MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c82c872b3a66cb680b2244ec6a8f8ff9c5dc4d49b67ec4e83994bad9deab5c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c82c872b3a66cb680b2244ec6a8f8ff9c5dc4d49b67ec4e83994bad9deab5c2
SHA3-384 hash: ab9fbca78ed82f233b93ee8f43dfad33e4f8340793ae1650b579112a8a07d656a5f39d05e0748c046766acd358e7f442
SHA1 hash: 7840e6d54a793406bd30094a5079aaefca3912c1
MD5 hash: 72a8f0efa1ecb4725a9b2f52eda87a07
humanhash: xray-delaware-mobile-yankee
File name:RivalMods.msi
Download: download sample
Signature Vidar
Create hunting rule
File size:40'960 bytes
First seen:2026-02-01 20:17:18 UTC
Last seen:2026-02-01 21:23:01 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 384:ni7Xl1nGlJ9/Jyy3M5sChx5Pyy3M5sC0qoXgnfiZtOfkoz6uViseGLoLJsZXoyh/:+jGHyWMmCZyWMmC/xsozdosSaXLOT
TLSH T17203B73EBA14FEA0C35E32B0861F3B9503585D12EF760A28B5C6765D1E32640DB7B6D8
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter TheRadarGuy
Tags:msi vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
47
Origin country :
CA CA
Vendor Threat Intelligence
Gathering data
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51128/
Detection(s):
MiscreantPunch.EvilMacro.PowerShellEnc.1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697fb2e7848d0f834c8c849b
Tags:
trojan macro spawn
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
CAB installer installer
Link:
https://www.filescan.io/uploads/697fb4d2930564ff3c822126/reports/b5212696-9d00-4f5f-8046-041bd65a443a/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/0c82c872b3a66cb680b2244ec6a8f8ff9c5dc4d49b67ec4e83994bad9deab5c2
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/0c82c872b3a66cb680b2244ec6a8f8ff9c5dc4d49b67ec4e83994bad9deab5c2
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Verdict:
Malicious
File Type:
msi
First seen:
2026-01-31T14:28:00Z UTC
Last seen:
2026-02-02T07:04:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.OLE2.Agent.gen Trojan.Win32.PowerShell.d BSS:Trojan.Win32.Generic Trojan.OLE2.Agent.sb
Link:
https://opentip.kaspersky.com/0c82c872b3a66cb680b2244ec6a8f8ff9c5dc4d49b67ec4e83994bad9deab5c2/results?tab=lookup
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Office Document
Link:
https://app.malva.re/file/72a8f0efa1ecb4725a9b2f52eda87a07
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c82c872b3a66cb680b2244ec6a8f8ff9c5dc4d49b67ec4e83994bad9deab5c2/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/0c82c872b3a66cb680b2244ec6a8f8ff9c5dc4d49b67ec4e83994bad9deab5c2
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bsbmq4vtuzwlnafserhmnkhy76of3rgutnt6ytudtff23hpkwxba._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:remcos family:vidar botnet:27 discovery execution loader persistence privilege_escalation ransomware rat stealer
Link:
https://tria.ge/reports/260201-y2vbjaez8g/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects HijackLoader (aka IDAT Loader)
Detects Vidar Stealer
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Remcos
Remcos family
Vidar
Vidar family
Malware Config
C2 Extraction:
81.17.24.58:3812
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0c82c872b3a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c82c872b3a66cb680b2244ec6a8f8ff9c5dc4d49b67ec4e83994bad9deab5c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Vidar

Microsoft Software Installer (MSI) msi 0c82c872b3a66cb680b2244ec6a8f8ff9c5dc4d49b67ec4e83994bad9deab5c2

(this sample)

Vidar

Executable exe 9ee477d4bb72c410d83d7d8fa755c5eab5b0988736ba3bb68524c4dbb5427f6c

Vidar

zip ef3099ae05e0ebce1cdd735253e56791e55e69348dc90f980a7a926f2e9bcf26

Cape
Cape
https://www.capesandbox.com/analysis/51128/
  
Dropping
SHA256 ef3099ae05e0ebce1cdd735253e56791e55e69348dc90f980a7a926f2e9bcf26
  
Dropping
MD5 fac6fb0ffb098f0612c37f8cb5a6755d

Comments