0k5Ohz0ZWZPxf7Eqn
Threatray 95 similar samples on MalwareBazaar
TLSH T1AF06339BA61AE88FF6D54B32725071D31CACC0702169F0D347E0679C784AD6AB0D77EA
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.144/ https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1923715E6214C54BE40797C3D821FBFC.exe
Verdict:
No threats detected
Analysis date:
2021-09-02 00:12:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3598838e-b115-41d3-922a-d118dd8e08c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184602/
Detection(s):
Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
DNS request
Creating a process from a recently created file
Creating a file
Searching for the window
Deleting a recently created file
Running batch commands
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Sending a UDP request
Creating a window
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a process with a hidden window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d15547d6-a51c-4da2-984e-1c6a51af64e3
Result
Threat name:
Cookie Stealer RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843705
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476136 Sample: gH9lV6lXvc.exe Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 98 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->98 100 34.97.69.225 GOOGLEUS United States 2->100 102 162.159.134.233 CLOUDFLARENETUS United States 2->102 120 Antivirus detection for URL or domain 2->120 122 Antivirus detection for dropped file 2->122 124 Multi AV Scanner detection for dropped file 2->124 126 15 other signatures 2->126 13 gH9lV6lXvc.exe 10 2->13         started        signatures3 process4 file5 96 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 13->96 dropped 16 setup.exe 8 13->16         started        process6 file7 60 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 16->60 dropped 62 C:\Users\user\AppData\...\setup_install.exe, PE32 16->62 dropped 64 C:\Users\user\AppData\Local\...\libzip.dll, PE32 16->64 dropped 66 3 other files (none is malicious) 16->66 dropped 19 setup_install.exe 3 16->19         started        process8 file9 68 C:\Users\user\...\83904ea3382de84ea.exe, PE32 19->68 dropped 22 cmd.exe 1 19->22         started        25 conhost.exe 19->25         started        process10 signatures11 128 Adds a directory exclusion to Windows Defender 22->128 27 83904ea3382de84ea.exe 16 22->27         started        process12 file13 70 C:\Users\user\AppData\...\setup_install.exe, PE32 27->70 dropped 72 C:\Users\user\AppData\...\Sun21dd3b887a3.exe, PE32 27->72 dropped 74 C:\Users\user\AppData\...\Sun21cfc7686a.exe, PE32 27->74 dropped 76 11 other files (6 malicious) 27->76 dropped 30 setup_install.exe 1 27->30         started        process14 dnsIp15 118 127.0.0.1 unknown unknown 30->118 158 Adds a directory exclusion to Windows Defender 30->158 34 cmd.exe 30->34         started        36 cmd.exe 1 30->36         started        38 cmd.exe 1 30->38         started        40 7 other processes 30->40 signatures16 process17 signatures18 43 Sun21dd3b887a3.exe 34->43         started        48 Sun21cfc7686a.exe 36->48         started        50 Sun21caad43cbccfb.exe 1 38->50         started        130 Adds a directory exclusion to Windows Defender 40->130 52 Sun21ab69e87d0.exe 40->52         started        54 Sun211972de1e.exe 3 40->54         started        56 Sun21688b2b2b63.exe 40->56         started        58 2 other processes 40->58 process19 dnsIp20 104 37.0.10.214 WKD-ASIE Netherlands 43->104 106 37.0.10.237 WKD-ASIE Netherlands 43->106 110 9 other IPs or domains 43->110 78 C:\Users\...\y_BbfnanZTksVe_eAKihqR59.exe, PE32 43->78 dropped 80 C:\Users\...\yNCDPLu5QqLWqNG9HtRsFjLC.exe, PE32 43->80 dropped 82 C:\Users\...\yJiHdcc9Vnwz7y21fX4farX5.exe, PE32 43->82 dropped 92 47 other files (45 malicious) 43->92 dropped 132 Drops PE files to the document folder of the user 43->132 134 Creates HTML files with .exe extension (expired dropper behavior) 43->134 136 Tries to harvest and steal browser information (history, passwords, etc) 43->136 138 Disable Windows Defender real time protection (registry) 43->138 140 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 48->140 142 Maps a DLL or memory area into another process 48->142 144 Checks if the current machine is a virtual machine (disk enumeration) 48->144 146 Creates a thread in another existing process (thread injection) 48->146 112 2 other IPs or domains 50->112 148 Contains functionality to steal Chrome passwords or cookies 50->148 114 2 other IPs or domains 52->114 84 C:\Users\user\AppData\Roaming\8452968.exe, PE32 52->84 dropped 86 C:\Users\user\AppData\Roaming\7544811.exe, PE32 52->86 dropped 94 2 other files (none is malicious) 52->94 dropped 150 Detected unpacking (changes PE section rights) 52->150 116 2 other IPs or domains 54->116 88 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 54->88 dropped 152 Creates processes via WMI 54->152 108 74.114.154.22 AUTOMATTICUS Canada 56->108 154 Machine Learning detection for dropped file 56->154 90 C:\Users\user\AppData\...\Sun218856081dd1.tmp, PE32 58->90 dropped 156 Antivirus detection for dropped file 58->156 file21 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 08:54:29 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lmq6awm27b72g2g2ztqqfjjugxyc4xeuup63jdbzdjfaca4gvea._file
Verdict:
malicious
Similar samples:
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
Adware.FileTour
1cf6570844a3a440ad731d0c72ed9bd8369f2cfb44243a952942f91097767776
Adware.FileTour
4f71b2a4b8c2b49695b57ac172f6fc30e7f7816439c716d5f7b45ca7dcf0a182
Adware.FileTour
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
Adware.FileTour
59babf45239a61449061a606bd3f578c3caf0d604c1b9db4504e74582c6a4d30
Adware.FileTour
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
Adware.FileTour
ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77
Adware.FileTour
bda2b27d917dc919d2df7f2768a5d20f4f554e6f0eeb687f5ac45b53aecbb2f3
Adware.FileTour
f7a805b251505433e34517da69eccb73955a424bb9d9061309091cf52c07a349
Adware.FileTour
+ 85 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:vidar family:xmrig botnet:706 aspackv2 backdoor discovery miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/210902-7qtwzsntkj/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
XMRig Miner Payload
Process spawned unexpected child process
SmokeLoader
Vidar
xmrig
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
16fe676f338597ae7eb18cb0b514a5112e1647350b8415ab1a5acc2e49bcfb51
MD5 hash:
81f4be10fd5f6c757d7b4a0edba497c2
SHA1 hash:
d9cf8601bb46ce25660b5b0be7e42f1c3b3d9eae
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
1b9d29f4887cb5ec2f7980f3b51fccf0eb699bf81361b31342e9a895cc362c8d
MD5 hash:
abea1f518f0b3957a1755eae02698ca3
SHA1 hash:
b3130e09832595c47cfb06a883388fabdd5bc488
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
adaebc4e58571c1f9ed4d7f2dd69045c4e7f1b7781dee2e97d5090e4ba7630e4
MD5 hash:
bc972d6cf21476d7396095f1452e359a
SHA1 hash:
97286c9348dcd80e99b686b1bfaf00b32e2ef28d
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
3e9fbd899c570ef27f7af37a63aae9b2d1b3a5e6717e571b9e8ed6efcf63778b
MD5 hash:
56d5c8e1d4431050061e2d1b8a9a22b0
SHA1 hash:
3d071f57add429765045b7aa61715086ac061ddd
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
aff5052dcaceac8cc0d97983c19091be8f1d2fa3b2ea4f649adf0c16855bc8b8
MD5 hash:
b32e81cfce4fb1d3a87156891c95e35c
SHA1 hash:
9a1b6b18d71016d4b7ebe5abbfaaa204d51ece86
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
a1a1f636b65bd84247c87965980f3adc0fa1316506a56bb6ea1042de0c9526c6
MD5 hash:
638e8b3e6640a0885cd8a1fe8ff70065
SHA1 hash:
56e819d5ff1b424f1c8d39d82d699f5567bcfac9
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
f685aef2ddfd2eeb04b4873c0c151c2c637ef062d555b5b26075a9a9eea6d3e2
MD5 hash:
2104b319e36c13db83ca6f29d8fcce36
SHA1 hash:
c036341392dac602265baeaa3bd985d1e48ac6a8
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
e25456bd6f307c02f6796333fd06070c43af3e6a1b21fa5bf44a16135578c7f8
MD5 hash:
f8e520117dea6c03353c8500195fc83e
SHA1 hash:
d96db8e297a41437ab7453e6285fd361d23694f0
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
c12ca8a9c29faccf92d8f579aa1dde3f4cd0e51e88ba36e510aa2bdff30d364f
MD5 hash:
c0583e01fa34ca6f068c3e83126f32d4
SHA1 hash:
84511598ca96e1be00c1dbfa36b35abbbf262941
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
119098fa80110811c47a3c9b6f8306b6839dbb2efe310bd8ffde0085faad3c31
MD5 hash:
7f25b2273aca782b7c0d4ebbb3bacde6
SHA1 hash:
e83a5e91494e263490f4a8bf7f10ab242e99a8bc
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
a680505d791fe287517246c9caf2399f1e5c970b7d63daf03dad4f3432f07ff3
MD5 hash:
68d1b5e1980c81d60c5a6e6154120fbb
SHA1 hash:
2e756a2e5a7906262629951ee3ca50fe8543cf8b
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
SH256 hash:
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
MD5 hash:
1923715e6214c54be40797c3d821fbfc
SHA1 hash:
bb8de537a9502abcc9b2ea48d9705ff95f44b73a
Link:
https://www.unpac.me/results/057ad69c-f562-40bf-9599-954b13df5a7c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d2d90f02ccd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184602/

Comments