MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f54a2c74fd7fc447eae84474498021e4030540c7dbc03f95dab24b63fbb6eee2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f54a2c74fd7fc447eae84474498021e4030540c7dbc03f95dab24b63fbb6eee2
SHA3-384 hash: e13a74157983318be8ea35bdaa5afe9045f3eaf5fc9014a838041b73e801f9d9f908c2becbf13b62a005afc2313f4583
SHA1 hash: ad6a1d90df8152524ea2362af50b3e3f262ce647
MD5 hash: 30955b03c283564d84db9af01323f87f
humanhash: undress-emma-december-alabama
File name:0x000b00000001273a62.dat
Download: download sample
Signature Vidar
Create hunting rule
File size:3'041'280 bytes
First seen:2023-05-18 13:41:50 UTC
Last seen:2023-05-18 13:52:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4aa3647b400100a0104f84ea9581696d (1 x Vidar)
ssdeep 49152:1/ynDP9CkbPBzS7ULCbGyDboE8wrupidLNDNVeC1T5nY5tHfswXNWoUr3EHDMYCw:k5pDBzS7UL+G3q5V7y5JB9WBUHIYCpsT
Threatray 198 similar samples on MalwareBazaar
TLSH T18CE52311B744C037F6A2043A8FE5AFB3151C6CB2171624CFF3A426AE2DB06E56A75787
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JaffaCakes118
Tags:vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
62
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
ac9b826b0329458eaad2ccb3fafcd7ff
Verdict:
Malicious activity
Analysis date:
2023-05-15 22:31:38 UTC
Tags:
rat redline evasion
Link:
https://app.any.run/tasks/ae650917-0996-42e9-a9f2-208aee31da31

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Ser.Zusy.3970.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm crypto exploit greyware packed
Link:
https://www.filescan.io/uploads/64662b5a38913caea15d3619/reports/4da749fa-cb0b-4ffa-b2d5-11e32c40f843/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/f54a2c74fd7fc447eae84474498021e4030540c7dbc03f95dab24b63fbb6eee2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/445721f4-f82d-48c4-b268-29e3395376ba
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237359
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f54a2c74fd7fc447eae84474498021e4030540c7dbc03f95dab24b63fbb6eee2/
Threat name:
Win32.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 22:31:09 UTC
File Type:
PE (Exe)
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vfcy5h5p7cep2xiir2etabb4qbqkqgh3pad7fo2wjfwh65w53ra._file
Verdict:
malicious
Similar samples:
0b51b2819a128abdfab0006900667b5e05329aa0416445c43db76e2f503b92ff
Vidar
1e42d63ed11929379e5739414c944bc755fb2e212eb475777de4a7e0ef54c517
Vidar
2068c94f118c1921f4333d97935e35ce175803820c44444277563fe0f82398fb
Vidar
331952066aee8437403773b213a4b7ebee56e905929e86432c4a7623f05ac79a
Vidar
4311ebed531b92938b18b79d3982cfe8d48c5d395113ebc13aa25f4f29f1e211
Vidar
5651cc4a142270f16a9c282e4b06073e960cf3e00896115cacd890dc2531d1d5
Vidar
afd33d4aa80a47b1cf9bb0ea15ba7cedee6dbd453aca2c7bce5fa59d04143363
Vidar
d481da91692bf781cefe21ee5fbc3b22423df3370284c0d591959334b5185a06
Vidar
ee5e1cf8922e2c866beb155a2227d47e98bf31e35507ee135a7c8b1f9a3413ba
Vidar
fee5e202497ecf3e0f2d829f11afe55c8c7f525cd08bf1d570a96e226bb0bdca
Vidar
+ 188 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:c67d16317758867576bd28c19d9721ba discovery spyware stealer
Link:
https://tria.ge/reports/230518-qzse6abc24/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199263069598
https://t.me/cybehost
Unpacked files
SH256 hash:
f54a2c74fd7fc447eae84474498021e4030540c7dbc03f95dab24b63fbb6eee2
MD5 hash:
30955b03c283564d84db9af01323f87f
SHA1 hash:
ad6a1d90df8152524ea2362af50b3e3f262ce647
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/cf1bdfce-353d-4dea-839d-42c71afe0ad3/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f54a2c74fd7f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f54a2c74fd7fc447eae84474498021e4030540c7dbc03f95dab24b63fbb6eee2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments