MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2
SHA3-384 hash:	668ba29b7a2d523bf41d1cd10d15df7f7104fa9e0d7cfc497029e192f81d590d1962aa83b51accecc1dbe97e0ab2c111
SHA1 hash:	d1f61cd7ccf682868720dacfc91f50ce4e70412b
MD5 hash:	a8145015691ccb73460a69fa0a8b0304
humanhash:	fix-whiskey-oven-eight
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	467'832 bytes
First seen:	2023-12-01 18:08:46 UTC
Last seen:	2023-12-01 21:19:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:I1/tBaOZZfURQrLmwCn/2L04fiOFnZitWpqdc6WwjLC6a2HEZ+rG7tUW:mtbRURQ+wC+9KtWpqSNg+6RrqtUW
Threatray	1 similar samples on MalwareBazaar
TLSH	T133A46C0402655108CB2ED3B9D1535142B7B5BE22A622EBB67FFDF5E31EBB3D4660304A
TrID	27.3% (.SCR) Windows screen saver (13097/50/3) 22.0% (.EXE) Win64 Executable (generic) (10523/12/4) 13.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe signed vidar

Code Signing Certificate

Organisation:	installrox inc
Issuer:	installrox inc
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-12-01T16:19:41Z
Valid to:	2024-12-01T16:19:41Z
Serial number:	0a58eaa574cbdf66c3ae42b923144c13
Thumbprint Algorithm:	SHA256
Thumbprint:	a4044e2549c50f4ed21007c4487554e1188750b5a19966f5bd9d2561356fc3a1
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://91.92.241.91/files/InstallSetup2.exe

Intelligence

File Origin

# of uploads :

# of downloads :

326

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461755/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.8036.25896.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Creating a file

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a process from a recently created file

Creating a file in the %temp% directory

Searching for synchronization primitives

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Creating a file in the %AppData% subdirectories

Using the Windows Management Instrumentation requests

Launching the process to interact with network services

Blocking the User Account Control

Adding exclusions to Windows Defender

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Upgdsed

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b2c08a1b-3a65-49c7-8891-3a58389ed6c7

Result

Threat name:

Glupteba, Petite Virus, Socks5Systemz, V

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1351608

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-12-01 18:09:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=572bn4l3qmzh42irgcfsxfty6ux3jngsbom2s32dyjdy4xomcdza._file

Verdict:

malicious

Vidar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:glupteba family:vidar botnet:b38cb04787049a109b9655c2379f5b97 discovery dropper evasion loader persistence rootkit stealer trojan upx

Link:

https://tria.ge/reports/231201-wrfpaaef45/

Behaviour

Creates scheduled task(s)

Modifies data under HKEY_USERS

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Uses Task Scheduler COM API

NSIS installer

Enumerates physical storage devices

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

UPX packed file

Windows security modification

Downloads MZ/PE file

Drops file in Drivers directory

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Modifies boot configuration data using bcdedit

Glupteba

Glupteba payload

UAC bypass

Vidar

Windows security bypass

Malware Config

C2 Extraction:

https://t.me/s4p0g
https://steamcommunity.com/profiles/76561199575355834

Unpacked files

SH256 hash:

eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2

MD5 hash:

a8145015691ccb73460a69fa0a8b0304

SHA1 hash:

d1f61cd7ccf682868720dacfc91f50ce4e70412b

Link:

https://www.unpac.me/results/cc44c259-65e5-420a-9b88-027f3a8959fb/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/eff416f17b83/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/461755/

URLhaus

https://urlhaus.abuse.ch/url/2735609/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample