MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 17


Intelligence 17 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e
SHA3-384 hash: 240e7474721358b29f368838188e8e4f04e02934117f1e0dc858b4683f6e66c2b96cd20f8314b265e2d4e38b97fda129
SHA1 hash: 1e842fc334ccd5bb40c0fa42dd7757cfc0edcb37
MD5 hash: fc3f37a9681df1eb1a82da8e93eaaa0b
humanhash: wyoming-hot-failed-mountain
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:184'832 bytes
First seen:2025-12-19 05:02:56 UTC
Last seen:2025-12-22 19:24:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 31e06ec6723bcc3b75c69a4521e4b8f5 (53 x Vidar)
ssdeep 3072:reQ5lhR5c/AzSv6e8SvbnZ+bdMqqU+krtHdlGutts9JnjZS4sRn17K4XyiiH4u0p:N5lKA6bZ+X9lG5fntSHRn1yiiXNsh2zG
TLSH T15304128A9AD7A489C5552EBE7490B846D7C5D308F320C335BF2F82E236AD544DB173A8
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 UPX vidar


Avatar
Bitsight
url: http://178.16.55.189/files/1103877553/3rVjDhx.exe
File size (compressed) :184'832 bytes
File size (de-compressed) :462'848 bytes
Format:win64/pe
Unpacked file: a223410536fd8cb0ef4412853a5c3410a5a5a413daf42d0add1c37a2a7e32189

Intelligence

File Origin
# of uploads :
14
# of downloads :
119
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/181ca49a-8985-45bb-913f-2374c0b20404/
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-12-19 05:03:47 UTC
Tags:
stealer stealc vidar xor-url generic upx
Link:
https://app.any.run/tasks/884dd6ed-f85a-431d-aec8-3693ab7eeb49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45479/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.86789797.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6944dc9a4d2b81828c3b99a4
Tags:
ransomware obfuscated emotet remo
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypter crypto fingerprint hacktool infostealer obfuscated packed packed packed upx vidar
Link:
https://www.filescan.io/uploads/6944dc98e126b9ff43882843/reports/6f08bfa9-ccc9-449a-a8f8-330acb5608b9/overview
Verdict:
Malicious
Labled as:
HVM:TrojanDownloader/Lotok.ds
Link:
https://www.hybrid-analysis.com/sample/0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-19T02:14:00Z UTC
Last seen:
2025-12-20T12:48:00Z UTC
Hits:
~100
Detections:
VHO:Trojan-PSW.Win32.Convagent.gen UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a21b0655-43ea-4fa9-8370-b8f48cf4eec6
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/fc3f37a9681df1eb1a82da8e93eaaa0b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e
Threat name:
Win64.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2025-12-19 05:03:21 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=boyo6ae2tvrmx6nlf2erhynl6im3vse7u3o7unglfaphbvv57sha._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar defense_evasion discovery spyware stealer trojan upx
Link:
https://tria.ge/reports/251223-p7y28szkgz/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Windows directory
UPX packed file
Checks installed software on the system
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Detects Vidar Stealer
Vidar
Vidar family
Verdict:
Malicious
Tags:
Stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/c3d931c8-ac85-4702-87cf-e0eebcd02d7c
Unpacked files
SH256 hash:
0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e
MD5 hash:
fc3f37a9681df1eb1a82da8e93eaaa0b
SHA1 hash:
1e842fc334ccd5bb40c0fa42dd7757cfc0edcb37
Link:
https://www.unpac.me/results/7b6121d5-4157-428d-892d-c0a59ae11fbe/
SH256 hash:
a223410536fd8cb0ef4412853a5c3410a5a5a413daf42d0add1c37a2a7e32189
MD5 hash:
055c20fe5638b3579d8708e4b35f1fd9
SHA1 hash:
3727c41dd0c37ddc6dcd81b1502749e873424861
Detections:
win_bazarbackdoor_auto
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
SUSP_XORed_Mozilla
Create hunting rule
Link:
https://www.unpac.me/results/7b6121d5-4157-428d-892d-c0a59ae11fbe/
Parent samples :
0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e
a223410536fd8cb0ef4412853a5c3410a5a5a413daf42d0add1c37a2a7e32189
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0bb0ef009a9d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:win_bazarbackdoor_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.bazarbackdoor.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 0bb0ef009a9d62cbf9ab2e8913e1abf219bac89fa6ddfa34cb281e70d6bdfc8e

(this sample)

Vidar

Executable exe a223410536fd8cb0ef4412853a5c3410a5a5a413daf42d0add1c37a2a7e32189

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3736848/
Cape
Cape
https://www.capesandbox.com/analysis/45479/
  
Dropping
SHA256 a223410536fd8cb0ef4412853a5c3410a5a5a413daf42d0add1c37a2a7e32189
  
Dropping
MD5 055c20fe5638b3579d8708e4b35f1fd9

Comments