MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eddd58f52fc1ead5886f788892412d23a0fa5fc4c76af2548ea7321c2f6c4d9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	eddd58f52fc1ead5886f788892412d23a0fa5fc4c76af2548ea7321c2f6c4d9c
SHA3-384 hash:	f68e7f2bf2e63de46c1dc48e2bf50a5ec47f72859ac38c1d46f8a14a4f5e80340c40fd5e95d0ecf139011565ece4a039
SHA1 hash:	b4de671b594ad90439a43cf4de49606ee6798298
MD5 hash:	9e30553b003e6c9099ce52ea18d0a6f9
humanhash:	four-skylark-skylark-muppet
File name:	Loader.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	455'680 bytes
First seen:	2023-02-15 15:44:47 UTC
Last seen:	2023-02-15 17:34:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4daca7182a967075c4a8cd470c438efe (7 x RedLineStealer, 3 x Vidar, 1 x DCRat)
ssdeep	6144:EAYL50f+dgN8BMStlQfAk/X0DfU/8utzIPrdWspxFoZDf820w7/vFip6y/OMB:EAM9e82fZPMfq3tzWdvoZL9/fMB
Threatray	1'274 similar samples on MalwareBazaar
TLSH	T1DBA4D0013ECC8AE7E6E6CEF77A62C52A601E507E521F178E932589D15B7039413B81BF
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

Loader.exe

Verdict:

Malicious activity

Analysis date:

2023-02-15 16:02:22 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/311a392f-3575-42cb-b81b-9ce55eb44764

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/366758/

Detection(s):

SecuriteInfo.com.Variant.Zusy.450531.14555.19540.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Searching for synchronization primitives

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/70452/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63ecfe01846a958a58168558/reports/07f17852-84f2-4713-aa0e-da667c73eb24/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/eddd58f52fc1ead5886f788892412d23a0fa5fc4c76af2548ea7321c2f6c4d9c

Result

Verdict:

MALICIOUS

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cab39640-b29e-4ea1-89c2-ab9dfb21068e

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1175861

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eddd58f52fc1ead5886f788892412d23a0fa5fc4c76af2548ea7321c2f6c4d9c/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-02-15 15:45:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5xovr5jpyhvnlcdppcejeqjneoqpux6ey5vpeveou4zbyl3mjwoa._file

Verdict:

malicious

Vidar

44f6100a2d95f01fb7e692367928f9df629c556680bc74fe45011482184c8b61

Vidar

6f8c5269ce2ba1e2baa595221a138240040aadf80c8819380563a72a3b7e024b

Vidar

7e349767b32221f32490d0c7270670a35d9c316936fb45bb9a5c900dba521cda

Vidar

9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

Vidar

9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453

Vidar

bf566a0e924a5567391242c61c0070a09ee3bca04a02e4f0170040b90e5b73e5

Vidar

d254183803aaa2a5ab7118f423809013bf0e5fc1766bb37beaea2ce1e0acfa61

Vidar

e661e53f429cd22e30ca6fb368f3e011e76264892f4e718c75cb3636f4f2e611

Vidar

+ 1'264 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:408 spyware stealer

Link:

https://tria.ge/reports/230215-s63ktacd2y/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Vidar

Unpacked files

SH256 hash:

ea320317c25208fa216ea1e1fc633e2c67d55865e0602ceb2681700835f38689

MD5 hash:

6987ace4cbb77480964b0311986cf21a

SHA1 hash:

7bf512b61f72d0063f4389194203ead8d261e1bb

Detections:

VidarStealer

Link:

https://www.unpac.me/results/df348de4-dcfb-48d6-aa0e-2cfca6f8b126/

SH256 hash:

eddd58f52fc1ead5886f788892412d23a0fa5fc4c76af2548ea7321c2f6c4d9c

MD5 hash:

9e30553b003e6c9099ce52ea18d0a6f9

SHA1 hash:

b4de671b594ad90439a43cf4de49606ee6798298

Link:

https://www.unpac.me/results/df348de4-dcfb-48d6-aa0e-2cfca6f8b126/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/eddd58f52fc1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eddd58f52fc1ead5886f788892412d23a0fa5fc4c76af2548ea7321c2f6c4d9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	Telegram_Links Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/366758/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample