MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d50054c0868e4a89b232c9741e1cb699bbf6edd4021127257f50c8b7b5fc1bcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 11

Intelligence 11 IOCs YARA 12 File information Comments

SHA256 hash:	d50054c0868e4a89b232c9741e1cb699bbf6edd4021127257f50c8b7b5fc1bcc
SHA3-384 hash:	8b6a18d64acd751532c0d38dd07c8b7117677be2ef9db0153c94045f4af8e7638695a7628641bd2df614239cdffca04b
SHA1 hash:	536bdccd1bbe6e002f70b207dc8b80daf7a91ca7
MD5 hash:	e9c0a301881afbb741815a13cc5cda9e
humanhash:	mike-bacon-ink-solar
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	2'664'632 bytes
First seen:	2023-07-24 15:01:33 UTC
Last seen:	2025-01-23 17:35:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	49152:4ImtP7SYFL/kWmzfXXtraU9msh8LSD4JkONlIuAgyN30HV7uCulhT5/NHf:4IwP7vbmzPXtp3MfvHB5uCcV/
TLSH	T193C533A3A205C14DC0D6FFB60B77D761C33CFDA62C549A60EE8D9287603A9163E0E1D6
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	f4c4dcecccccc4f4 (1 x Vidar)
Reporter	andretavare5
Tags:	exe signed vidar

Code Signing Certificate

Organisation:	Logitech ZC-9015 USA State of Washington
Issuer:	Logitech ZC-9015 USA State of Washington
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-12-24T20:59:06Z
Valid to:	2032-12-25T20:59:06Z
Serial number:	3fdc7a3e7e965eb64e3a1acec732b0e3
Intelligence:	16 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	68956e7cc6836a711e93e83340b6fc3b6cf0ca876e7af6dd1c7d5d14725bca00
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://vk.com/doc801981293_666928889?hash=DGznlZWqWXpDE8sKjcpxiqhZJtroYmYaSrXZAq0fv7c&dl=UrNNa5AZJjTePxYYUt2gB9auV6CqS0H5y6SnqqUrIUo&api=1&no_preview=1#vdr

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/431144/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.25312.8748.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Launching a process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d50054c0868e4a89b232c9741e1cb699bbf6edd4021127257f50c8b7b5fc1bcc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/71bd30a1-db39-4140-a93f-4678f2c9626e

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1278409

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Searches for specific processes (likely to inject)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d50054c0868e4a89b232c9741e1cb699bbf6edd4021127257f50c8b7b5fc1bcc/

Threat name:

Win32.Spyware.Vidar

Status:

Suspicious

First seen:

2023-07-24 15:02:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2uafjqegrzfitmrszf2b4hfwtg57n3ouaiisojl7kdelpnp4dpga._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:https://t.me/dastantim evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/230724-seflzaef43/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar

Malware Config

C2 Extraction:

https://t.me/dastantim
https://steamcommunity.com/profiles/76561199529242058

Unpacked files

SH256 hash:

1c0239a8d30b4f2b051569f1af88f2cf7e63de9409299264a2f68ba3f3275627

MD5 hash:

4473a2ef211648993a0a266e2d1d54f6

SHA1 hash:

f98aaf7436fdb0d7b4bdb25135d0ec599cb46806

Link:

https://www.unpac.me/results/5e092a64-03a8-4301-914d-45266b52802a/

SH256 hash:

6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c

MD5 hash:

c5124caf4aea3a83b63a9108fe0dcef8

SHA1 hash:

a43a5a59038fca5a63fa526277f241f855177ce6

Link:

https://www.unpac.me/results/5e092a64-03a8-4301-914d-45266b52802a/

SH256 hash:

bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808

MD5 hash:

7a7927bac28be846b2fd2a5d10ba0676

SHA1 hash:

67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d

Link:

https://www.unpac.me/results/5e092a64-03a8-4301-914d-45266b52802a/

Parent samples :

fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f

SH256 hash:

d50054c0868e4a89b232c9741e1cb699bbf6edd4021127257f50c8b7b5fc1bcc

MD5 hash:

e9c0a301881afbb741815a13cc5cda9e

SHA1 hash:

536bdccd1bbe6e002f70b207dc8b80daf7a91ca7

Link:

https://www.unpac.me/results/5e092a64-03a8-4301-914d-45266b52802a/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d50054c0868e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

vidar

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d50054c0868e4a89b232c9741e1cb699bbf6edd4021127257f50c8b7b5fc1bcc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/431144/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample