MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 daeb55142c78a55a7f9b43b839d3d0708c8f0739fe260366070330876e72a340. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 11



SHA256 hash: daeb55142c78a55a7f9b43b839d3d0708c8f0739fe260366070330876e72a340
SHA3-384 hash: 318c565d997f26d24730b3f89f3124fb29084ef721bd435026b6ea155bb26db1a30604c12652bc4fb346a113b3ba1b89
SHA1 hash: 8c0c72037da2f61a8d59992616f04fe348a26b72
MD5 hash: a5662362d94475dcaf41d9b176d2b7d9
humanhash: tennessee-golf-magnesium-four
File name: a5662362d94475dcaf41d9b176d2b7d9.msi
Signature Vidar
File size: 7'589'888 bytes
First seen: 2023-03-04 08:02:19 UTC
Last seen: 2023-03-04 09:31:52 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 196608:IWhQpbkME/PTDYQ4n0i7oh+9iieNQOYfBSCo4Pz:EKzP6d7oUiilSj6z
Threatray 529 similar samples on MalwareBazaar
TLSH T15976CCD13B44C127D94729754E67A39E6B1DFCD1AA30B08B7360F72E5A38AD3AC69301
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170); 1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags: msi vidar
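Before analysing a copy of this sample, confirm that the bytes you have are the file this entry describes. The script below is an added example for this page, not MalwareBazaar's own tooling: it computes the four digests listed above over a local file in one pass, compares them and the file size with the values on the entry, and checks the OLE2 compound-file header that the TrID line identifies (an MSI is a CFB container). The path given on the command line is a hypothetical local copy of the downloaded sample.

```python
"""Verify a local copy of this sample against the hashes published on the entry.

Added example for this page, not MalwareBazaar's own tooling. The digests,
size and container type are the values listed on the entry; the path passed
on the command line is a hypothetical local copy of the downloaded sample.
"""
import hashlib
import io
import sys

# Digests published on the MalwareBazaar entry for this Vidar MSI.
EXPECTED_HASHES = {
    "md5": "a5662362d94475dcaf41d9b176d2b7d9",
    "sha1": "8c0c72037da2f61a8d59992616f04fe348a26b72",
    "sha256": "daeb55142c78a55a7f9b43b839d3d0708c8f0739fe260366070330876e72a340",
    "sha3_384": "318c565d997f26d24730b3f89f3124fb29084ef721bd435026b6ea155bb26db1"
                "a30604c12652bc4fb346a113b3ba1b89",
}
EXPECTED_SIZE = 7589888  # "File size: 7'589'888 bytes" on the entry

# An MSI is an OLE2 / Compound File Binary container; this is the CFB header
# signature (the TrID line on the entry identifies the same container type).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def digest_stream(stream, chunk_size=1 << 20):
    """Compute the four digests listed on the entry in a single pass.

    All four hashers are fed the same chunks, so the file is read once
    regardless of how many digests are requested.
    """
    hashers = {name: hashlib.new(name) for name in EXPECTED_HASHES}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def check_sample(data, expected=EXPECTED_HASHES, expected_size=EXPECTED_SIZE):
    """Return a list of mismatches; an empty list means the bytes are the listed sample.

    Size and container magic are checked first because they are cheap and
    catch the usual mistakes (a still-zipped download, a truncated transfer)
    before any hashing is done.
    """
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != {expected_size}")
    if not data.startswith(OLE2_MAGIC):
        problems.append("not an OLE2 compound file (MSI container magic missing)")
    got = digest_bytes(data)
    for name, want in expected.items():
        if got[name] != want.lower():
            problems.append(f"{name} mismatch: got {got[name]}")
    return problems


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-local-copy>   (path is hypothetical)
    with open(sys.argv[1], "rb") as f:
        sample = f.read()
    issues = check_sample(sample)
    print("match: file is the listed sample" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Comparing all four digests is deliberate: MD5 and SHA-1 are what most older reports and AV logs quote, while SHA-256 is the key MalwareBazaar uses, so a mismatch on one but not the others usually means a report was copied from a different build of the same family rather than this file.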

Intelligence


File Origin
# of uploads: 2
# of downloads: 97
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm CAB cmd.exe expand.exe explorer.exe fingerprint greyware installer keylogger packed shell32.dll stealer warp zusy
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 819944
Sample: am82bSh54P.msi
Start date: 04/03/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures

Process tree recovered from the graph (sample -> msiexec.exe -> Ms Stable.exe -> RegSvcs.exe):
msiexec.exe (first instance, started from the sample)
    dropped: C:\Windows\Installer\MSIDB52.tmp (PE32)
    msiexec.exe (child)
        Ms Stable.exe
            signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
            RegSvcs.exe (started by Ms Stable.exe; carries the stealer behaviour)
                network: t.me 149.154.167.99:443 (TELEGRAMRU, United Kingdom; local port 49175); 89.40.14.155:80 (RACKRAYUABRakrejusLT, Lithuania; local port 49180); 49.12.112.48 (HETZNER-ASDE, Germany; local ports 49176, 49177, 49179, remote port not shown)
                dropped: C:\ProgramData\softokn3.dll (PE32); C:\ProgramData\nss3.dll (PE32); C:\ProgramData\mozglue.dll (PE32); 3 other files (1 malicious)
                signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
        expand.exe
            dropped: C:\Users\user\...\Ms Stable.exe (copy) (PE32); C:\...\8f3ea979e5b4ee4e8e5151fea826d601.tmp (PE32)
        icacls.exe
        2 other processes
msiexec.exe (second instance, started from the sample)
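The sandbox run recorded three things a defender can hunt for in endpoint telemetry: outbound connections from RegSvcs.exe to t.me, 89.40.14.155 and 49.12.112.48; the Mozilla NSS libraries softokn3.dll, nss3.dll and mozglue.dll written to C:\ProgramData (a stealer needs them to decrypt Firefox credential stores); and RegSvcs.exe, a legitimate .NET utility, being used as the process that carries the stealer behaviour. The script below is an added example for this page, not MalwareBazaar's or any sandbox vendor's code. Its log line format and the sample lines are constructed, not real telemetry, and it goes one step beyond the entry's own IOCs by also flagging any network activity from RegSvcs.exe, an assumption-based behavioural rule that is noisier than the IP list but survives a C2 rotation. The listed IPs are tied to this 2023-03-04 run; treat them as a starting point, not a durable signature.

```python
"""Hunt endpoint telemetry for the indicators recorded in the sandbox run above.

Added example for this page, not MalwareBazaar's or any sandbox vendor's code.
The IP addresses, domain, dropped file names and the RegSvcs.exe host process
come from the behaviour graph on this entry. The log line format and the
sample lines are constructed for the example and are not real telemetry.
"""
import re
from dataclasses import dataclass

# Hosts contacted by the RegSvcs.exe process in the sandbox run.
C2_IPS = {"149.154.167.99", "89.40.14.155", "49.12.112.48"}
C2_DOMAINS = {"t.me"}
# Mozilla NSS libraries the stealer dropped into C:\ProgramData (listed as
# dropped files on the entry); a stealer loads them to decrypt browser stores.
NSS_DLLS = {"softokn3.dll", "nss3.dll", "mozglue.dll"}
# Legitimate .NET utility that carried the stealer behaviour in the sandbox.
INJECTION_HOST = "regsvcs.exe"

# Constructed line format (hypothetical):
#   <timestamp> <event> pid=<n> image="<process path>" [target="<path or host:port>"]
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<event>\w+)\s+pid=(?P<pid>\d+)\s+image="(?P<image>[^"]*)"'
    r'(?:\s+target="(?P<target>[^"]*)")?'
)


@dataclass
class Hit:
    ts: str
    pid: str
    rule: str
    detail: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(lines):
    """Return rule hits for an iterable of log lines.

    Three checks, each tied to something observed in the sandbox:
      vidar_c2          outbound connection to a listed IP or domain
      regsvcs_outbound  RegSvcs.exe making any other network connection
                        (assumed heuristic: it has no reason to talk out)
      nss_dll_drop      an NSS DLL written under the ProgramData directory
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these
        ev = m.groupdict()
        image = basename(ev["image"])
        target = ev["target"] or ""
        if ev["event"] == "NetConnect":
            host = target.rsplit(":", 1)[0].lower()  # "host:port"; no IPv6 handling
            if host in C2_IPS or host in C2_DOMAINS:
                hits.append(Hit(ev["ts"], ev["pid"], "vidar_c2", f"{image} -> {target}"))
            elif image == INJECTION_HOST:
                hits.append(Hit(ev["ts"], ev["pid"], "regsvcs_outbound", f"{image} -> {target}"))
        elif ev["event"] == "FileCreate":
            if basename(target) in NSS_DLLS and target.lower().startswith("c:\\programdata\\"):
                hits.append(Hit(ev["ts"], ev["pid"], "nss_dll_drop", f"{image} wrote {target}"))
    return hits


# Constructed sample telemetry mirroring the sandbox process chain; not real data.
_REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_LOG = [
    r'2023-03-04T08:02:20Z ProcessCreate pid=1234 image="C:\Windows\System32\msiexec.exe"',
    r'2023-03-04T08:02:21Z FileCreate pid=1234 image="C:\Windows\System32\msiexec.exe" target="C:\Windows\Installer\MSIDB52.tmp"',
    r'2023-03-04T08:02:25Z ProcessCreate pid=2222 image="C:\Users\user\AppData\Local\Temp\Ms Stable.exe"',
    f'2023-03-04T08:02:26Z ProcessCreate pid=3333 image="{_REGSVCS}"',
    f'2023-03-04T08:02:27Z NetConnect pid=3333 image="{_REGSVCS}" target="t.me:443"',
    f'2023-03-04T08:02:28Z NetConnect pid=3333 image="{_REGSVCS}" target="89.40.14.155:80"',
    f'2023-03-04T08:02:29Z NetConnect pid=3333 image="{_REGSVCS}" target="198.51.100.7:443"',
    f'2023-03-04T08:02:30Z FileCreate pid=3333 image="{_REGSVCS}" target="C:\\ProgramData\\nss3.dll"',
    f'2023-03-04T08:02:30Z FileCreate pid=3333 image="{_REGSVCS}" target="C:\\ProgramData\\softokn3.dll"',
    # Benign noise: a browser talking to an unrelated host, and a Firefox
    # installer writing nss3.dll into its own directory rather than ProgramData.
    r'2023-03-04T08:03:00Z NetConnect pid=4444 image="C:\Program Files\Mozilla Firefox\firefox.exe" target="203.0.113.10:443"',
    r'2023-03-04T08:03:05Z FileCreate pid=5555 image="C:\Program Files\Mozilla Firefox\setup.exe" target="C:\Program Files\Mozilla Firefox\nss3.dll"',
]


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.ts} pid={h.pid} {h.rule}: {h.detail}")
```

The nss_dll_drop rule is scoped to C:\ProgramData on purpose: Firefox and Thunderbird ship the same three DLLs in their own install directories, so matching on file name alone would fire on every browser update.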
Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2023-03-04 00:36:15 UTC
File Type: Binary (Archive)
Extracted files: 303
AV detection: 14 of 37 (37.84%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar discovery stealer
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments