MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dcc974c30e93b78cd6540075b70a0b8f78d7fa6fd61e99315a47dad0ab73614. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Vidar
Vendor detections: 17



SHA256 hash: 1dcc974c30e93b78cd6540075b70a0b8f78d7fa6fd61e99315a47dad0ab73614
SHA3-384 hash: 5807b0943fa96e2a731508a23e3ecc8a16530d3e7d225b75a9067fa377746eddbf15bfe0396844858b8293feb33986a4
SHA1 hash: 807f54031fa67cfc9f40cebf9988585b5dcc7ddb
MD5 hash: 611fd80c1c2fcb135f35c201b21a3bf8
humanhash: mockingbird-tennis-finch-zebra
File name: CheatsKingdom.exe
Signature: Vidar
File size: 13'345'016 bytes
First seen: 2025-05-21 13:41:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 196608:LfvdBWURGEL2GbFYnIT5/pBF/97ns69kkgjg4kdqfGCUeZgQn2Q:ZR7L22qnI1hb/GhkdqfOeZgQ2Q
Threatray: 3'420 similar samples on MalwareBazaar
TLSH: T1F7D6335096CC9592D6AC48BFC4E16BC6472DFF162D4BC21F3088B3DA1D36F968642E4B
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: e4aa4d8c8cccb0e0 (1 x Vidar)
Reporter: burger
Tags: exe vidar

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 618
Origin country: DE
Vendor Threat Intelligence
Malware family:
ID: 1
File name: CheatsKingdom.exe
Verdict: Malicious activity
Analysis date: 2025-05-21 13:40:41 UTC
Tags: telegram stealer vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.1%
Tags: packed spawn virus
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 obfuscated overlay packed packer_detected smartassembly smart_assembly
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Injects a PE file into foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Powershell decode and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1695962 (sample: CheatsKingdom.exe, start date: 21/05/2025, architecture: WINDOWS, score: 100)
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-05-21 13:40:18 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:b053aeb76305ae9b88c0a2ced734db8e credential_access defense_evasion discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Obfuscated Files or Information: Command Obfuscation
Unsecured Credentials: Credentials In Files
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/eom25h
https://steamcommunity.com/profiles/76561199855598339
Unpacked files

SHA256 hash: 1dcc974c30e93b78cd6540075b70a0b8f78d7fa6fd61e99315a47dad0ab73614
MD5 hash: 611fd80c1c2fcb135f35c201b21a3bf8
SHA1 hash: 807f54031fa67cfc9f40cebf9988585b5dcc7ddb

SHA256 hash: c34c74bfb7a96370bb21b082ac4696089262b3552a9c0f5d82c0779919294aa1
MD5 hash: 14c0b326b02a38e85d18e8468f9920f1
SHA1 hash: 742aebaf4b80495ccc5eeb41534f9fd5584571f0

SHA256 hash: 1cac06506b0235e569d2efb3012cd1c9353a03dfcb365489bc7038e8961cd4e0
MD5 hash: 3f8f0290ac6625fabf932ed177f9ed98
SHA1 hash: 9fdd47f9dbff681f1d74c10e0e99a8d1229d3d3b
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 5a3df52ab531cab83782b0ddc3668e95cf78c6fcfaa8733180f74cdf9521754b
MD5 hash: 49e646bbd4a0e594afba9b1c2df228ba
SHA1 hash: c1d0271a35d38d572be23582e5869b9cfd4069a8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: has_telegram_urls
Author: Aaron DeVera <aaron@backchannel.re>
Description: Detects Telegram URLs

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: Vidar_unpacked_PulseIntel
Author: PulseIntel
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                             Severity
CHECK_AUTHENTICODE         Missing Authenticode                              high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)   high
