MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2
SHA3-384 hash: d584ef2804cac7523d1ec638a47cb254e6a1420345efb535f0e8ae7a7d9508180c4089c3ea2c89b48d0f45e37fc7686d
SHA1 hash: 97d31d2f10040ab57c0d05b6bb37330e193b85a7
MD5 hash: 7109771c9fc693cb0cb5e6e9a3b07a08
humanhash: angel-football-four-carpet
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:2'382'848 bytes
First seen:2025-09-24 04:07:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:yQETWPSeG/QRwTPON9KS6HpKMM37TX7WQ/rG9djIFlyaQ:oqQ/ywLzxNM37TrWg44lya
TLSH T14AB533ADFE622ED3CDACD8B66C8916080B783512C74766EF2D01C57A0AF5F74297B085
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe vidar


Avatar
Bitsight
url: http://178.16.54.200/vidar/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-09-24 04:24:26 UTC
Tags:
stealc stealer vidar
Link:
https://app.any.run/tasks/e0337d1f-5e9f-4d5d-a729-1545b5190a4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28731/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d53cfecc9425144151cbdf
Tags:
virus spawn sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68d36ea3c24f53840f2fe03b/reports/ba473dba-fdc8-41f5-a1ef-2a72dd1d722d/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-24T01:55:00Z UTC
Last seen:
2025-09-24T01:55:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Vidar.sb Trojan-PSW.Win32.Stealerc.sb HEUR:Trojan.Win64.Agent.gen Trojan-PSW.Win32.Stealerc.rnk Trojan-PSW.Stealerc.TCP.C&C Trojan-PSW.Stealerc.HTTP.C&C
Link:
https://opentip.kaspersky.com/0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/02d9b310-155f-475b-a5db-aa30be8eda34
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/7109771c9fc693cb0cb5e6e9a3b07a08
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-24 04:08:29 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ayakdcmh6gbn73nk77xtwuu353uezgdpmodrxycxkni2d3e7m7ba._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/250924-ep9e5s1xdw/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Checks BIOS information in registry
Reads user/profile data of web browsers
Uses browser remote debugging
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0bf25e9e-5d35-4d71-bd8a-720e9ae49520
Unpacked files
SH256 hash:
0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2
MD5 hash:
7109771c9fc693cb0cb5e6e9a3b07a08
SHA1 hash:
97d31d2f10040ab57c0d05b6bb37330e193b85a7
Link:
https://www.unpac.me/results/0cb690a3-6ad7-4d68-a3a6-0e17a9ddc7f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 0600a18987f182dfedaaffef3b529beee84c986f63871be0575351a1ec9f67c2

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/28731/
  
URLhaus
https://urlhaus.abuse.ch/url/3629695/

Comments