MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d86b56fbb2ae739877ad2143f719b0c60df88b6d773c9f837f8490fb157ec165. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d86b56fbb2ae739877ad2143f719b0c60df88b6d773c9f837f8490fb157ec165
SHA3-384 hash: 4fee77bf1ba9ad08e0981b77dcec3168d0b44f400dce5e99f28effa1a7b237ef9fee99d5907e78ed0578e82f4dcddd57
SHA1 hash: 35a394fa59c20bb287042ca3ffeb04790f326adc
MD5 hash: 26dd92feac1784ff3f12909b08670ed7
humanhash: utah-cardinal-fillet-hotel
File name:setup.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:422'400 bytes
First seen:2023-03-22 19:17:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cf1b6413c528ef7f498e62f16d8472be (3 x RedLineStealer, 1 x Vidar)
ssdeep 12288:TYJwxoVwcezd5BsKWc0ULs9AilN5gfpDx+:TCVwTd5mVc0ULs9AiuhD
Threatray 487 similar samples on MalwareBazaar
TLSH T18B94E06A2AB19062F84AC23C4CF471E0476592B7E394F2CC1AC575DB7D714B3A3BA20D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2023-03-22 19:20:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c12b8615-6af6-4f01-ae69-64d0cde4ab8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376648/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/641b546bc60b3295f52cb375/reports/41842db6-0233-4fea-9967-f6eb04a10451/overview
Verdict:
Malicious
Labled as:
Trojan.Heur2.FU.Generic
Link:
https://www.hybrid-analysis.com/sample/d86b56fbb2ae739877ad2143f719b0c60df88b6d773c9f837f8490fb157ec165
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/043ea677-e171-4c41-84ca-cbf076accf23
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1199771
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 832683 Sample: setup.exe Startdate: 22/03/2023 Architecture: WINDOWS Score: 92 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected Vidar stealer 2->53 55 C2 URLs / IPs found in malware configuration 2->55 57 2 other signatures 2->57 10 setup.exe 1 2->10         started        process3 signatures4 61 Writes to foreign memory regions 10->61 63 Allocates memory in foreign processes 10->63 65 Injects a PE file into a foreign processes 10->65 13 AppLaunch.exe 22 10->13         started        18 WerFault.exe 24 9 10->18         started        20 conhost.exe 10->20         started        process5 dnsIp6 45 t.me 149.154.167.99, 443, 49701 TELEGRAMRU United Kingdom 13->45 47 195.201.45.203, 49703, 80 HETZNER-ASDE Germany 13->47 49 cdn.discordapp.com 162.159.129.233, 443, 49712 CLOUDFLARENETUS United States 13->49 39 C:\ProgramData\33852441693561565985.exe, PE32+ 13->39 dropped 41 C:\Users\user\AppData\...\5339845679[1].exe, PE32+ 13->41 dropped 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->67 69 Tries to harvest and steal browser information (history, passwords, etc) 13->69 71 Tries to steal Crypto Currency Wallets 13->71 22 33852441693561565985.exe 13->22         started        25 cmd.exe 1 13->25         started        43 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->43 dropped file7 signatures8 process9 signatures10 59 Tries to harvest and steal browser information (history, passwords, etc) 22->59 27 cmd.exe 1 22->27         started        29 conhost.exe 25->29         started        31 timeout.exe 1 25->31         started        process11 process12 33 choice.exe 1 27->33         started        35 conhost.exe 27->35         started        process13 37 conhost.exe 33->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d86b56fbb2ae739877ad2143f719b0c60df88b6d773c9f837f8490fb157ec165/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 19:18:07 UTC
File Type:
PE (Exe)
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3bvvn65svzzzq55nefb7ognqyyg7rc3no46j7a37qsipwfl6yfsq._file
Verdict:
malicious
Similar samples:
22e2b816a20424bb37abf9cfc22605709173aa4208b9e383fe10266469b2f916
Vidar
3938e9e23562cf722e3bb98f6289351ff1ce0938f65177d3b581de5c763e90c4
Vidar
3e38c14c9a27966b7768fa6a61a0bc86b79fdf8f554d232c26d0a13cd8dcdc36
Vidar
67dd0268cb9b122574629662f97f6d56ffca8e7d478f38be141ac02131708730
Vidar
733501d537884cca4a051c6669c594411f55c910a4b71a0d31e5c622641b841d
Vidar
807dba280d2922afbdb7334fe3e0a602f59dcf597276c6b4948e8140090bc19b
Vidar
89e18340e51790ee07e1c6845a93f737ef6be8470e5a1158aef24539658eb235
Vidar
8f0d2909498e32a88ea7a3873958edd5456e0d9d3e766ce7c8bcc303f67d8984
Vidar
9d15c54e65741f34b06c222b5c115f51eb42f3b7085fc6af0e85132c2c299e5e
Vidar
b5b6c61866f1fa1ac5dfb9c2e93888ba463c56d39d535576f46eefac70a4e5d6
Vidar
+ 477 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar spyware stealer upx
Link:
https://tria.ge/reports/230322-xzyqhacg6z/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199472266392
Unpacked files
SH256 hash:
f53f556f93c52e0041464f2bd2b4fd2d28318005a6d3002e5cd1b23a95e7ff20
MD5 hash:
93b442e7d4f4d5511c8e4de9aba1faa7
SHA1 hash:
7d71c5ccaf8a37746cc923a85d08f4ca44bac487
Link:
https://www.unpac.me/results/70af14a1-925b-40e5-9a2e-a998559e7ae5/
SH256 hash:
d86b56fbb2ae739877ad2143f719b0c60df88b6d773c9f837f8490fb157ec165
MD5 hash:
26dd92feac1784ff3f12909b08670ed7
SHA1 hash:
35a394fa59c20bb287042ca3ffeb04790f326adc
Link:
https://www.unpac.me/results/70af14a1-925b-40e5-9a2e-a998559e7ae5/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d86b56fbb2ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:Telegram_Links
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/376648/

Comments