MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2c3f2034f72bcf0d93e56925be2b33aba07b33be026b65a9776b72e30bf9d69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2c3f2034f72bcf0d93e56925be2b33aba07b33be026b65a9776b72e30bf9d69
SHA3-384 hash: 38258395339d7f5a0bc7291af63fcbb49579ee7f3328e36536400d6522ce13c0c63fd31fc58fc4cd391da49148bd306f
SHA1 hash: cc967253161ecce1955b87450abcba1febc2c0a1
MD5 hash: 5cd30b23538166c486b3deaf5ab6e7c0
humanhash: pluto-beer-carbon-alaska
File name:Rechnung.pdf.lnk
Download: download sample
Signature Vidar
Create hunting rule
File size:7'390 bytes
First seen:2024-03-27 19:50:21 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 24:8WYaN/mCryK2jvd4pyA4kr+/47u+nQ6Zuidd79dsvaab/BiTKmE:8WYaZmCOKuduQ10ldJ9labBkK
TLSH T10DE137162FE50735F3F30D771836A6119A77F858DD55EB2E018041881872701E8B4F7B
Reporter rmceoin
Tags:lnk vidar


Avatar
rmceoin
91.92.250.123/Downloads/Rechnung.pdf.lnk
Machine identifier: win-8oa3ccqae4d
LNK -> mshta https://docshare.site/2/rechnungvertrag -> https://docshare.site/2/Esp.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
US US
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/f2c3f2034f72bcf0d93e56925be2b33aba07b33be026b65a9776b72e30bf9d69/results/dashboard
Payload URLs
URL
File name
https://docshare.site/2/rechnungvertrag
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
forfiles lolbin lolbin masquerade mshta shell32
Link:
https://www.filescan.io/uploads/660478a8f7095ca3446d5d46/reports/86b148f6-2d7f-44d0-9e13-c37057a2a731/overview
Verdict:
Malicious
Labled as:
DangerousPassword.Lazarus.D.0674201C;Generic.DangerousPassword.Lazarus.D.Generic
Link:
https://www.hybrid-analysis.com/sample/f2c3f2034f72bcf0d93e56925be2b33aba07b33be026b65a9776b72e30bf9d69
Result
Verdict:
MALICIOUS
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1416731
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found URL in windows shortcut file (LNK)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1416731 Sample: Rechnung.pdf.lnk Startdate: 27/03/2024 Architecture: WINDOWS Score: 100 86 docshare.site 2->86 88 steamcommunity.com 2->88 96 Found malware configuration 2->96 98 Malicious sample detected (through community Yara rule) 2->98 100 Antivirus detection for URL or domain 2->100 102 11 other signatures 2->102 13 forfiles.exe 1 2->13         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 124 Windows shortcut file (LNK) starts blacklisted processes 13->124 19 powershell.exe 7 13->19         started        22 conhost.exe 1 13->22         started        82 127.0.0.1 unknown unknown 16->82 signatures6 process7 signatures8 104 Powershell drops PE file 19->104 24 mshta.exe 16 19->24         started        process9 dnsIp10 94 docshare.site 185.196.8.158, 443, 49699, 49702 SIMPLECARRER2IT Switzerland 24->94 74 C:\Users\user\AppData\...\rechnungvertrag[1], PE32 24->74 dropped 118 Windows shortcut file (LNK) starts blacklisted processes 24->118 120 Suspicious powershell command line found 24->120 122 Very long command line found 24->122 29 powershell.exe 17 18 24->29         started        file11 signatures12 process13 file14 80 C:\Users\user\AppData\Roamingsp.exe, PE32 29->80 dropped 32 Esp.exe 50 29->32         started        35 Acrobat.exe 18 73 29->35         started        37 conhost.exe 29->37         started        process15 file16 58 C:\Users\user\AppData\Local\Temp\sp.dll, PE32 32->58 dropped 60 C:\Users\user\AppData\Local\Temp\sn.dll, PE32+ 32->60 dropped 62 C:\Users\user\AppData\Local\...\pxn9zstY.exe, PE32 32->62 dropped 64 45 other malicious files 32->64 dropped 39 pxn9zstY.exe 3 32->39         started        42 AcroCEF.exe 104 35->42         started        process17 signatures18 114 Maps a DLL or memory area into another process 39->114 116 Found direct / indirect Syscall (likely to bypass EDR) 39->116 44 ftp.exe 39->44         started        48 AcroCEF.exe 2 42->48         started        process19 dnsIp20 76 C:\Users\user\AppData\...\bcivxqipxnwkfv, PE32 44->76 dropped 78 C:\Users\user\AppData\Local\Temp\Visa.au3, PE32 44->78 dropped 126 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 44->126 128 Writes to foreign memory regions 44->128 130 Found hidden mapped module (file has been removed from disk) 44->130 132 Maps a DLL or memory area into another process 44->132 51 Visa.au3 44->51         started        56 conhost.exe 44->56         started        84 23.56.8.145, 443, 49712 AKAMAI-ASUS United States 48->84 file21 signatures22 process23 dnsIp24 90 78.46.229.36, 443, 49721, 49722 HETZNER-ASDE Germany 51->90 92 steamcommunity.com 104.105.90.131, 443, 49720 AKAMAI-ASUS United States 51->92 66 C:\Users\user\AppData\Local\...\sqlm[1].dll, PE32 51->66 dropped 68 C:\Users\user\AppData\...\softokn3[1].dll, PE32 51->68 dropped 70 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 51->70 dropped 72 10 other files (none is malicious) 51->72 dropped 106 Detected unpacking (creates a PE file in dynamic memory) 51->106 108 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 51->108 110 Found many strings related to Crypto-Wallets (likely being stolen) 51->110 112 6 other signatures 51->112 file25 signatures26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2c3f2034f72bcf0d93e56925be2b33aba07b33be026b65a9776b72e30bf9d69/
Threat name:
Shortcut.Dropper.DangerousPasswordLazarus
Create hunting rule
Status:
Malicious
First seen:
2024-03-27 19:51:05 UTC
File Type:
Binary
AV detection:
7 of 23 (30.43%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lb7ea2pok6pbwj6k2jfxyvthk5apmz34atlmwuxo23s4mf7tvuq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/240327-yks25sdh5y/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction:
https://docshare.site/2/rechnungvertrag
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2c3f2034f72bcf0d93e56925be2b33aba07b33be026b65a9776b72e30bf9d69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Vidar

Shortcut (lnk) lnk f2c3f2034f72bcf0d93e56925be2b33aba07b33be026b65a9776b72e30bf9d69

(this sample)

Vidar

Executable exe f42b5d3c7f9df937aa85838dd67cfe03844b2fb0d912e5c753b1e5a7aa75f3f0

Vidar

Executable exe e47a373b0463000b4c72191a862ff11400887a5b86889620b56d00640eadb783

  
Dropping
SHA256 e47a373b0463000b4c72191a862ff11400887a5b86889620b56d00640eadb783
  
Dropping
MD5 22d1f82cae9c0e2617dbba49d56b651b

Comments