MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab
SHA3-384 hash: caf791befb50afa84d3eeee9792c8c36dc37e29761d4d95aedb1ceb8d9edce8be05c10f3680220c2760e202f692cc80a
SHA1 hash: e246a80f90d88d5df99e4e75bb44825fdc22a531
MD5 hash: acff4bc8180417126563b61755dd464c
humanhash: carpet-potato-carpet-utah
File name:acff4bc8180417126563b61755dd464c.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:355'840 bytes
First seen:2023-12-02 16:43:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0bd61e688135eda02fcf13008a67a440 (6 x Smoke Loader, 2 x Stealc, 2 x Vidar)
ssdeep 3072:/EQhBUz3mVrpYT3Twdxx6QHHysSygmP9jwQHKp5R5vAMu63jXdo:MIUruODEdH6QHF5gKWQHK9tJjX
Threatray 33 similar samples on MalwareBazaar
TLSH T15F74084392E17D96E9278B729F2FC6EC771EF6508E4977A92228DE1F00B11B2D163710
TrID 67.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.2% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00014a1833114545 (1 x Vidar)
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461918/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/656b629c380413dc0c2c4fff/reports/8f1e5d79-7039-4e10-9f87-75e7ee59c868/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8395a522-d182-48c1-9bd3-9d0a802ac70e
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352111
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab/
Threat name:
Win32.Trojan.StealC
Create hunting rule
Status:
Malicious
First seen:
2023-12-01 09:35:52 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4xtn6wyq3zqqvv52exklvgfdv4tyrvc4cq6y7i5nw3yiipaldkvq._file
Verdict:
malicious
Similar samples:
1b5b2846fe02fa318dd6f82439d4826948cbfc4d7245a8267ac37605bd094885
Vidar
33b04a8d7bc2da4d5e00ce9acd0e5755daf961f1a8574ef84ba3d58761127d6a
Vidar
465bec204932baa110e7344f725d7a9acd5c1a599927e6a3a080aa31dc18101f
Vidar
8a59a0e9b326966e4fb7353078bf82b765df754e575a3bfe3bb44220ffb41116
Vidar
cc58fda6767d3d05772223f4267075b2dc2a63bc802a6026f3dbc1403e3efa17
Vidar
e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab
Vidar
+ 23 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:b38cb04787049a109b9655c2379f5b97 stealer
Link:
https://tria.ge/reports/231202-t8talaea5s/
Behaviour
Modifies system certificate store
Program crash
Vidar
Malware Config
C2 Extraction:
https://t.me/s4p0g
https://steamcommunity.com/profiles/76561199575355834
Unpacked files
SH256 hash:
1dcb83bfbc950d101458a551b16368a29803f9084aed9853a4f4dccb398edac9
MD5 hash:
c2d9c0171941b349111afef474a4624c
SHA1 hash:
3076003e82296276602675e1d63ec892c0abaa3d
Detections:
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Link:
https://www.unpac.me/results/250433ec-99ae-4314-9a35-5a0de8d0ce7b/
Parent samples :
e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab
f588fb0d22eb7e81736deb57a487fa494e7b7d970dd00e521e95fdc80eb12d53
SH256 hash:
e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab
MD5 hash:
acff4bc8180417126563b61755dd464c
SHA1 hash:
e246a80f90d88d5df99e4e75bb44825fdc22a531
Link:
https://www.unpac.me/results/250433ec-99ae-4314-9a35-5a0de8d0ce7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe e5e6df5b10de610ad7ba25d4ba98a3af2788d45c143d8fa3adb6f0843c0b1aab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2735975/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/461918/

Comments