MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a6f93275e034d3b2783e52a4c6a1346e2e0cfdc65fa5dc1d01e5b1a89748c9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a6f93275e034d3b2783e52a4c6a1346e2e0cfdc65fa5dc1d01e5b1a89748c9e
SHA3-384 hash: 2b5c10b3e925a5262600ccc16c88bc60a399b3ae916d0f971c471492a2e37b3d2245b86bcdbdf9e76ac3b138eae33342
SHA1 hash: 242ad170effa1d4573199f369da4d046a3a0065a
MD5 hash: cabd619cc67656cc074ea426b8c1099d
humanhash: wyoming-blue-batman-hydrogen
File name:SecuriteInfo.com.Win64.MalwareX-gen.24876.19753
Download: download sample
Signature Vidar
Create hunting rule
File size:970'280 bytes
First seen:2025-06-18 09:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 560b325af86221ca0e2edab33d472094 (6 x LummaStealer, 3 x Vidar, 2 x Stealc)
ssdeep 12288:wYqCVwv5B33t+SEH4g/dGfHqZULN4lCSeSr5eWSuZLUNElCr5eWSuZLUNElDEO:wYqj5J3u4giqwaI0opI0oyt
TLSH T17E25E069A26163FAED6B40B884526251B932B86687346FFF43D0D6332F137C15E7E324
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
492
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
250618-fxwdxsxxez.bin
Verdict:
Malicious activity
Analysis date:
2025-06-18 09:14:18 UTC
Tags:
amadey botnet stealer loader unlocker-eject tool rdp arch-exec auto-reg lumma evasion telegram auto vidar stealc smokeloader gcleaner
Link:
https://app.any.run/tasks/ff377fb6-5448-4926-bdbd-7dce189da7a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10001/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685286d892749758d028bfcb
Tags:
injection virus agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0a6f93275e034d3b2783e52a4c6a1346e2e0cfdc65fa5dc1d01e5b1a89748c9e
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1dc3c6dd-3d25-48d9-85d9-27d6fbc336af
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1717305
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Contains functionality to detect sleep reduction / modifications
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717305 Sample: SecuriteInfo.com.Win64.Malw... Startdate: 18/06/2025 Architecture: WINDOWS Score: 100 89 9.20.storysaverr.app 2->89 91 t.me 2->91 93 6 other IPs or domains 2->93 121 Suricata IDS alerts for network traffic 2->121 123 Found malware configuration 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 10 other signatures 2->127 10 SecuriteInfo.com.Win64.MalwareX-gen.24876.19753.exe 1 2->10         started        13 msedge.exe 2->13         started        16 svchost.exe 2->16         started        signatures3 process4 dnsIp5 137 Writes to foreign memory regions 10->137 139 Allocates memory in foreign processes 10->139 141 Injects a PE file into a foreign processes 10->141 18 MSBuild.exe 45 10->18         started        22 conhost.exe 10->22         started        113 192.168.2.5, 138, 443, 49675 unknown unknown 13->113 115 239.255.255.250 unknown Reserved 13->115 24 msedge.exe 13->24         started        27 msedge.exe 13->27         started        29 msedge.exe 13->29         started        31 msedge.exe 13->31         started        signatures6 process7 dnsIp8 95 9.20.storysaverr.app 78.47.23.141, 443, 49691, 49692 HETZNER-ASDE Germany 18->95 97 t.me 149.154.167.99, 443, 49690 TELEGRAMRU United Kingdom 18->97 99 127.0.0.1 unknown unknown 18->99 129 Attempt to bypass Chrome Application-Bound Encryption 18->129 131 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->131 133 Found many strings related to Crypto-Wallets (likely being stolen) 18->133 135 7 other signatures 18->135 33 powershell.exe 22 18->33         started        37 msedge.exe 18->37         started        39 powershell.exe 18->39         started        41 26 other processes 18->41 101 104.40.82.182, 443, 49762, 49775 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->101 103 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49735, 49766 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->103 105 34 other IPs or domains 24->105 77 C:\Users\user\AppData\Local\...\Cookies, SQLite 24->77 dropped file9 signatures10 process11 file12 73 C:\Users\user\AppData\...\ymgdmku5.cmdline, Unicode 33->73 dropped 117 Compiles code for process injection (via .Net compiler) 33->117 43 csc.exe 3 33->43         started        46 conhost.exe 33->46         started        119 Monitors registry run keys for changes 37->119 48 msedge.exe 37->48         started        75 C:\Users\user\AppData\Local\...\4bhtzpzv.0.cs, Unicode 39->75 dropped 50 csc.exe 39->50         started        52 conhost.exe 39->52         started        54 chrome.exe 41->54         started        57 csc.exe 41->57         started        59 csc.exe 41->59         started        61 14 other processes 41->61 signatures13 process14 dnsIp15 79 C:\Users\user\AppData\Local\...\ymgdmku5.dll, PE32 43->79 dropped 63 cvtres.exe 43->63         started        81 C:\Users\user\AppData\Local\...\4bhtzpzv.dll, PE32 50->81 dropped 65 cvtres.exe 50->65         started        107 plus.l.google.com 142.250.65.206, 443, 49713 GOOGLEUS United States 54->107 109 ogads-pa.clients6.google.com 142.250.80.106, 443, 49712, 49715 GOOGLEUS United States 54->109 111 3 other IPs or domains 54->111 83 C:\Users\user\AppData\Local\...\pcdp3h3n.dll, PE32 57->83 dropped 67 cvtres.exe 57->67         started        85 C:\Users\user\AppData\Local\...\mgspzov2.dll, PE32 59->85 dropped 69 cvtres.exe 59->69         started        87 C:\Users\user\AppData\Local\...\cwsfidzd.dll, PE32 61->87 dropped 71 cvtres.exe 61->71         started        file16 process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0a6f93275e034d3b2783e52a4c6a1346e2e0cfdc65fa5dc1d01e5b1a89748c9e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a6f93275e034d3b2783e52a4c6a1346e2e0cfdc65fa5dc1d01e5b1a89748c9e/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/0a6f93275e034d3b2783e52a4c6a1346e2e0cfdc65fa5dc1d01e5b1a89748c9e
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-06-18 09:01:04 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bjxzgj26angtwj4d4uvey2qti3robt64mx5f3qoqdznrvclurspa._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:134a99af84d89e52fd8ed41f0b105a0b defense_evasion discovery stealer
Link:
https://tria.ge/reports/250618-le4v8syyew/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Obfuscated Files or Information: Command Obfuscation
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/wm33in
https://steamcommunity.com/profiles/76561199867001399
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/00f029ec-4e3f-48a8-ad34-8e581e9ef977
Unpacked files
SH256 hash:
0a6f93275e034d3b2783e52a4c6a1346e2e0cfdc65fa5dc1d01e5b1a89748c9e
MD5 hash:
cabd619cc67656cc074ea426b8c1099d
SHA1 hash:
242ad170effa1d4573199f369da4d046a3a0065a
Link:
https://www.unpac.me/results/6ba12eaa-c3f1-43d0-8876-0b5732861de1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a6f93275e034d3b2783e52a4c6a1346e2e0cfdc65fa5dc1d01e5b1a89748c9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 0a6f93275e034d3b2783e52a4c6a1346e2e0cfdc65fa5dc1d01e5b1a89748c9e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/10001/
  
URLhaus
https://urlhaus.abuse.ch/url/3567797/
  
Delivery method
Distributed via web download

Comments