MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 15

SHA256 hash: d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6
SHA3-384 hash: e2f1b8ad5d1dc02248081eee7cffc5423efa9111553b120eb2aa724644d2164852654018f0f92e44e23b0ff20df5967b
SHA1 hash: 2f993c6a8499b360dec51240d0b6c5faff561c80
MD5 hash: c57c72458776a0b6a653f6c828c229f2
humanhash: gee-fanta-coffee-batman
File name: random.exe
Signature: Vidar
File size: 10'584'064 bytes
First seen: 2025-02-01 20:40:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 768:BQYZRf5c58TQppBw0t/9edP/IX6X/Ab0t/9eR:sdo/GX6Xk/R
TLSH: T1BEB664DB369A9044C89C4AB682A3E5815A323E7C5F3976EA27D8339C5F3B0C0E147577
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 30e8ccdcccd4dcd4 (1 x Vidar)
Reporter: aachum
Tags: exe vidar


Comment by iamaachum:
http://185.215.113.97/files/sunnywebZ/random.exe

Vidar C2:
https://t.me/m08mbk
https://steamcommunity.com/profiles/76561199820567237
https://getyour.cyou/
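The indicators in the reporter's comment above (the download URL and the three Vidar C2 entries; the sandbox config extraction further down lists the same t.me and steamcommunity.com resolvers) are only useful if they are matched the right way: t.me and steamcommunity.com are legitimate services used as dead-drop resolvers, so they have to be matched on host plus path, not on host alone. The following is an added example, not MalwareBazaar's or the reporter's code; the proxy log format, the client addresses and the log lines themselves are constructed for the example.

```python
"""Match the indicators on this entry against proxy log lines.

Added example (not MalwareBazaar's or the reporter's code). The Vidar C2 list
points at t.me and steamcommunity.com, which are dead-drop resolvers hosted on
legitimate services: blocking those domains would break benign traffic, so they
are matched on host plus normalized URL path, while attacker-controlled hosts
and the download IP are matched on host alone. The log format and client
addresses below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Hosts/IPs taken from this entry that are attacker-controlled or dedicated
# to the download: a host match alone is a hit.
HOST_IOCS = {
    "185.215.113.97",   # download URL for random.exe (reporter comment)
    "getyour.cyou",     # Vidar C2 listed by the reporter
    "huloar.live",      # contacted by MSBuild.exe in the sandbox run
    "116.202.5.153",    # resolution of huloar.live seen in the sandbox
    "147.45.44.42",     # contacted by the initial process in the sandbox
}
# Dead drops on legitimate services: (bare host, path), matched on both.
DEADDROP_IOCS = {
    ("t.me", "/m08mbk"),
    ("steamcommunity.com", "/profiles/76561199820567237"),
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    url: str
    kind: str  # "host" or "deaddrop"


def classify_url(url: str) -> Optional[str]:
    """Return "host", "deaddrop" or None for one request URL or CONNECT target."""
    if "://" not in url:
        url = "//" + url          # CONNECT host:port has no scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    if host in HOST_IOCS:
        return "host"
    bare = host[4:] if host.startswith("www.") else host
    if (bare, path) in DEADDROP_IOCS:
        return "deaddrop"
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Assumed line layout: <timestamp> <client> <method> <url> <status>."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue              # malformed line: skip rather than crash
        _ts, client, _method, url = fields[:4]
        kind = classify_url(url)
        if kind:
            hits.append(Hit(n, client, url, kind))
    return hits


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    "2025-02-01T20:41:02Z 10.0.0.5 GET http://185.215.113.97/files/sunnywebZ/random.exe 200",
    "2025-02-01T20:41:09Z 10.0.0.5 GET https://t.me/m08mbk 200",
    "2025-02-01T20:41:10Z 10.0.0.7 GET https://t.me/some_benign_channel 200",
    "2025-02-01T20:41:11Z 10.0.0.5 GET https://steamcommunity.com/profiles/76561199820567237/ 200",
    "2025-02-01T20:41:12Z 10.0.0.9 GET https://steamcommunity.com/profiles/123 200",
    "2025-02-01T20:41:15Z 10.0.0.5 CONNECT huloar.live:443 200",
    "bad line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.url} [{hit.kind}]")
```

Only the two requests to the exact dead-drop paths and the two attacker-controlled hosts are reported; the benign t.me channel and the unrelated Steam profile pass through. Note that these resolvers are rotated by the operators, so the t.me and Steam entries age quickly, while the download host and huloar.live are the more durable pivots from this entry.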

Intelligence


File Origin
# of uploads:
1
# of downloads:
493
Origin country:
ES
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
dcf95c94c1f8bf06dc0e56d32075ec4b.exe
Verdict:
Malicious activity
Analysis date:
2025-02-01 16:23:18 UTC
Tags:
stealer lumma loader themida stealc amadey botnet telegram auto generic gcleaner autoit evasion remote xworm rat asyncrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
micro virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a file
Creating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Compiles code to access protected / encrypted code
Creates HTML files with .exe extension (expired dropper behavior)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 1603227; sample SoftWareGX.exe; start date 30/01/2025; architecture WINDOWS; score 100)
Top-level network: huloar.live; www.dropbox.com; 3 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree (sandbox node numbers in parentheses):
SoftWareGX.exe (9)
  network: 147.45.44.42:80 (FREE-NET-AS FREEnet EU, Russian Federation), local port 49706
  dropped: C:\Users\user\AppData\Local\...\yomkssf4.0.cs (Unicode); C:\Users\user\AppData\...\m3uz1vzd.cmdline (Unicode); C:\Users\user\AppData\Local\...\m3uz1vzd.0.cs (Unicode)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Compiles code to access protected / encrypted code; 2 other signatures
  MSBuild.exe (16)
    network: huloar.live 116.202.5.153:443 (HETZNER-AS DE, Germany), local ports 49708, 49709; t.me 149.154.167.99:443 (TELEGRAM RU, United Kingdom), local port 49707; 2 other IPs or domains
    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 3 other signatures
    msedge.exe (35): Monitors registry run keys for changes
      msedge.exe (51)
    chrome.exe (38)
      network: 192.168.2.16 ports 138, 443, 49706 (unknown); 239.255.255.250 (reserved)
      chrome.exe (53)
        network: plus.l.google.com 172.217.16.142:443 (GOOGLE US, United States), local port 49728; play.google.com 172.217.23.110:443 (GOOGLE US, United States), local port 49733; 2 other IPs or domains
    cmd.exe (41)
      conhost.exe (56)
      timeout.exe (58)
  MSBuild.exe (20): Attempt to bypass Chrome Application-Bound Encryption; Creates HTML files with .exe extension (expired dropper behavior)
  csc.exe (22)
    dropped: C:\Users\user\AppData\Local\...\yomkssf4.dll (PE32)
    conhost.exe (43)
    cvtres.exe (45)
  2 other processes (33)
    dropped: C:\Users\user\AppData\Local\...\m3uz1vzd.dll (PE32)
    conhost.exe (47)
    cvtres.exe (49)
msedge.exe (14)
  dropped: C:\Users\user\AppData\Local\...\History (SQLite)
  msedge.exe (25)
    network: 23.51.89.40:443 (VODAFONE-AS-AP Vodafone Australia Pty Ltd AU, United States), local port 50200; 23.51.56.9:443 (TMNET-AS-AP TM Net Internet Service Provider MY, United States), local port 50248; 51 other IPs or domains
  msedge.exe (27), msedge.exe (29), msedge.exe (31)
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2025-01-30 19:50:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:vidar discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Downloads MZ/PE file
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/m08mbk
https://steamcommunity.com/profiles/76561199820567237
Verdict:
Suspicious
Tags:
stealc
YARA:
n/a
Unpacked files
SHA256 hash:
d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6
MD5 hash:
c57c72458776a0b6a653f6c828c229f2
SHA1 hash:
2f993c6a8499b360dec51240d0b6c5faff561c80
SHA256 hash:
b1f7493fc1041bb3b968075bc8a8a044c6c6dc89832eac0b1e531dd92477dfd2
MD5 hash:
aea3cbf1e0506ffac88558d5f94cf475
SHA1 hash:
30c6337180975aea993a4e8538125985c897b8cb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
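Two of the four YARA hits above (pe_imphash and Skystars_Malware_Imphash) key on the import hash, and the file information block shows why that carries no family signal here: the same imphash f34d5f2d4577ed6d9ceec516c1f5a744 is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. A managed (.NET) executable imports exactly one native symbol, mscoree.dll!_CorExeMain, so every .NET binary hashes to the same value. The block below is an added example, not MalwareBazaar's, pefile's or any vendor's code; it reproduces the pefile/VirusTotal imphash algorithm for imports by name (ordinal imports are rendered as ord<N> without pefile's known-DLL ordinal table), and the "native" import list used for contrast is invented.

```python
"""Reproduce the imphash on this entry and show why it is generic for .NET.

Added example, not pefile or MalwareBazaar code. Algorithm as used by pefile /
VirusTotal: lower-case each imported library.function pair, drop a .dll/.ocx/.sys
extension from the library name, join the pairs in import-table order with
commas, MD5 the result. Ordinal imports are written as ord<N> here; pefile also
maps known ordinals (e.g. ws2_32) to names, which this simplified version skips.
"""
import hashlib
from typing import Iterable, Tuple, Union


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Import table of a managed (.NET) EXE: only the CLR loader stub.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed (invented) import table of a native loader, for contrast.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
]

# imphash shown on this MalwareBazaar entry
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def is_generic_dotnet_imphash(h: str) -> bool:
    """True when an imphash only says 'this is a managed PE' and should not
    be used as a family indicator or as the sole trigger of a YARA/IOC match."""
    return h.lower() == imphash(DOTNET_IMPORTS)


if __name__ == "__main__":
    print("dotnet :", imphash(DOTNET_IMPORTS), "generic:", is_generic_dotnet_imphash(PAGE_IMPHASH))
    print("native :", imphash(NATIVE_IMPORTS))
```

For .NET samples, pivot on the unpacked payload's hashes, TLSH, the extracted config or the TypeRef/MemberRef tables instead; the imphash and imphash-based YARA rules will match essentially every managed executable uploaded to the database.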

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
This sample: Vidar, Executable exe d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6
Dropped by: Amadey

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                         Title                                              Severity
CHECK_AUTHENTICODE         Missing Authenticode                               high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)    high
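Both findings come straight from the PE optional header: CHECK_DLL_CHARACTERISTICS reads IMAGE_OPTIONAL_HEADER.DllCharacteristics (GUARD_CF is 0x4000 in winnt.h) and CHECK_AUTHENTICODE checks whether the Security data directory (index 4, the certificate table) is empty. The block below is an added example, not BLint's code; it performs the same two checks on header-only PE images constructed in memory so it runs offline. Reporting the other hardening flags (HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT) as informational findings is this example's own addition, and the severities for them are assumed.

```python
"""Re-check the two BLint findings on this entry from the PE optional header.

Added example, not BLint's code. It reads DllCharacteristics and the Security
(certificate table) data directory, which is what CHECK_DLL_CHARACTERISTICS and
CHECK_AUTHENTICODE are based on. The PE images are constructed here (header
only, no sections) so the script needs no sample file.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from winnt.h
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "NX_COMPAT": 0x0100,
    "GUARD_CF": 0x4000,
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(data: bytes) -> dict:
    """Return DllCharacteristics and the certificate table (file offset, size)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                 # skip signature + COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        dir_base = opt + 96
    elif magic == 0x20B:                    # PE32+
        dir_base = opt + 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both
    n_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]  # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {"dll_characteristics": dll_chars, "security_dir": (sec_off, sec_size)}


def blint_like_findings(data: bytes) -> list:
    """(ID, title, severity) tuples in the vocabulary of the table above.
    Severities for flags other than GUARD_CF are this example's assumption."""
    info = parse_pe(data)
    findings = []
    if info["security_dir"][1] == 0:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    for name, bit in DLL_FLAGS.items():
        if not info["dll_characteristics"] & bit:
            findings.append(("CHECK_DLL_CHARACTERISTICS",
                             f"Missing dll Security Characteristics ({name})",
                             "high" if name == "GUARD_CF" else "info"))
    return findings


def build_pe(pe32plus: bool, dll_characteristics: int, cert_size: int = 0) -> bytes:
    """Constructed header-only PE image for offline testing (not a real sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, 0x0002)                      # EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    dir_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dir_base - 4, 16)
    if cert_size:   # certificate table holds a file offset, not an RVA
        struct.pack_into("<II", opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         64 + 4 + 20 + opt_size, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size


# Constructed stand-ins: a build with the same two gaps as this entry, and a
# signed, fully hardened PE32+ build for contrast.
UNHARDENED_PE32 = build_pe(False, DLL_FLAGS["DYNAMIC_BASE"] | DLL_FLAGS["NX_COMPAT"])
HARDENED_PE32PLUS = build_pe(True, sum(DLL_FLAGS.values()), cert_size=1024)

if __name__ == "__main__":
    for label, image in (("unhardened", UNHARDENED_PE32), ("hardened", HARDENED_PE32PLUS)):
        print(label, blint_like_findings(image))
```

A non-empty certificate table only says a signature blob is present; it says nothing about whether the signature verifies or whether the signer is trusted, so treat CHECK_AUTHENTICODE as a presence check and validate any blob that is there with Get-AuthenticodeSignature or signtool before giving it weight.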
