MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bb2771002bf8240e34e8284048bfc1db8dd7cdade7a7afb4a2cfbe02b1a9749. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash: 1bb2771002bf8240e34e8284048bfc1db8dd7cdade7a7afb4a2cfbe02b1a9749
SHA3-384 hash: 8dd2ae69412d35c1b21f1889440146ae1c3e344fef3a00cc0e798078c7850273b52189ae9f0ebbdf1b6986062f2f4b96
SHA1 hash: c7e17ee452cecac79abb401aa268f37587656a75
MD5 hash: 5caf0a23757aa65e8e491c3ca8dc5084
humanhash: pluto-sierra-undress-montana
File name:1bb2771002bf8240e34e8284048bfc1db8dd7cdade7a7afb4a2cfbe02b1a9749
Download: download sample
Signature Vidar
File size:14'274'083 bytes
First seen:2026-07-07 14:38:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (24 x HijackLoader, 23 x GhostPulse, 14 x ValleyRAT)
ssdeep 196608:+puvVHiHCkPW31+ehVAHCdKJJanu1ccmXjj51mFaEXz5dMQdXVFh6s7LV2TGu:+pAHuJvCsJMwccmzHmlFSAFFh6s7LW
Threatray 75 similar samples on MalwareBazaar
TLSH T14FE63392B3C8E4B9D675CD788F01EF8561F3E3990BC26E9286EA0D0C8D791F516074DA
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.8% (.EXE) Win64 Executable (generic) (6522/11/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c292ecd8f2f6fe1c (23 x GhostPulse, 23 x HijackLoader, 11 x LummaStealer)
Reporter adrian__luca
Tags:exe vidar

Intelligence


File Origin
# of uploads :
1
# of downloads :
31
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
phorpiex
ID:
1
File name:
virusvippro.exe
Verdict:
Malicious activity
Analysis date:
2026-06-14 19:09:07 UTC
Tags:
auto metasploit framework github stealer stealc phorpiex botnet python ipfs phishing massbass purehvnc rat loader generic possible-phishing valley rustystealer tinynuke payload quasar vidar amadey action1rmm purelogs telegram smoke nuitka pastebin havoc tool valleyrat silverfox winos clickfix autoit evasion santastealer guloader datto rmm-tool pythonstealer remus pyinstaller cobaltstrike ransomware action1 njrat screenconnect dattormm remote xworm koiloader wannacry remcos coinminer miner ip-check bruteratel chromelevator donutloader meterpreter cryptowall deerstealer smb whitesnakestealer putty qrcode asyncrat destinystealer stealerium cryptolocker websocket networm amus scan smbscan salatstealer redline ghostsocks proxyware lumma bladabindi banker grandoreiro emotet formbook arch-scr neshta discord dcrat exfiltration openssl teamviewer eicar-test susp-powershell noescape wiper dharma troldesh shade azorult hijackloader stealeriumstealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Replacing files
Сreating synchronization primitives
Connection attempt
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer installer installer-heuristic microsoft_visual_cc overlay packed reconnaissance rugmi
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-14T07:14:00Z UTC
Last seen:
2026-07-09T03:14:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Strab.sb Trojan-PSW.Stealerc.TCP.C&C Trojan.Win32.Penguish.hpm HEUR:Trojan.Win64.DLLhijack.gen Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb Trojan-PSW.Stealerc.HTTP.C&C Trojan.Win32.Zenpak.sb
Gathering data
Threat name:
Win32.Trojan.DllHijack
Status:
Suspicious
First seen:
2026-06-14 12:45:49 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:hijackloader family:vidar botnet:b5bdf9644488e9d02429ab5406c6d433 credential_access discovery loader spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detects HijackLoader (aka IDAT Loader)
Family: HijackLoader, IDAT loader, Ghostulse,
Family: Vidar
Malware Config
C2 Extraction:
https://95.217.245.14
https://telegram.me/turb00m
https://steamcommunity.com/profiles/76561198689449626
Unpacked files
SH256 hash:
1bb2771002bf8240e34e8284048bfc1db8dd7cdade7a7afb4a2cfbe02b1a9749
MD5 hash:
5caf0a23757aa65e8e491c3ca8dc5084
SHA1 hash:
c7e17ee452cecac79abb401aa268f37587656a75
SH256 hash:
0f4ec73cf4f64d4b89f3c87a127bc7c46c052a4226f9876a3a75015b716d9228
MD5 hash:
c4a25dce665733663284750666684703
SHA1 hash:
368f3c3497c1b0121409216282803bcf1b64f35f
SH256 hash:
2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01
MD5 hash:
1fb93933fd087215a3c7b0800e6bb703
SHA1 hash:
a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb
SH256 hash:
3245b97f939bbfb0d6ad0732c48097a45b3b7a7f1081eba41562c08ff33130cd
MD5 hash:
a3bd87494bc7174bff35998c4f418afe
SHA1 hash:
0ed2b03bc45135af2367be0dc2d95073752c0da5
SH256 hash:
508f772bde00e8cee5e5d185b3e44003982843d283e8448e3a4b6b29b4ff28a8
MD5 hash:
f7a79aaa6a0075311756a488e49d12e0
SHA1 hash:
7608655af255b78f05b012497297e974044736f6
SH256 hash:
5ffbf8fd312922fc7aab26654f0da5d41cde2734c5321f8f4bcfd596c2660825
MD5 hash:
d52831bba5f65db7a1dd310c65c63ca1
SHA1 hash:
32ea3c1ec75c919ea587ae69d172345bb78b3aa0
SH256 hash:
63c05cfdd2ee44057e619d1a9acead538e867cbee55873529d01686d1ec678a6
MD5 hash:
b2d36d9e7aeb6fe317deaaf7cc4a34ed
SHA1 hash:
7eb1cdcf9a59a348064c2f41eedfd73bc00e7724
SH256 hash:
674e9e8f298c568798e965a9078f79578b07ef71d02a733231257a435f73b36d
MD5 hash:
cec0a6577e3f784bf44a7a13f88bbbe5
SHA1 hash:
138974a9f5e4b2d5dd18c7d135dbd884d99341d6
SH256 hash:
716a11cdc1b12827ee18027caa947f813cb3550412b5dcaae427be3bbcc0221f
MD5 hash:
8dfb8feccc75f737363de85f66e753a6
SHA1 hash:
7265f3dc35904256e1f33f8cc3bab085e7bb4eb2
SH256 hash:
9276e394bc5fa9a08b5fc84305d32544ff9f0421d0870c6d76c63a82f1955559
MD5 hash:
7762c51ea02eb943183d597ea0ee5530
SHA1 hash:
0b8c307eba01d0679a2669210862d0afa888c40f
SH256 hash:
9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c
MD5 hash:
1b171f9a428c44acf85f89989007c328
SHA1 hash:
6f25a874d6cbf8158cb7c491dcedaa81ceaebbae
SH256 hash:
c73b6080ff81a42336be2baa3a159f746a054032615f53d0e1ff56d57c357b14
MD5 hash:
b722737394c97244372da91139e35e9e
SHA1 hash:
6700459d4a22469c72e22a302fad21549050f859
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 1bb2771002bf8240e34e8284048bfc1db8dd7cdade7a7afb4a2cfbe02b1a9749

(this sample)

  
Delivery method
Distributed via web download

Comments