MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d7e8ecfbb9b6b70ac2314516226c94a32ccaba6c31aa4da4a52fa07c2cf22cd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Vidar
Vendor detections: 15
| SHA256 hash: | d7e8ecfbb9b6b70ac2314516226c94a32ccaba6c31aa4da4a52fa07c2cf22cd4 |
|---|---|
| SHA3-384 hash: | 156aebeb8ad0b6fa741946565e772c6563bb3075775e70812085ceaaeda6c467e7cf0bd7e2bcaf67d8b4fdcedc0e459b |
| SHA1 hash: | 61e9ee541aac8aea077daedd1f31497b0bec2ab4 |
| MD5 hash: | 81a8c700d5bdd648c2848050da4edc4b |
| humanhash: | nevada-tango-fanta-kentucky |
| File name: | lyjdfjthawd.exe |
| Download: | download sample |
| Signature | Vidar |
| File size: | 281'600 bytes |
| First seen: | 2024-11-30 21:33:44 UTC |
| Last seen: | 2024-12-17 06:37:50 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 0b8c3b7f5974cb002243977711d52689 (4 x Vidar) |
| ssdeep | 6144:Ch0ZpFC4sffny7TuLBdZlT4DIJYdy3I8ioyrN:Ch0ZpFCfB3TGyYy3ziBZ |
| TLSH | T1BB548D1163607C3BF2225074B70D97768A6B7C342A529F0BFBD50675AFF42E2AA1071B |
| TrID | 56.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 16.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 4.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.4% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| Reporter |  aachum |
| Tags: | exe vidar |
iamaachum
https://github.com/olosha1/oparik/blob/main/lyjdfjthawd.exeVidar C2:
https://t.me/fu4chmo
https://steamcommunity.com/profiles/76561199802540894
Intelligence
File Origin
# of uploads :
3
# of downloads :
396
Origin country :
ESVendor Threat Intelligence
Malware family:
amadey
ID:
1
File name:
inv.zip
Verdict:
Malicious activity
Analysis date:
2024-11-30 21:22:00 UTC
Tags:
arch-exec stealer stealc loader amadey botnet vidar upx rdp netreactor telegram lumma
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
emotet virus shell sage
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Labled as:
Zusy.Generic
Verdict:
Malicious
Result
Threat name:
Stealc, Vidar
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Searches for specific processes (likely to inject)
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2024-11-22 12:04:14 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
29 of 38 (76.32%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
vidar
Score:
10/10
Tags:
family:stealc family:vidar botnet:0174ec9d0ab5d3dd4d0bbe7415cfa10c discovery stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks installed software on the system
Checks computer location settings
Deletes itself
Detect Vidar Stealer
Stealc
Stealc family
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/fu4chmo
https://steamcommunity.com/profiles/76561199802540894
https://steamcommunity.com/profiles/76561199802540894
Verdict:
Malicious
Tags:
trojan stealer vidar stealc Win.Malware.Trojanx-10020177-0
YARA:
Windows_Generic_Threat_c374cd85 CAPE_Stealc EXE_Vidar_May_2024 Stealc
Unpacked files
SH256 hash:
d7e8ecfbb9b6b70ac2314516226c94a32ccaba6c31aa4da4a52fa07c2cf22cd4
MD5 hash:
81a8c700d5bdd648c2848050da4edc4b
SHA1 hash:
61e9ee541aac8aea077daedd1f31497b0bec2ab4
Detections:
VidarStealer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Check_Dlls |
|---|
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerException__SetConsoleCtrl |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Detect_PowerShell_Obfuscation |
|---|---|
| Author: | daniyyell |
| Description: | Detects obfuscated PowerShell commands commonly used in malicious scripts. |
| Rule name: | has_telegram_urls |
|---|---|
| Author: | Aaron DeVera<aaron@backchannel.re> |
| Description: | Detects Telegram URLs |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows executables referencing non-Windows User-Agents |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion |
| Rule name: | RansomPyShield_Antiransomware |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP) |
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | Stealc |
|---|---|
| Author: | kevoreilly |
| Description: | Stealc Payload |
| Rule name: | Stealc_unpacked_PulseIntel |
|---|---|
| Author: | PulseIntel |
| Description: | Stealc Payload |
| Rule name: | Stealer_Stealc |
|---|---|
| Author: | Still |
| Description: | attempts to match instructions/strings found in Stealc |
| Rule name: | ThreadControl__Context |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Vidar_unpacked_PulseIntel |
|---|---|
| Author: | PulseIntel |
| Description: | Vidar Payload |
| Rule name: | Windows_Generic_Threat_2bba6bae |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_Vidar_65d3d7e5 |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_Vidar_c374cd85 |
|---|---|
| Author: | Elastic Security |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity |
| SHELL_API | Manipulates System Shell | SHELL32.dll::SHFileOperationA |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA KERNEL32.dll::OpenProcess KERNEL32.dll::VirtualAllocExNuma KERNEL32.dll::VirtualAllocEx KERNEL32.dll::WriteProcessMemory KERNEL32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::SetConsoleCtrlHandler |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileMappingA KERNEL32.dll::FindFirstFileA |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameA ADVAPI32.dll::GetUserNameA |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegGetValueA ADVAPI32.dll::RegOpenKeyExA |
| WIN_SOCK_API | Uses Network to send and receive data | WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo |
| WIN_USER_API | Performs GUI Actions | USER32.dll::CloseDesktop USER32.dll::OpenInputDesktop |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.