MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash:	178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3
SHA3-384 hash:	3419613c8072058024eff6a115cfbc0f092fe6cd0b465554a707db4bb4a9414aa61eb0f999a2ec4b4c9cb25285515440
SHA1 hash:	2f8c0da771403a8b29e95df2bca0ffd3a13df7d6
MD5 hash:	cfe8d6c0a4b9cd64f141dd5af8ff1584
humanhash:	october-speaker-hydrogen-april
File name:	file
Download:	download sample
File size:	615'424 bytes
First seen:	2026-02-23 21:25:14 UTC
Last seen:	2026-02-23 22:22:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	98c5d67ac4c90a190f6080082db855fb
ssdeep	12288:vvZ9H0I0Lqf0h0ewjUKlg8SIt14y0qSXWdH3ROr:vvbH0IlJXgBIt14y0qNdH34r
TLSH	T1CED42BBD9C60E362F60DD0BAE286E7535F6178010236AA9309BED72412058739F577FE
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543

Bitsight

url: http://130.12.180.43/files/7290860719/f1FlzK6.exe

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Stellar Vidar

Details

Vidar

c2 urls, useragents, c2 handshake magic parameters, a version, and a missionid

Link:

https://research.acce.ciphertechsolutions.com/results/234e6438-bbd8-41b6-a64c-4c94585a2287/

Malware family:

vidar

ID:

File name:

_178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3.exe

Verdict:

Malicious activity

Analysis date:

2026-02-23 21:27:00 UTC

Tags:

stealer stealc vidar xor-url generic

Link:

https://app.any.run/tasks/578f0b4a-b9dc-4eb4-ab27-966e7d6aa412

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/54342/

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699cc5cb8fffa866e3b148b4

Tags:

ransomware obfuscated dropper

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug base64 fingerprint obfuscated

Link:

https://www.filescan.io/uploads/699cc5c597feb4afd654e872/reports/e159d6d4-f553-4730-bb20-712862526e9d/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan-PSW.Win64.Vidar.co

Link:

https://opentip.kaspersky.com/178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/efd2f04f-313b-407a-ad6d-feb277a8a25b

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3

Threat name:

Win64.Infostealer.Tinba

Status:

Malicious

First seen:

2026-02-23 21:25:46 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 36 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c6hr76glgqwa2zdcxjxx6ypk6zky7fvlljfabf4aze67osbcfxbq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

collection discovery spyware stealer

Link:

https://tria.ge/reports/260223-z9s9wab16f/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Time Discovery

Accesses Microsoft Outlook profiles

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3

MD5 hash:

cfe8d6c0a4b9cd64f141dd5af8ff1584

SHA1 hash:

2f8c0da771403a8b29e95df2bca0ffd3a13df7d6

Link:

https://www.unpac.me/results/c70d840f-1e1a-4807-b81f-96c5d6376db5/

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/178f1ff8cb34/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 178f1ff8cb342c0d6462ba6f7f61eaf6558f96ab5a4a009780c93df748222dc3

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/54342/

URLhaus

https://urlhaus.abuse.ch/url/3784527/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample