MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6a6a6302de70532c15f94eaa972167b0a2e1f72a16885d81a35af4d1c6ce705. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6a6a6302de70532c15f94eaa972167b0a2e1f72a16885d81a35af4d1c6ce705
SHA3-384 hash: 0e551c202381f27d4a6670b0815c5cceb6c59025813b78f4e560c560e8d667a536e1c9c4e4be8d0a34be97776b2fe712
SHA1 hash: 56b5495aa6fd1d0543aa6ef47783283e7769bf37
MD5 hash: 0088c0508f8aa299bea991f6dd9cc946
humanhash: eight-green-texas-hotel
File name:SecuriteInfo.com.Win32.TrojanX-gen.9705.24847
Download: download sample
Signature Vidar
Create hunting rule
File size:931'172 bytes
First seen:2024-01-29 23:25:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 13cabf02ac946361a6c830226d28bc4e (1 x Vidar, 1 x RiseProStealer)
ssdeep 12288:bN2yjPHFnG2o43Grsv0/4kmOxEgk95cLPtm9Of9cHrQP6JRUf13qKO4fBjfv4iJn:bIAH+xI0/vVGtmtgQARO3qnSfVERo
TLSH T18715F110A501943BF8B704B7CEFFD92D5A196660070560DB67C819BEDFAEAE37A30217
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 0000101001808000 (1 x Vidar)
Reporter SecuriteInfoCom
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
ramnit
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-01-30 00:02:02 UTC
Tags:
hausbomber opendir loader ramnit trojan asyncrat stealer stealc raccoon amadey botnet vidar evasion phorpiex gh0stcringe gh0st remote rat neoreklami kelihos redline miner quasar risepro socks5systemz proxy
Link:
https://app.any.run/tasks/4b10e174-01e2-4229-84ad-218c24ee600b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473513/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.9705.24847.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a file to the %temp% subdirectory
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint hook installer keylogger lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65b8340e096abd9a02737b98/reports/d172ef25-d24f-4583-9dd3-4bd131f4bd5a/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/f6a6a6302de70532c15f94eaa972167b0a2e1f72a16885d81a35af4d1c6ce705
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4559604-b9d0-4c65-87c5-34f01c23e1a0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383042
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1383042 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 30/01/2024 Architecture: WINDOWS Score: 100 38 zrKFkcOxPLs.zrKFkcOxPLs 2->38 40 t.me 2->40 42 Found malware configuration 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected AntiVM3 2->46 48 3 other signatures 2->48 8 SecuriteInfo.com.Win32.TrojanX-gen.9705.24847.exe 11 2->8         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\Detection, PE32 8->32 dropped 56 Contains functionality to register a low level keyboard hook 8->56 12 cmd.exe 1 8->12         started        15 conhost.exe 8->15         started        signatures6 process7 signatures8 58 Uses ping.exe to sleep 12->58 60 Drops PE files with a suspicious file extension 12->60 62 Uses ping.exe to check the status of other devices and networks 12->62 17 Alcohol.pif 28 12->17         started        22 cmd.exe 2 12->22         started        24 cmd.exe 2 12->24         started        26 7 other processes 12->26 process9 dnsIp10 34 t.me 149.154.167.99, 443, 49714 TELEGRAMRU United Kingdom 17->34 36 116.202.4.242, 2271, 49715, 49717 HETZNER-ASDE Germany 17->36 28 C:\Users\user\AppData\Local\...\sqlx[1].dll, PE32 17->28 dropped 50 Found API chain indicative of sandbox detection 17->50 52 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->52 54 Tries to harvest and steal browser information (history, passwords, etc) 17->54 30 C:\Users\user\AppData\Local\...\Alcohol.pif, PE32 22->30 dropped file11 signatures12
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f6a6a6302de70532c15f94eaa972167b0a2e1f72a16885d81a35af4d1c6ce705
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6a6a6302de70532c15f94eaa972167b0a2e1f72a16885d81a35af4d1c6ce705/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-29 23:26:06 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=62tkmmbn44ctfqk7stvks4qwpmfc4h3sufuilwa2gwxu2hdm44cq._file
Verdict:
unknown
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:d9740d99d75726b6a8bfe28260c25be7 stealer
Link:
https://tria.ge/reports/240129-3ettpsedhm/
Behaviour
Enumerates processes with tasklist
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://t.me/tvrugrats
https://steamcommunity.com/profiles/76561199627279110
Unpacked files
SH256 hash:
6ff96caa59d201c0220f26ad4975e74d33609f40e3ab92c20319d61378dc58a6
MD5 hash:
20f604254ac33371c95d4bcbefa105ca
SHA1 hash:
53f75aceae6a0af73830a1095a73353eb2a2cd18
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/9ffd5ae3-5c11-4ae6-8e94-507875f76dc2/
SH256 hash:
f6a6a6302de70532c15f94eaa972167b0a2e1f72a16885d81a35af4d1c6ce705
MD5 hash:
0088c0508f8aa299bea991f6dd9cc946
SHA1 hash:
56b5495aa6fd1d0543aa6ef47783283e7769bf37
Link:
https://www.unpac.me/results/9ffd5ae3-5c11-4ae6-8e94-507875f76dc2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f6a6a6302de7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6a6a6302de70532c15f94eaa972167b0a2e1f72a16885d81a35af4d1c6ce705

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe f6a6a6302de70532c15f94eaa972167b0a2e1f72a16885d81a35af4d1c6ce705

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2753211/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/473513/

Comments