MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df63c205bd0709fb7c7150249223a78466d9c3daf481e75a39bd84514a9215f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	df63c205bd0709fb7c7150249223a78466d9c3daf481e75a39bd84514a9215f6
SHA3-384 hash:	cf505aebc9965a91ebb7494b0c00dd3c80719b1e9ddd373421ca6dc84d1266fd894530da3897666b5aef236866a01837
SHA1 hash:	cee99b0db9e9175cca108c5134d884bbc972b2dd
MD5 hash:	69ccd0dd37979d6b414f0ee4d4b73b0b
humanhash:	diet-venus-jupiter-jig
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	280'064 bytes
First seen:	2024-09-17 04:45:56 UTC
Last seen:	2024-09-17 05:19:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:aj4khumzc2tlHgL89VPl8RdnwyRCOgyAtHQEHN:a82umzcwHgLGg7wKpgRtHQ
Threatray	20 similar samples on MalwareBazaar
TLSH	T14B5423824789A35FF4958738C4B1172E4660AE5CA34F3E7E73266B09CF81D21355BBCA
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	exe vidar

Bitsight

url: http://147.45.44.104/prog/66e9095f50a8c_vmdsf.exe#space

Intelligence

File Origin

# of uploads :

# of downloads :

473

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-09-17 10:43:32 UTC

Tags:

vidar

Link:

https://app.any.run/tasks/d19d3c29-b739-4957-8fd0-151fe17ef5a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.15460.12281.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66e9098c71e91b3281ba1a5c

Tags:

n/a

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/66e9098a800c7315e1ca0e72/reports/eae68463-5a04-49f5-af82-18bfc033217f/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/df63c205bd0709fb7c7150249223a78466d9c3daf481e75a39bd84514a9215f6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/01c3d840-61ea-4a3e-9cfa-6c797f54f27f

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1512294

Signature

.NET source code contains very large array initializations

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/df63c205bd0709fb7c7150249223a78466d9c3daf481e75a39bd84514a9215f6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df63c205bd0709fb7c7150249223a78466d9c3daf481e75a39bd84514a9215f6/

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2024-09-17 04:46:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 38 (36.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=35r4ebn5a4e7w7drkasjei5hqrtntq626sa6owrzxwcfcsuscx3a._file

Verdict:

malicious

Vidar

5ddb5598f1156d0ea44502cfbe89fdb6805c6b4be08cd33fd1a963b94544918e

Vidar

9aa969169a955de9644611b854ee7314349c4c7e9dc9be545b392cd5db002942

Vidar

9fb5255586dc349067104a9cf3514d0ed6bf955c3ea9afbed0fb416b70cfd931

Vidar

c2f99e83841e2f7e1fb0db047e5439fbe10a8d4b991a20e17a25686ea330f012

Vidar

c67c9fdc96742ea8ed38f21193d31eaad94ddc43bb7fb0f3ef88d17d102008b0

Vidar

+ 10 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/240917-fdy1psvhkm/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/800ed09f-5148-4c58-b815-5bb5e3536324

Unpacked files

SH256 hash:

8ec6c11d14a1bd47740ea280ed8f915238d1d1cd5c702cde6ce2a63497df1c27

MD5 hash:

7f5ea902360ec7d6de97abc88207ad35

SHA1 hash:

943b21d0bee9fcd42fbf484db34ee6b083174dd6

Detections:

VidarStealer

Link:

https://www.unpac.me/results/a4135743-25aa-4c6b-a9d5-467b0ab8819f/

Parent samples :

df63c205bd0709fb7c7150249223a78466d9c3daf481e75a39bd84514a9215f6
f62b8e7a181f69bc257aa09d7d1eadec7a2ff0e7006a6753c96173aa50101715
86d1e9372127505a6200e134641390297bd255de3b742d874108cbf5670d3d9c
7ad095de4171dfb3458752e1f4406b726ea94327e529fd83e2189b8c04ffee86
6f8b44c727d44c82461e3e33098a1d93517bd200c4489120914f34e22715309c
146b7006b041d25b6846c797234f38387ec4b141c4a7e4f100d0e6d2eda29088

SH256 hash:

0ab41930f0a18d7629031bf5cd9a8c7090c13983c1d7567b9018185f0fa18f0d

MD5 hash:

2890a00ef6943ed98e2b7c6e3e49ae1c

SHA1 hash:

9072a751e68fe39222aebc87ffb898a423310ce9

Link:

https://www.unpac.me/results/a4135743-25aa-4c6b-a9d5-467b0ab8819f/

SH256 hash:

df63c205bd0709fb7c7150249223a78466d9c3daf481e75a39bd84514a9215f6

MD5 hash:

69ccd0dd37979d6b414f0ee4d4b73b0b

SHA1 hash:

cee99b0db9e9175cca108c5134d884bbc972b2dd

Link:

https://www.unpac.me/results/a4135743-25aa-4c6b-a9d5-467b0ab8819f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

vidar

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/df63c205bd0709fb7c7150249223a78466d9c3daf481e75a39bd84514a9215f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe df63c205bd0709fb7c7150249223a78466d9c3daf481e75a39bd84514a9215f6

(this sample)

Dropped by

Privateloader

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3177720/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample