MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2
SHA3-384 hash: bac1f0bfbb149d2c7c1feb4a76047b0545b453821c4a8d787999050486ad9392881b3f903d4499f58a8d7912814ac0c5
SHA1 hash: a7536c541bbcf03b3327abf447052bf7e2c6e9fd
MD5 hash: f9131edf95a0ec263a8a4d7e6214240d
humanhash: oven-beryllium-minnesota-california
File name:random.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:219'648 bytes
First seen:2026-02-28 10:10:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ee53c10aff1d01eafea53328179e33a2 (32 x Vidar, 1 x XenoRAT, 1 x Smoke Loader)
ssdeep 6144:8QQYr9WkZ5Amo15L2mY4Y4Xd6gK+Zf2WIo:8QQPkZ5Ami5L2l4Y48L+Nc
TLSH T1462412B3F46412BBC249853298B6DF49BEB0042EBCD55C096FF7907A526B1B2C65123F
TrID 60.0% (.EXE) UPX compressed Win64 Executable (70117/5/12)
23.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
5.5% (.EXE) Win64 Executable (generic) (6522/11/2)
4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe UPX vidar
File size (compressed) :219'648 bytes
File size (de-compressed) :629'760 bytes
Format:win64/pe
Unpacked file: 540019cc2f6a7f48d484f14cc37cee2e24a5abe59af0d41b522b1455f529fea9

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PEPacker Vidar
Details
PEPacker
a UPX version number and an unpacked binary
Vidar
c2 urls, useragents, c2 handshake magic parameters, a version, and a missionid
Link:
https://research.acce.ciphertechsolutions.com/results/b9723273-e32b-4f3a-8048-174000bc1989/
Malware family:
n/a
ID:
1
File name:
random.exe
Verdict:
No threats detected
Analysis date:
2026-02-28 10:12:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/946d3a57-eede-48dd-b3c2-dd38e3194a93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54985/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a2bf088fffa866e3b338cd
Tags:
ransomware obfuscated emotet small
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug fingerprint obfuscated packed packed packed stealer unsafe upx vidar zusy
Link:
https://www.filescan.io/uploads/69a2bf0897feb4afd6613fac/reports/152107d4-6fb0-4866-a004-5526af834578/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
Link:
https://opentip.kaspersky.com/209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2eb61c4d-1f6b-41a9-832a-27434f975b8f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876316
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876316 Sample: random.exe Startdate: 28/02/2026 Architecture: WINDOWS Score: 100 45 ctl.cricket-matters.com 2->45 47 www.google.com 2->47 49 2 other IPs or domains 2->49 71 Suricata IDS alerts for network traffic 2->71 73 Found malware configuration 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 4 other signatures 2->77 9 random.exe 16 2->9         started        signatures3 process4 dnsIp5 65 ctl.cricket-matters.com 172.67.157.41, 443, 49695, 49696 CLOUDFLARENETUS United States 9->65 67 telegram.me 149.154.167.99, 443, 49694 TELEGRAMRU United Kingdom 9->67 79 Tries to harvest and steal browser information (history, passwords, etc) 9->79 81 Sets debug register (to hijack the execution of another thread) 9->81 83 Writes to foreign memory regions 9->83 85 7 other signatures 9->85 13 chrome.exe 1 9->13         started        16 chrome.exe 9->16         started        18 chrome.exe 9->18         started        20 6 other processes 9->20 signatures6 process7 dnsIp8 69 192.168.2.9, 138, 443, 49324 unknown unknown 13->69 22 chrome.exe 13->22         started        25 chrome.exe 16->25         started        27 chrome.exe 16->27         started        29 chrome.exe 18->29         started        31 chrome.exe 18->31         started        33 chrome.exe 20->33         started        35 chrome.exe 20->35         started        37 chrome.exe 20->37         started        39 3 other processes 20->39 process9 dnsIp10 51 142.251.45.4, 443, 49731, 49732 GOOGLEUS United States 22->51 61 2 other IPs or domains 25->61 41 WerFault.exe 25->41         started        53 172.217.14.100, 443, 49847 GOOGLEUS United States 27->53 43 WerFault.exe 16 29->43         started        55 www.google.com 142.251.210.132, 443, 49713, 49714 GOOGLEUS United States 33->55 57 142.250.68.68, 443, 49791, 49792 GOOGLEUS United States 35->57 63 4 other IPs or domains 35->63 59 142.250.68.74, 443, 49826, 49827 GOOGLEUS United States 37->59 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2
Threat name:
Win64.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2026-02-27 23:22:25 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecnzpafd5y3x6tb3sf2fekuqn4xeq7khsba53w7ml2xnmj6c4pja._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar stealer upx
Link:
https://tria.ge/reports/260228-l7gleaas8c/
Behaviour
UPX packed file
Detects Vidar Stealer
Vidar
Vidar family
Unpacked files
SH256 hash:
209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2
MD5 hash:
f9131edf95a0ec263a8a4d7e6214240d
SHA1 hash:
a7536c541bbcf03b3327abf447052bf7e2c6e9fd
Link:
https://www.unpac.me/results/f37538d8-1ee1-4dc1-bec0-cb1096b65b2e/
SH256 hash:
540019cc2f6a7f48d484f14cc37cee2e24a5abe59af0d41b522b1455f529fea9
MD5 hash:
af53dc21b28997e6e381c7370bb00a73
SHA1 hash:
f3adb7208e00ade222fa52e8b3316dfc0e058997
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
SUSP_XORed_Mozilla
Create hunting rule
Link:
https://www.unpac.me/results/f37538d8-1ee1-4dc1-bec0-cb1096b65b2e/
Parent samples :
209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2
540019cc2f6a7f48d484f14cc37cee2e24a5abe59af0d41b522b1455f529fea9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 209b9780a3ee377f4c3b9174522a906f2e487d479041dddbec5eaed627c2e3d2

(this sample)

Vidar

Executable exe 540019cc2f6a7f48d484f14cc37cee2e24a5abe59af0d41b522b1455f529fea9

Cape
Cape
https://www.capesandbox.com/analysis/54985/
  
URLhaus
https://urlhaus.abuse.ch/url/3782523/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 540019cc2f6a7f48d484f14cc37cee2e24a5abe59af0d41b522b1455f529fea9
  
Dropping
MD5 af53dc21b28997e6e381c7370bb00a73

Comments