MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb
SHA3-384 hash:	48cbf1e0c7e83db5e19f3b431f2fd9ac691fba398d24966c3c2e66ebfb17bfcb8fcc7b28286223f4d938f59ab686c93d
SHA1 hash:	6634e4e6aa505114cbf125957001dc56bafe1928
MD5 hash:	6cd2eb2553ba19d387c45537a16547f4
humanhash:	high-river-winner-fillet
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	1'023'920 bytes
First seen:	2024-08-30 06:39:38 UTC
Last seen:	2024-08-30 07:27:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep	24576:nzZuXV9LQk+9SwWtvB8QCZWgvrQG2ygCrLDFcR:nEXbGQvGPvqygCrLDFcR
TLSH	T1FF252304EF2841ABFBA50F315673474ABBE5E84C25830B4B36AD3D31EA834C55E9AF15
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	b96c6c7864c980b0 (1 x Vidar)
Reporter	Bitsight
Tags:	exe vidar

Bitsight

url: http://147.45.44.104/revada/66cef067bb8bb_CoinAccording.exe

Intelligence

File Origin

# of uploads :

# of downloads :

395

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-08-30 06:42:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3cde0683-fc1a-4b75-9249-afee17761f65

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.12891.8120.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66d16945f1a57bfb70915d17

Tags:

Discovery Encryption Execution Generic Network Stealth Trojan Agent

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Launching cmd.exe command interpreter

Creating a process with a hidden window

Moving a file to the %temp% directory

Launching a process

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Running batch commands

Creating a file

Creating a process from a recently created file

Creating a window

DNS request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

installer lolbin microsoft_visual_cc overlay packed shell32

Link:

https://www.filescan.io/uploads/66d169489580eae33c5a115e/reports/5e41ed49-29e0-4852-8010-b09342f6fdaa/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/8548d689-4116-44e3-ab40-e45db225b627

Score:

68%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2024-08-29 14:30:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3yumwwzo32twyanjf2sbnnjubrr4prb2v7bmuc43jwx4nopfds5q._file

Verdict:

unknown

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:057d037117dc13a05f53caea44d69e65 credential_access discovery spyware stealer

Link:

https://tria.ge/reports/240830-he714s1ame/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates processes with tasklist

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Credentials from Password Stores: Credentials from Web Browsers

Detect Vidar Stealer

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199761128941
https://t.me/iyigunl

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8d04e29d-ad51-44a8-abba-254e2e870963

Unpacked files

SH256 hash:

a92031c3f754070e8bca0a769b0c68828ad892aea84e79ea0c5309fc83a2bb0b

MD5 hash:

8dbba0d76f33bfe16abc6c9289329a79

SHA1 hash:

1d04f42c4e79d7af48e478c58c20ac4f610ba83a

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/72c0b707-9ec4-4740-8e3c-aaaa974c5179/

Parent samples :

464e16f6d92d3c9eddeef69f7b1416fefb97817732155fe3549f37986d26fc44
bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295
8febc589fc4de7b009d3e406fddba66e389d5544bc5fad44d03f712ebf6c2bfa
de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb
1ef7ccb345b2132b8e1a38bdef87dd47a0a0588603703ee63a201a9a8b5ba51d
e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42
bf554462c091219488a1a53fff22213df8d9530fa6ff0f59033b0c9ee9173555
7b217c20a30ab1bdc4534f4adb62df226d128ec4d03c0eb2feb5ab35d2b7dc9f
92a24e160937ec00bd6a8e855cd55b9329760131c1412f35b18c92aacc299883
b7763f18a43e9727036d685576fe102901f45fd1b9407395bbc10966a9811d25
d480b6efcf1ccdc3a7cf4c1d22839e27e9701758b19c0a197b049b66bdcfe870
07d538c1cab4f197f08f0d1811a2e3538e373659e25bc08d129fe4caf631048a
049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415
0b3e1e30dae8e83d9e3832c6cb382dcfce5634a3f0d1610c575d890db11c77c7
3ec49e14a495f9bdafb8944db9125c0e8f7f4258c285962df393c8918b0665dd
f5dbb1b4280665ed5d85392c1f7050e4c15764ab222ccc2fbb63b0dcd7846507
b6c12a25d818dde41b6b677104f2f3de495a8175af811b5a71fc91e43c12c3fc
4c05c9ade0f5fa4dda9a53c74f8bc41c3ab59d29203dc11c2f5cc99a5dbf7df1
e5e142eea2e5369d6ddef616cd7acf6816ae9e194a77c00214be8575b983dc2f
891306bc14e8d196e6f229dfe9d713bb1e81af30efe5ea786672648cbe6fd032
69f1a8cbd899c9d340e4543d18fd75f5d2fdaaf1441b6c0c39b1ec2308408162
df4acc3856a25841fd14f01346473c85f5bc578d33daa488f78a59ca5649bef6
d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
4c26dd1754f1bd8da1c39bc2c7721d5bccbd6403d56f0370c53ee4d518167874
c37ae928bbfd115a32dbf0060e1a2d191a06cab66c7251796f1fb7212fc8c8ff
db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c
0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc
6f2c63f929acd8918c8f21f6141d1b13ca35a2b291d2d8d66771c80f481aea49
08f30ece5f7e77a69e58a970b3684c2a0eba1aa203ac97836dad32fc10a15e90
1c2ec4c72c2f31a327b6ba4dfe27a607d311578e25d96cf34c54845eea986f36
913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72
88f8b8834398bc8a18142466e963d14d08898c94aeef62f20209050fb08e7f1d
b8ed5a17150da2a420cc39505357223261437d4e99ce94599a7ffdbbfe71e6cf
c234e9cdff26c9f27b6c6365ffa668fdf4dfdb415694f3a4ab21f50dc3db0fac
48ac733e00c61226d506c26f12f6fdec6b67f3dd0a9f3a5dc6720c4096f8c0c8
35b325cf352fc1c4641f90fcc28bda81a4fa020334ba6d1fb71d06cbfc3ddf57
9ea5419cef3eba4b55697a827fa26e74e6fcc5fa4ff013cc97086d5e9e2d3f50
cbe9ac361320c689ea74990eb5b752c63b9bfec9deeb09ce7cfaaafb6baf41ef
d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf
2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f
2808948b635ccf20d4bf679457e45bfe21a783ec99e095e55382bede47f6579f
1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d
fe4f289171283f597e3bf13a4cc5d2eff0f8606b4afa4db31e2c2ec63842590f
e770d2f423513285e4f7f92dafff648c3ccc9a3623e6134edcd03ac79858d1c8
8ffc2aa27b84ed0736d57be8b45dcc56c817d404b8c4904e795dc51861d281f4
72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545
a6da6ca04ee56f1e10dc25c07f938300fff7b3c1b50abe925b5f2b10b084216b
22fbefa1416f9ccc38791ac6198123e206f4e5b40590fe928f2a4148542c500c
beb7a3127427fa0560207cdb0becfebb2ed1c6d8dad335d3b3266ec741cdd495
8cbbab0078ffa7583aac63129650635a102ceb458dbc0bddf59758a04bfd5fe2
85104c53c0061dd183981df87ad8744c85d8c8c6f044698a1ed98705edaf4117
d731d91b237184f6dee0cfad065acb770ef904a70b4ca7a625f85d0a474a1714
e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6
523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148
5afd5d949b10aa25737aeaf454ae3ad441311a50d0e8aace71ebec8ffe7118cf
986efaa8bb0469535ddac90dbe8cd3e7cd710e9570e7ff2edda7f82b893baa79
9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d
c5c3401f71f4361ed454bbd96ea7cdd8a9132a655815e35e207dfff0ea690469
bc37b8380183870ec6acd56886f3ef4537bf63c71935a094307875e03b0d2bb5
613a067be7f86864c48431c6fe36e2cba8ccec593df598f5e3720e283e280a56
94b4b5b599c81c62f2ea6c44530f0058cf7e42c11ab9b6f16fd78bdfe5a5f44c
065a1a3575aac28ccb77e4d00b18907aab16f8432913425ffcde44abf24ef840
81d6f774c002106258af4350818c9c3687185584c59e1a797b4019bd462a086c
e407bd010e2e640169a2812066864cd837b10506f01316dc2cada9ba64d99428
931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993
8ae2402f1925ee78bdf48ce3cf3e7eebecaaf26c4a45ccc105d6beb735657f31
f34dd7ec6030b1879d60faa8705fa1668adc210ddd52bcb2b0c2406606c5bccf
c26ce02368f7e800361b6174fb471e5499347e4205b354011908bff9409d2e1e
19c683016b8171a4bdb6c987b2045307289656d2c555d08f14ef6c342dca0ea0
7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169
8b2070fb57b6077848ffcbf2bc39f22e417efe372214d339dfc9460f1ecde920
a4e0fd3483e26b4c0dfda5b2c1cb89571e06a8162e88b8a47a810a4b38934b1f
c263ebdc90fdb0a75d6570f178156c0ba665ac9f846b8172d7835733e5c3de59
bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777
a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939
4d2c2b9bf545415c67feb1dc50f92f629525994b9be6eb65648b16e1694ce864
8d23f5cb10165d0de3300234c684d134b0bded5edcd5f4522dda62b367993080
7305c4bb03ec5c017a4297e7e47d7749e56ca5bb56d3d5399a37cd0ae6b3bfd0
b0aa434206748ac51fa00eaa0269239eee1ee17d47fb862952ac9e13c3cee364
9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642
47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f
9c46859695bed9bd827e2292e634c39e2982f40d9be6b170d185ae154a1a6a5f
ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d
06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f
b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
b376d8b2108027a42534314eb5d82a70b06984c7dca8e91df66d00f5c6e91f20

SH256 hash:

de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb

MD5 hash:

6cd2eb2553ba19d387c45537a16547f4

SHA1 hash:

6634e4e6aa505114cbf125957001dc56bafe1928

Link:

https://www.unpac.me/results/72c0b707-9ec4-4740-8e3c-aaaa974c5179/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb

(this sample)

Dropped by

Privateloader

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3135262/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Bitsight

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Malware Config

Unpacked files

File information

BLint

Findings

Reviews

Comments

Login required