MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c
SHA3-384 hash:	c305c70eda7fe2142f9a0638eaef29df0652b0b79e70d59c4b181dbfbc5af4c701d6e3ad9bffb136c5d9f025fa3bb534
SHA1 hash:	1bf3a74c13064590db411e2ca57392cb6d6ce966
MD5 hash:	b818812e87cc611226e5f4eb7e4a5e6c
humanhash:	connecticut-quebec-angel-muppet
File name:	b818812e87cc611226e5f4eb7e4a5e6c.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	1'797'856 bytes
First seen:	2023-10-22 18:07:31 UTC
Last seen:	2023-10-22 18:48:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8a73a83fdced3fd9c55fbc1b70e551ad (6 x CoinMiner, 3 x Vidar)
ssdeep	24576:o+MOMrtVi51bGcK8UNQs3AU2dSUEfz7MZPQeEt5BQCDBULKhI:+OMr72NqNuyEilU26
Threatray	4 similar samples on MalwareBazaar
TLSH	T1B8859D09F39405F9D85BCB30C9199F32E2B4B45A07219FAF1B66C6872E73AD15F3A211
TrID	83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 4.4% (.EXE) Win64 Executable (generic) (10523/12/4) 2.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe signed vidar

Code Signing Certificate

Organisation:	Microsoft Code Signing PCA 2011
Issuer:	Microsoft Code Signing PCA 2011
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-10-21T01:03:19Z
Valid to:	2024-10-21T01:03:19Z
Serial number:	2cd44e2e42576ca048433d2e03987f12
Thumbprint Algorithm:	SHA256
Thumbprint:	21771205fd0f8a12a679ce754c5636a52cd6c22fc5b1997780fcd1d2463edbfe
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://171.22.28.221/files/Random.exe

Verdict:

No threats detected

Analysis date:

2023-10-21 08:50:37 UTC

Tags:

opendir loader

Link:

https://app.any.run/tasks/fa059b2d-5eca-4c9b-988e-6fb8e3b0a5fc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Inject4.63165.4846.1231.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Modifying a system file

Creating a window

Replacing files

Reading critical registry keys

Using the Windows Management Instrumentation requests

Launching a service

Creating a file in the %AppData% subdirectories

Searching for synchronization primitives

Sending a UDP request

Running batch commands

Searching for the window

Launching a process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file

Sending an HTTP GET request

Creating a process from a recently created file

Creating a process with a hidden window

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a recently created process

Blocking the Windows Defender launch

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Adding exclusions to Windows Defender

Adding an exclusion to Microsoft Defender

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

hacktool overlay packed

Link:

https://www.filescan.io/uploads/653565082b74b3f20dd76dac/reports/39216f32-42f4-4492-bad5-8645e2b63c75/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/129742c8-e973-4e40-99c3-0015faf2bc7d

Score:

76%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c/

Threat name:

Win64.Spyware.Vidar

Status:

Malicious

First seen:

2023-10-21 04:51:51 UTC

File Type:

PE+ (Exe)

AV detection:

17 of 38 (44.74%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4cgyv7c6qosu7ih3nscn4snph2de5q7tmlwu4pajiwn3v65hta6a._file

Verdict:

unknown

Vidar

85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c

Vidar

c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32

Vidar

e89d8af6209b99543fd2dcc8a37842d40e4d54ab8f52ce635665c432a152d8d6

Vidar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:glupteba family:privateloader family:vidar botnet:55d1d90f582be35927dbf245a6a59f6e dropper evasion loader persistence stealer trojan upx vmprotect

Link:

https://tria.ge/reports/231022-wqwzwacb7s/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Program crash

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

VMProtect packed file

Windows security modification

Downloads MZ/PE file

Drops file in Drivers directory

Modifies Windows Firewall

Stops running service(s)

Glupteba

Glupteba payload

PrivateLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Windows security bypass

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199563297648
https://t.me/twowheelfun

Unpacked files

SH256 hash:

e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c

MD5 hash:

b818812e87cc611226e5f4eb7e4a5e6c

SHA1 hash:

1bf3a74c13064590db411e2ca57392cb6d6ce966

Link:

https://www.unpac.me/results/d2ab2b73-fc19-4e42-a7c6-cc903fde3481/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e08d8afc5e83/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

vidar

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2721958/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample