MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393
SHA3-384 hash:	c2e20c0dc9e1d51525ae82a23f5a18e13c98b77c71b21c06edddfc29b66e6b1d64d9ec576229323de23b6ded42fe13d1
SHA1 hash:	e0489dc92a9623ecbd581f5ab10a93dad1d3212d
MD5 hash:	39a1822b13c6828466eddc662c989630
humanhash:	pasta-asparagus-paris-angel
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	909'441 bytes
First seen:	2024-02-08 13:41:32 UTC
Last seen:	2024-02-08 15:33:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2e838409987529c95afc2990bcd62f7c (2 x Vidar, 1 x Rhadamanthys, 1 x ObserverStealer)
ssdeep	24576:vus8z4PCfNK7wJiKlJJH3pitaI2E51Vr22vt:2sOlfNKQJH3ma5i1Vr2U
TLSH	T1A91512217CD18573D27323305CE8FA36A6FEE61203769147B78816096E72AE1DB6C327
TrID	32.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 28.9% (.EXE) Win32 Executable (generic) (4504/4/1) 13.0% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) 12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	7876d3d5d7666839 (1 x Vidar)
Reporter	Bitsight
Tags:	exe vidar

Bitsight

url: https://vk.com/doc481075715_673554368?hash=ZSaURvZsGkSQMIshyZSAaZBz0uAe7LaSLae9g8MBLcP&dl=Cvez9kkKmq8q64rvZVuhwU4zEHbFlJCCNy8kBBdzOLw&api=1&no_preview=1#receptor

Intelligence

File Origin

# of uploads :

# of downloads :

356

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/475419/

Detection(s):

SecuriteInfo.com.Trojan.Win32.7zip.23709.888.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint hook installer keylogger lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65c4da2e2cb3f19023f5e75f/reports/470b2bc1-4a5e-4ffa-a3b7-525f471b3823/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a3038c1e-e111-4ce1-a777-08959c92f24d

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1389113

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Detected unpacking (creates a PE file in dynamic memory)

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found malware configuration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected AntiVM3

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

80%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-02-08 13:42:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4mto7plbdygurb27vo2hlrz6ibri5quur3z7lhvr7azgg5gzeojq._file

Verdict:

unknown

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:69b49b53d1eacd04e2e995d43250b30c stealer

Link:

https://tria.ge/reports/240208-qzn3qsff82/

Behaviour

Enumerates processes with tasklist

Modifies system certificate store

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Detect Vidar Stealer

Vidar

Malware Config

C2 Extraction:

https://t.me/newagev
https://steamcommunity.com/profiles/76561199631487327

Unpacked files

SH256 hash:

9437b5cd85f01ae5f0fcffab34b33a10b18beee3d559431a512b977596576fd6

MD5 hash:

0e5f8c77f7d8e72afb90a58098bdfaf7

SHA1 hash:

4f7884661c4b200210ac250b914b2464ced3dd12

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/b67fe2ac-cb81-4cdb-a550-1787acc2c22e/

Parent samples :

99792e2eda5c50df332f2ba9bde7dbe158398acd913c16f980ff54bfda274f36
32a3ae3f8473db4b0526e456c67da605202afbfc4db584db9275d62e80884bf5
4315c14af0772f50b9b383cae378f26e71e77156886209344791c7f931d6425c
c70a6bb61af33042ad6131ed456847c36ddf8a20cfd711646d2f673ec851c754
8eed969439caae425cac85ad5b221e4f19ab22b40182a8d6beeb035dc50cf6a1
fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7
2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
b9371b217090aadf41da567face2032494d9fc5d7e4bb438dad702814c88fb97
2fcffd3914b2555cd521d7c2d3c43e8e8af300f9ee161d3ae0c028206f55775b
6a7afd800f236e6bf6cdaa2fc93869daade49c2b5698bbb39c3d8ecc13d0fd9c
6115d0dc0349f7cbab3fe4b4b769b389a60aab336519d4b42952bb0f0501428f
9f706c4488db8c3f51761fe450003199948b489b39bfaf56560eac498a954356
e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393
a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43
9ac629ed8e07b6c99b05edd46b86e1795e5f96908ab1fe85a06282b0a982cd1b
487aa8d7d2c3f85140a7dc9c8704329c6e42a296e6a89ec66a7e0de58d309ded
e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46
b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42
d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee
40aa56690dafef35b08b83eebf12c694f5cec88c6ba1ff9f499fff5a5da1ef02
baeced1519471f5b87271beb193b279983078f0bba9ba4daef9af842b3c361b8
a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54
7a3506f60a337bd104291e6f01bf18cbf3dad4058e9e79d7861fc2a1c11258c2
43c59cd33371691282d4f781b6f5d0b280da41d71fceeecc7b7052a1db11ac79
634bf075d6d8a187a316a7ff567c867dea7454f4c414fc1dfb5e8a6bae2ab38e
8b66a3ecbb30f4351758c45f1c11dfa8faa9804b2976e108e9557ba39bae3202
0464478d0f6c9992dcfd81471fe69b418deab070f4f7852d756a4138d21f5cac
bdf72e1c0964b7a7b96651b278b6f8d4b42849c01ff2aa6c6844b5ac2a893f3b
9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88
1814457fbd890028ff409edc2d23a11bbac93fb7318aa54523ada7e04f53ea7f
c27c1e00bb778d222efa52a9dbb9335230052cd7eaacf34a8d28b4436aae580c
8ac262e42dc9b061481f38467e202f22271f204cf595b610eb0ad4f5bbcd560b
c2ec58019152493525ab9962c758fff777c96af2407599751fc5f100874222f3
a857af8b33c62e7897af86264a2c8959545cacf74329b76730e2a84b35ef20a4
83f7e97876bb82d57f77f675e4b9ed0d3cd18c75e1cee4ec9661f653ba522e5b
6d4114742eb27a4e99c398904607bbfb07f91c2f2d25c921d888c0879f22d646
8bfa18179880147b29fd76adbba9c2818d5ba600ef22f17a5fcb9897287c4d34
fa8e3f10f85d54f5ac081ec4e9f5bb4c46716c55940c811489abd325d67a9fd1
44ed4970306de81ea87869369b9a1473e119d9a7d4a825fddd1405aa1f6dbe85
ec78b7b9f3560e19d0c723d7d114747d3833cb940631f9a3dbe83634e8d68491
087a6dafebbe457fd2085fc08162a3298891986290e3dd9fef21eec45e0df40f
4be740b7411f644b92749c5fd9be10b827f885c13690aaf7857a6d58b44e9c8c
d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd
ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182
fa80871e2a0b0384f09f41d1a0a6715b7d32b915e70516152b10c32da4151556
80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684
f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2
379a446e3c57a9c7fd56eee88d1b9c8ad89c892307db989b3edd53be1d8913bf
0df79273aea792b72c2218a616b36324e31aaf7da59271969a23a0c392f58451
585d0e01d18cf7acfb8cb1b7ba54ffbb64e187e0a69372e2dc7f6f6b285a8493
707d8153cfae722c0c834bb06bb9dc04d6f3224a39a9b9c33aa524389561ffaa
2ad1b5261442f87a5e7a1c53cd0335c61652b39da8f54587fe0adc45e0813661
a8b2c1d4067978b61076e9ad9848c27ff31611c3a201cafa0b8a4005d80e7321
e4fe2b92480a8ad512c643358c7add07588e8028c1526e5e874d292e6053d4a6
3a339d1c2c786bde38552618b21b647fd61e583ba7cefb9eee6b0647201e5ca6
add35b72ac24e4056dac7aa46dc03ac8ccf717b0891026da8028fb9cbd8f5b7f

SH256 hash:

e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393

MD5 hash:

39a1822b13c6828466eddc662c989630

SHA1 hash:

e0489dc92a9623ecbd581f5ab10a93dad1d3212d

Link:

https://www.unpac.me/results/b67fe2ac-cb81-4cdb-a550-1787acc2c22e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393

(this sample)

Dropped by

Privateloader

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/475419/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample