MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3
SHA3-384 hash: 42a7be44aea5c6a79b8b75efe6982c587f8fbe82e053fcbb65dcb092c629d54f656ec6210830494db5a42938c39b9778
SHA1 hash: 26f10c7ce6a266b1bffd59e8fb255045bdc54870
MD5 hash: 597e7e45fa20e700533ab90dee919669
humanhash: south-cat-green-enemy
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:1'901'568 bytes
First seen:2023-04-19 14:06:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:xDHIukMDIbvoCFNLn8t5t3tFK9e9NrZj//RnHTm1WpzTu5BEvBh7G9tz0RFH6B3Y:hISebLeF4Yh18sGU
Threatray 562 similar samples on MalwareBazaar
TLSH T17E95CF72038FFED16BF69C45E842231C0D846DBB6358D154F9C8D68F25AAA58FD86CB0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter jstrosch
Tags:.NET exe MSIL vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-04-19 14:10:57 UTC
Tags:
stealer vidar trojan rat azorult loader
Link:
https://app.any.run/tasks/9c88e858-93a0-4022-85f8-c31c7fda08a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383307/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.27167.30308.19827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint packed stealer
Link:
https://www.filescan.io/uploads/643ff589000396b4e9997c26/reports/5a56da8b-38bf-4158-b122-ccf58cde2e27/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb1eb590-5959-4471-b855-5c3f3300ed3d
Result
Threat name:
Azorult, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217537
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850478 Sample: file.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 91 Snort IDS alert for network traffic 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 Antivirus detection for URL or domain 2->95 97 11 other signatures 2->97 10 file.exe 1 2->10         started        14 45049875709617228927.exe 2->14         started        16 45049875709617228927.exe 2->16         started        process3 file4 81 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 10->81 dropped 109 Self deletion via cmd or bat file 10->109 111 Injects a PE file into a foreign processes 10->111 18 file.exe 25 10->18         started        23 file.exe 10->23         started        113 Multi AV Scanner detection for dropped file 14->113 115 Modifies the context of a thread in another process (thread injection) 14->115 25 cmd.exe 14->25         started        27 45049875709617228927.exe 14->27         started        signatures5 process6 dnsIp7 83 116.203.164.194, 49704, 80 HETZNER-ASDE Germany 18->83 85 t.me 149.154.167.99, 443, 49703 TELEGRAMRU United Kingdom 18->85 87 3 other IPs or domains 18->87 63 C:\Users\user\AppData\Local\...\azoa[1].exe, PE32 18->63 dropped 65 C:\Users\user\AppData\Local\...\pm[1].exe, PE32+ 18->65 dropped 67 C:\ProgramData\45049875709617228927.exe, PE32+ 18->67 dropped 69 C:\ProgramData\10580853069755748115.exe, PE32 18->69 dropped 99 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->99 101 Self deletion via cmd or bat file 18->101 103 Tries to harvest and steal browser information (history, passwords, etc) 18->103 105 Tries to steal Crypto Currency Wallets 18->105 29 10580853069755748115.exe 1 18->29         started        32 45049875709617228927.exe 2 18->32         started        34 cmd.exe 1 18->34         started        107 Encrypted powershell cmdline option found 25->107 36 conhost.exe 25->36         started        38 powershell.exe 25->38         started        file8 signatures9 process10 signatures11 119 Multi AV Scanner detection for dropped file 29->119 121 Machine Learning detection for dropped file 29->121 123 Injects a PE file into a foreign processes 29->123 40 10580853069755748115.exe 62 29->40         started        125 Antivirus detection for dropped file 32->125 127 Modifies the context of a thread in another process (thread injection) 32->127 44 cmd.exe 32->44         started        47 45049875709617228927.exe 32->47         started        49 conhost.exe 34->49         started        51 timeout.exe 1 34->51         started        process12 dnsIp13 89 icanda.ac.ug 40->89 71 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 40->71 dropped 73 C:\Users\user\AppData\Local\...\nssdbm3.dll, PE32 40->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 40->75 dropped 79 45 other files (2 malicious) 40->79 dropped 53 cmd.exe 40->53         started        117 Encrypted powershell cmdline option found 44->117 55 conhost.exe 44->55         started        57 powershell.exe 44->57         started        77 C:\Users\user\...\45049875709617228927.exe, PE32+ 47->77 dropped file14 signatures15 process16 process17 59 conhost.exe 53->59         started        61 timeout.exe 53->61         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 13:24:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3g2jr6xqdopllgdwdek2n7bpwty2wiyx2nkdjc5muz4uomh5cxjq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0cff8404e73906f3a4932e145bf57fae7a0e66a7d7952416161a5d9bb9752fd8
Vidar
159d98362df9853029651ed00cc363dbada760b2427150ffa23e7827e205b882
Vidar
1ff771de93f1b7a1824949621e743f0207b199b96151fb288474a7e8a2435e1d
Vidar
26b9cdc2b963ebb36d2a5c4ff6dc5e1ba49ff150fc0f179c92d71d22d275ee7f
Vidar
30afc0e58f7baf65a4e29aa3d556f7f3544542af0beadc5e670f8ce413dc682b
Vidar
320c842b7668314d60fe11232d050805503a1df1c8c40005efa1759aeecdadab
Vidar
922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8
Vidar
963f054c289e0855e2d119fa2e290bcc3a1d7787c60ed226fb6512b52b3750c5
Vidar
c7554a7609cf9428545460211a203ed575173798679198a502fe847bff3cc044
Vidar
d7c42165fa7492a009949e9215003a22792aa8a1483ec9d4f82d6b288a2bf610
Vidar
+ 552 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:bbee3401930f10e95914ad2b6f71c79d discovery spyware stealer
Link:
https://tria.ge/reports/230419-rez5yacg8v/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199497218285
https://t.me/tg_duckworld
Unpacked files
SH256 hash:
d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3
MD5 hash:
597e7e45fa20e700533ab90dee919669
SHA1 hash:
26f10c7ce6a266b1bffd59e8fb255045bdc54870
Link:
https://www.unpac.me/results/502a4a5b-6a03-427d-959f-80591c4bf8fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
vidar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Links
Create hunting rule
Rule name:win_vidar_a_a901
Create hunting rule
Author:Johannes Bader
Description:detect unpacked Vidar samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2254177/
  
URLhaus
https://urlhaus.abuse.ch/url/2141170/
  
URLhaus
https://urlhaus.abuse.ch/url/2578024/
  
URLhaus
https://urlhaus.abuse.ch/url/1539152/
  
URLhaus
https://urlhaus.abuse.ch/url/1596393/
  
URLhaus
https://urlhaus.abuse.ch/url/1514313/
  
URLhaus
https://urlhaus.abuse.ch/url/2271067/
  
URLhaus
https://urlhaus.abuse.ch/url/1514098/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/2257588/
  
URLhaus
https://urlhaus.abuse.ch/url/2254174/
  
URLhaus
https://urlhaus.abuse.ch/url/2441296/
Cape
Cape
https://www.capesandbox.com/analysis/383307/

Comments