MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d69aa2521826d527ff78c9fff569d344cb4bbb93bb781d4b7e5d1d29ce1ce1a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 16


SHA256 hash: d69aa2521826d527ff78c9fff569d344cb4bbb93bb781d4b7e5d1d29ce1ce1a9
SHA3-384 hash: 0b95ab4056deb6b729850f3ef696464abf00d5ed8bb2104fe4fb1b0455a433ed0ce485bdaf73bb7d21e057b7bb13cfbc
SHA1 hash: 0fdc279efc090a9b3e421b28d06b8dc0aef0d2b8
MD5 hash: 9a9f46fcecc308ef34b8148038a16596
humanhash: kentucky-robert-eleven-mississippi
File name: Ruzvelt.exe
Signature: Vidar
File size: 344'064 bytes
First seen: 2023-05-13 22:56:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8cb869f42d9744fa3286b04b1d083ca7 (4 x Amadey, 1 x Stop, 1 x TeamBot)
ssdeep: 6144:KuoFMf8kBfURCidAwGw6DHQuJ8IWtaOgFlO:Kuo08kBf5itGwY38IsaDO
Threatray: 131 similar samples on MalwareBazaar
TLSH: T17E740180B692FF62E56206B45930C5E469FEBC648F95C2DB31142FAFAD312D09B63353
TrID: 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 80069070285c5c20 (1 x Vidar)
Reporter: JaffaCakes118
Tags: vidar

Intelligence


File Origin
# of uploads: 1
# of downloads: 110
Origin country: GB

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Ruzvelt.exe
Verdict: Malicious activity
Analysis date: 2023-05-13 23:18:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Behavior that indicates a threat
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware mikey packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2023-04-21 19:07:59 UTC
File Type: PE (Exe)
Extracted files: 24
AV detection: 31 of 37 (83.78%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:2234cb18bdcd93ea6f4e5f1473025a81 stealer
Behaviour
Modifies system certificate store
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199497218285
https://t.me/tg_duckworld
Unpacked files
SHA256 hash: 86b6471699740e009dd754d8094132adbcbab400b3c04d27f100e82df312bd12
MD5 hash: f8a9a8d2d99d81315230ad03cde33cd2
SHA1 hash: 10c5d88a09581f7d57e87655665a6d2c565969dd
Detections: VidarStealer
Parent samples:
SHA256 hash: d69aa2521826d527ff78c9fff569d344cb4bbb93bb781d4b7e5d1d29ce1ce1a9
MD5 hash: 9a9f46fcecc308ef34b8148038a16596
SHA1 hash: 0fdc279efc090a9b3e421b28d06b8dc0aef0d2b8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: has_telegram_urls
Author: Aaron DeVera <aaron@backchannel.re>
Description: Detects Telegram URLs

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: Telegram_Links

Rule name: Vidar
Author: kevoreilly,rony
Description: Vidar Payload

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

Rule name: win_vidar_a_a901
Author: Johannes Bader
Description: detect unpacked Vidar samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Vidar
Executable exe d69aa2521826d527ff78c9fff569d344cb4bbb93bb781d4b7e5d1d29ce1ce1a9 (this sample)

Delivery method: Distributed via web download

Comments