MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb46f514e4855f599b2ec64c446379333f40be5d2181a7397acd67223bd1bc4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	fb46f514e4855f599b2ec64c446379333f40be5d2181a7397acd67223bd1bc4d
SHA3-384 hash:	7d2968741e23b44b7036377afc5e2d4e2d2f4a3069da0d86b68d7966969d7adecf2cf6a721e98a21a65ed2b9b1c0a122
SHA1 hash:	e407a9f8667c79c51657bcb06b14d079a40cfbc8
MD5 hash:	14771ea3ee101e3f63af272f23696ebb
humanhash:	eight-gee-ohio-utah
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	1'178'848 bytes
First seen:	2023-10-27 01:37:58 UTC
Last seen:	2023-10-27 21:41:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	71cf2569222413220257b218ceff6838 (2 x Smoke Loader, 2 x Vidar)
ssdeep	24576:tpmgXV3hrOtexdgk/KSgbH6RmtNzeu8PndVhVTOF/KIdSUD94M:Lmc5hrOtevYjbH60tNAPd30/KId79d
Threatray	13 similar samples on MalwareBazaar
TLSH	T1304533AE2E8D7208CF5A7B30CB7B017444A11F85C2E0CB57A75DDAC79D0321D6A76E4A
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe signed vidar

Code Signing Certificate

Organisation:	Microsoft Code Signing PCA 2011
Issuer:	Microsoft Code Signing PCA 2011
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-10-27T01:19:44Z
Valid to:	2024-10-27T01:19:44Z
Serial number:	617fdaa9b309c737c4d50170c4c8d30f
Thumbprint Algorithm:	SHA256
Thumbprint:	c582195203b8a4b977cce0b2e9c25d2aa665c6e181fdf5c62407854fc7c12f5f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://171.22.28.221/files/Ads.exe

Intelligence

File Origin

# of uploads :

# of downloads :

406

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://foodremit.com/wp-download/server/File.7z

Verdict:

Malicious activity

Analysis date:

2023-10-27 13:20:33 UTC

Tags:

sinkhole privateloader evasion opendir loader risepro stealer redline stealc ransomware stop smoke arkei vidar rat backdoor dcrat remote miner teamspy

Link:

https://app.any.run/tasks/405aa20d-2e83-4a88-b577-04b002e0b44d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/456642/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.23742.9910.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Connecting to a non-recommended domain

Sending an HTTP GET request

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% subdirectories

Creating a window

Searching for synchronization primitives

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Using the Windows Management Instrumentation requests

Creating a service

Running batch commands

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun for a service

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Enabling autorun by creating a file

Adding an exclusion to Microsoft Defender

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug hacktool overlay packed packed packed upx

Link:

https://www.filescan.io/uploads/653b147a34de31f579cbe168/reports/7235b4af-4c47-4f8d-966e-ca768f9b037f/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/fb46f514e4855f599b2ec64c446379333f40be5d2181a7397acd67223bd1bc4d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/17f97b9d-56b6-4422-9174-2208ce5ddba3

Score:

83%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fb46f514e4855f599b2ec64c446379333f40be5d2181a7397acd67223bd1bc4d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fb46f514e4855f599b2ec64c446379333f40be5d2181a7397acd67223bd1bc4d/

Threat name:

Win64.Trojan.Znyonm

Status:

Malicious

First seen:

2023-10-27 01:38:06 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 23 (60.87%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ndpkfheqvpvtgzoyzgeiy3zgm7ubps5ega2ool2zvtseo6rxrgq._file

Verdict:

unknown

Vidar

206004034a63418c586b4ef2795a92fdca32ecc001df9d58fcab4fd984eca3d0

Vidar

3d04a3dba672f406e3d4767cda713716bb926acc0a6298ad1bd1d7908ac5c634

Vidar

4520e200bd01f6ffd786172f0b6d482510e8367055cf7082ab455b61554a0e32

Vidar

5a5a5ebdbcaac1a77e3b8aa6f439b37080c17076934930121601bb4e78b6dc8a

Vidar

71e7386e8129da10222a7af399561b240b0d9ae7507f87d9ee6d57b2dda57ef9

Vidar

71e9af5f139c8743a53390345e7f19199b17892955f0d4607340d7b651ac869d

Vidar

cdd242949c27e36165097665a7c381247579401853b06e88d2e430b55e115105

Vidar

fc05a007f7b6a6e4a69f15f1a31822957f3aae14a81e01e7c6eb9ceac0835a3b

Vidar

+ 3 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:dcrat family:glupteba family:smokeloader family:vidar botnet:ecfea5e785cf6eb1f47a5865492bbbb3 botnet:pub1 backdoor discovery dropper evasion infostealer loader rat spyware stealer trojan upx

Link:

https://tria.ge/reports/231027-b2dmfsah8y/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Drops file in Program Files directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks installed software on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

DcRat

Glupteba

Glupteba payload

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199564671869
https://t.me/scubytale
http://host-file-host6.com/
http://host-host-file8.com/

Unpacked files

SH256 hash:

c0d16c86f013f79beeb18c4d6b8054f8abf45fcb85a009a7760b83dc3bac12af

MD5 hash:

da209ebbb1e73dee6fbe33e9cdb27e19

SHA1 hash:

319a543126250c9140d939a928d13f2a96b3a3c9

Link:

https://www.unpac.me/results/88582e5b-db06-4601-b7fe-7d26be6694bc/

SH256 hash:

fb46f514e4855f599b2ec64c446379333f40be5d2181a7397acd67223bd1bc4d

MD5 hash:

14771ea3ee101e3f63af272f23696ebb

SHA1 hash:

e407a9f8667c79c51657bcb06b14d079a40cfbc8

Link:

https://www.unpac.me/results/88582e5b-db06-4601-b7fe-7d26be6694bc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fb46f514e485/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2721934/

Cape

https://www.capesandbox.com/analysis/456642/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample