MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7
SHA3-384 hash:	f6349c72edf47b33a901866de406ae09522f9c58b92a988e2c235462485ceb37b13f4610b29c1ce96c9ff6351af322d6
SHA1 hash:	d57fd824ac54082312dcc23d2bca61e4d98f6065
MD5 hash:	e23c839edb489081120befe1e44b04db
humanhash:	may-bakerloo-table-michigan
File name:	build2.exe
Download:	download sample
Signature	Vidar Alert Create hunting rule
File size:	308'736 bytes
First seen:	2023-12-21 05:19:13 UTC
Last seen:	2023-12-23 23:51:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	24a8ecd73626ea109270e4a29851c3b1 (1 x Vidar)
ssdeep	6144:ZjLaN58Awvxfc4Y5YC/j8o74UhOfu8HV/7:tGN5xqtc4Yp/j8o1hUuOF
TLSH	T107642B5393E17E54E626CB729E2EC6F8B71EF5108F19376A5229AE1F04B05B2C1B3710
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1030d09030381800 (1 x Vidar)
Reporter	adm1n_usa32
Tags:	exe vidar

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

340

Origin country :

RO

Vendor Threat Intelligence

ANY.RUN guloader

Malware family:

guloader

Alert

Create hunting rule

ID:

1

File name:

New Text Document mod.exse

Verdict:

Malicious activity

Analysis date:

2023-12-20 06:34:05 UTC

Tags:

opendir loader guloader purplefox backdoor stealer redline vodkagats ransomware stop dupzom trojan formbook spyware agenttesla amadey botnet originbotnet remote rat gh0st stealc evasion redosdru kelihos risepro vidar socks5systemz proxy raccoonclipper lumma nitol xloader metasploit arechclient2

Link:

https://app.any.run/tasks/e24d52c8-0724-48c1-8a91-590e9680452f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/468732/

ClamAV Detected

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Alert

Create hunting rule

Win.Trojan.Mokes-10017068-0

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6583cb03b855eb3693ea56e3/reports/294b5d11-4c08-4a05-aed9-f4aba934cbd0/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9b4a8149-3f2a-4b1c-bf69-f9e5b6400cec

Joe Sandbox Vidar

Result

Threat name:

Vidar

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1365427

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM3

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7

CERT.PL MWDB vidar

Detection:

vidar

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7/

ReversingLabs TitaniumCloud Win32.Trojan.SmokeLoader

Threat name:

Win32.Trojan.SmokeLoader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-18 21:28:28 UTC

File Type:

PE (Exe)

Extracted files:

59

AV detection:

23 of 23 (100.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=62hxh2jtaibfoxteo3rx5vn7vii2kk72ytisjddp5zlcr4l4bt3q._file

Threatray malicious

Verdict:

malicious

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://tria.ge/reports/231221-f1ewcaadf2/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

UnpacMe INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Unpacked files

SH256 hash:

62c207861787d94784d7dffa7f69b07cae808aa5194f13593fcb812b1fd492cf

MD5 hash:

b74be351d037eaa9be735ae6e04f1e0a

SHA1 hash:

20e705559c4e8f005b20a3cc8fd28f555136df11

Detections:

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Alert

Create hunting rule

Link:

https://www.unpac.me/results/5e905272-88c2-446a-9839-09e3dcd7a86a/

SH256 hash:

f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7

MD5 hash:

e23c839edb489081120befe1e44b04db

SHA1 hash:

d57fd824ac54082312dcc23d2bca61e4d98f6065

Link:

https://www.unpac.me/results/5e905272-88c2-446a-9839-09e3dcd7a86a/

VMRay Vidar.A

Malware family:

Vidar.A

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f68f73e93302/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7

(this sample)

Cape

https://www.capesandbox.com/analysis/468732/

  

URLhaus

https://urlhaus.abuse.ch/url/2743124/

  

Delivery method

Distributed via web download