MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 142fdb8fd9050a03e994ef33697c847cb64c2e2a1c822b48a32c01e2ac744149. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 17


Intelligence 17 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 142fdb8fd9050a03e994ef33697c847cb64c2e2a1c822b48a32c01e2ac744149
SHA3-384 hash: 88e53e932d24130bde9cd5c3fb1a4f305476d477d14208384008d91a206e1357f4d12a88a70fabe55b90e3875462b69b
SHA1 hash: 396e9ebd9b42f5b7e8b0af38549b11d76c21529f
MD5 hash: 8c27301f9e6afb6097adb5fc88b2e5d2
humanhash: robert-four-alaska-romeo
File name:fixed_Loader.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:8'389'120 bytes
First seen:2026-04-08 15:06:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (99 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep 24576:QW7T+/CIoTMi8e+oxbvWQA8ZqPYynIr/RkrJpxpWKCFB38h3FFc3zP9CMkyWvf9K:PjIU00TATPtnIopyD8pF63b9Chh1pgj
Threatray 553 similar samples on MalwareBazaar
TLSH T142862306E2DD7376E8769B3084FEF1438332B8914B6A269F1295C4ABDF735C40A39716
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon d6de08c8e89a928a (1 x Vidar)
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
Archives AutoIt
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/fdf970d0-028c-4cbf-86d7-9eda91172387/
Malware family:
vidar
Create hunting rule
ID:
1
File name:
https://cutt.ly/AthF1WwA
Verdict:
Malicious activity
Analysis date:
2026-04-07 05:56:56 UTC
Tags:
autoit vidar stealer
Link:
https://app.any.run/tasks/35b55d2a-78c1-410a-a055-8e88106e18ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60832/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d3eefd6a61012f6acf7377
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
DNS request
Launching a process
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit CAB fingerprint installer installer installer-heuristic keylogger lolbin microsoft_visual_cc rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/69d66f315ea31bc68a189924/reports/eb50e6d0-5d26-4da0-83d8-03487e2d43ce/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/142fdb8fd9050a03e994ef33697c847cb64c2e2a1c822b48a32c01e2ac744149
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-04T15:15:00Z UTC
Last seen:
2026-04-10T10:59:00Z UTC
Hits:
~100
Detections:
Backdoor.Win32.Agent.myxeyu Backdoor.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/142fdb8fd9050a03e994ef33697c847cb64c2e2a1c822b48a32c01e2ac744149/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/976fafc1-80ea-4b6f-b823-6a96e50a9e9f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1895374
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1895374 Sample: fixed_Loader.exe Startdate: 08/04/2026 Architecture: WINDOWS Score: 100 48 mdbXaZibanyFLKMbEEjMbC.mdbXaZibanyFLKMbEEjMbC 2->48 74 Suricata IDS alerts for network traffic 2->74 76 Found malware configuration 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 4 other signatures 2->80 10 fixed_Loader.exe 1 4 2->10         started        13 msedge.exe 19 537 2->13         started        16 rundll32.exe 2->16         started        signatures3 process4 dnsIp5 46 C:\Users\user\AppData\Local\...46ested.exe, PE32+ 10->46 dropped 18 Nested.exe 10->18         started        60 192.168.2.9, 138, 443, 49672 unknown unknown 13->60 62 239.255.255.250 unknown Reserved 13->62 21 msedge.exe 13->21         started        24 msedge.exe 13->24         started        26 msedge.exe 13->26         started        file6 process7 dnsIp8 66 Hijacks the control flow in another process 18->66 68 Writes to foreign memory regions 18->68 70 Modifies the context of a thread in another process (thread injection) 18->70 72 2 other signatures 18->72 28 attrib.exe 21 18->28         started        50 13.107.213.69, 443, 49776, 49777 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->50 52 part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49711, 49737 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->52 54 38 other IPs or domains 21->54 signatures9 process10 dnsIp11 58 135.181.233.232, 443, 49693, 49694 HETZNER-ASDE Germany 28->58 82 Tries to harvest and steal browser information (history, passwords, etc) 28->82 84 Tries to detect virtualization through RDTSC time measurements 28->84 86 Queues an APC in another process (thread injection) 28->86 88 3 other signatures 28->88 32 msedge.exe 2 11 28->32         started        35 chrome.exe 2 28->35         started        37 chrome.exe 2 28->37         started        signatures12 process13 signatures14 64 Monitors registry run keys for changes 32->64 39 msedge.exe 32->39         started        41 chrome.exe 35->41         started        44 WerFault.exe 16 37->44         started        process15 dnsIp16 56 www.google.com 41->56
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/142fdb8fd9050a03e994ef33697c847cb64c2e2a1c822b48a32c01e2ac744149
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/142fdb8fd9050a03e994ef33697c847cb64c2e2a1c822b48a32c01e2ac744149/
Verdict:
Malicious
Threat:
Family.VIDAR
Link:
https://tip.neiki.dev/file/142fdb8fd9050a03e994ef33697c847cb64c2e2a1c822b48a32c01e2ac744149
Threat name:
Win64.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2026-04-05 00:51:59 UTC
File Type:
PE+ (Exe)
Extracted files:
43
AV detection:
18 of 36 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqx5xd6zaufah2mu54zws7eeps3eylrkdsbcwsfdfqa6flduifeq._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
0f5e6d6347edaae85d0a523d7950ed4d669f1ba4394b68ddb205286ccfb7b08e
Vidar
1e5f4b3055968c4c7ca140c4ffa06c318472481a1717a9887a62dc2a509859f8
Vidar
2530e6273267a83c2e2d978aa4f915598d9ddf658aea2276d0df056d64c83f7e
Vidar
9597f336130e6e7856244212fdee4a3a1c61026ff2db481f6955b15ebcf395a4
Vidar
9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942
Vidar
error
Vidar
f07a03da99b4539d1f9f83b9a39d3e26474ad0137d0a9e35ad57106331cd0bc5
Vidar
+ 543 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:10526166a7861b9e7b4c557569e1e5f8 collection defense_evasion discovery persistence stealer
Link:
https://tria.ge/reports/260408-shjsssgs9y/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Browser Information Discovery
System Time Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Detects Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://135.181.233.232
https://telegram.me/nwwfh8
https://steamcommunity.com/profiles/76561198719385745
Unpacked files
SH256 hash:
142fdb8fd9050a03e994ef33697c847cb64c2e2a1c822b48a32c01e2ac744149
MD5 hash:
8c27301f9e6afb6097adb5fc88b2e5d2
SHA1 hash:
396e9ebd9b42f5b7e8b0af38549b11d76c21529f
Link:
https://www.unpac.me/results/5817afc3-b2d5-4537-b525-23d9e7fa638f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/142fdb8fd9050a03e994ef33697c847cb64c2e2a1c822b48a32c01e2ac744149

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/60832/

Comments