MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21bfbc7ad27302a1b12edc842d257ec522b48ccb7079925c76f686beb9772bd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21bfbc7ad27302a1b12edc842d257ec522b48ccb7079925c76f686beb9772bd1
SHA3-384 hash: 889500279c3de22507f31a92b292a550702f8118d9421f3b4494ce0a3a98b09cae21e6eafb8d8c4fb30eda5dba68f75e
SHA1 hash: 02df873f88cfd6b56908d780eeedabfd8d5eec8a
MD5 hash: 0a188fc5be425ef36ed6d9036b1c1c48
humanhash: harry-lactose-black-mirror
File name:0a188fc5be425ef36ed6d9036b1c1c48.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:758'272 bytes
First seen:2025-05-08 06:33:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e2a6ecfffc5d43a7565ef87874e92c4 (49 x LummaStealer, 13 x Vidar, 3 x Stealc)
ssdeep 12288:WzpkncANLF4f2651PBvcHxw7kt5IDecHxw7kt5ID:WzpkcOCViw7kPIDbw7kPID
Threatray 177 similar samples on MalwareBazaar
TLSH T19DF4AE585EA12097FA3B00B6C8A17644F869B936CBA08FF70250DF322456BD75EE53F4
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
498
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.19123.1644.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681c32a191991ead82b60dfd
Tags:
kryptik virus krypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/681c505fb880b22541aa34f0/reports/085b4aec-cc74-47ef-bdd1-5abd3744ac96/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/21bfbc7ad27302a1b12edc842d257ec522b48ccb7079925c76f686beb9772bd1
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/928eb8e5-3f24-4a89-b3fe-ef3fd798d5bd
Result
Threat name:
LummaC Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1684196
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates multiple autostart registry keys
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1684196 Sample: yUllVSifEj.exe Startdate: 08/05/2025 Architecture: WINDOWS Score: 100 110 72.aa.4t.com 2->110 112 xandr-ms-geo.trafficmanager.net 2->112 114 50 other IPs or domains 2->114 146 Suricata IDS alerts for network traffic 2->146 148 Found malware configuration 2->148 150 Malicious sample detected (through community Yara rule) 2->150 152 11 other signatures 2->152 14 yUllVSifEj.exe 2->14         started        17 EXWDUG.exe 2->17         started        20 EXWDUG.exe 2->20         started        22 2 other processes 2->22 signatures3 process4 dnsIp5 198 Writes to foreign memory regions 14->198 200 Allocates memory in foreign processes 14->200 202 Injects a PE file into a foreign processes 14->202 25 MSBuild.exe 33 14->25         started        86 C:\Users\user\AppData\Local\...\VHWKMQ.exe, PE32 17->86 dropped 30 VHWKMQ.exe 17->30         started        88 C:\Users\user\AppData\Local\...behaviorgraphQRGWL.exe, PE32 20->88 dropped 32 GQRGWL.exe 20->32         started        122 239.255.255.250 unknown Reserved 22->122 90 C:\Users\user\AppData\Local\...90OEFXO.exe, PE32 22->90 dropped 34 msedge.exe 22->34         started        36 msedge.exe 22->36         started        38 msedge.exe 22->38         started        file6 signatures7 process8 dnsIp9 134 72.aa.4t.com 78.46.233.21, 443, 49684, 49685 HETZNER-ASDE Germany 25->134 136 94.26.90.80, 49809, 49813, 80 ASDETUKhttpwwwheficedcomGB Bulgaria 25->136 142 2 other IPs or domains 25->142 100 C:\Users\user\AppData\...\ShtrayEasy[1].exe, PE32 25->100 dropped 102 C:\Users\user\AppData\...\LasioSia[1].exe, PE32+ 25->102 dropped 104 C:\ProgramData\aaie3ozmgv.exe, PE32+ 25->104 dropped 106 C:\ProgramData\4wtjm7g47y.exe, PE32 25->106 dropped 178 Attempt to bypass Chrome Application-Bound Encryption 25->178 180 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->180 182 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->182 188 6 other signatures 25->188 40 4wtjm7g47y.exe 25->40         started        44 aaie3ozmgv.exe 25->44         started        46 msedge.exe 2 9 25->46         started        48 2 other processes 25->48 184 Multi AV Scanner detection for dropped file 30->184 186 Creates multiple autostart registry keys 30->186 138 13.107.246.51, 443, 49776, 49777 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 34->138 140 s-part-0043.t-0009.t-msedge.net 13.107.246.71, 443, 49691, 49741 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 34->140 144 36 other IPs or domains 34->144 file10 signatures11 process12 dnsIp13 98 C:\Users\user\AppData\Local\...\RLDLLV.exe, PE32 40->98 dropped 162 Antivirus detection for dropped file 40->162 164 Multi AV Scanner detection for dropped file 40->164 166 Contains functionality to detect hardware virtualization (CPUID execution measurement) 40->166 176 2 other signatures 40->176 51 RLDLLV.exe 40->51         started        168 Writes to foreign memory regions 44->168 170 Allocates memory in foreign processes 44->170 172 Injects a PE file into a foreign processes 44->172 55 MSBuild.exe 44->55         started        58 MSBuild.exe 44->58         started        60 MSBuild.exe 44->60         started        174 Monitors registry run keys for changes 46->174 62 msedge.exe 46->62         started        108 192.168.2.9, 138, 443, 49156 unknown unknown 48->108 64 chrome.exe 48->64         started        66 conhost.exe 48->66         started        68 timeout.exe 48->68         started        file14 signatures15 process16 dnsIp17 92 C:\Users\user\AppData\Local\...XWDUG.exe, PE32 51->92 dropped 154 Multi AV Scanner detection for dropped file 51->154 70 EXWDUG.exe 51->70         started        126 homewappzb.top 104.21.16.1, 443, 49814, 49816 CLOUDFLARENETUS United States 55->126 156 Query firmware table information (likely to detect VMs) 55->156 128 www.google.com 142.250.68.228, 443, 49704, 49709 GOOGLEUS United States 64->128 130 play.google.com 192.178.49.174, 443, 49722 GOOGLEUS United States 64->130 132 3 other IPs or domains 64->132 file18 signatures19 process20 dnsIp21 124 94.26.90.81, 49812, 49822, 49826 ASDETUKhttpwwwheficedcomGB Bulgaria 70->124 94 C:\Users\user\AppData\Local\...\OVQPWR.exe, PE32+ 70->94 dropped 96 C:\Users\user\AppData\...\VavineSound[1].exe, PE32+ 70->96 dropped 158 Multi AV Scanner detection for dropped file 70->158 160 Creates multiple autostart registry keys 70->160 75 OVQPWR.exe 70->75         started        file22 signatures23 process24 signatures25 190 Multi AV Scanner detection for dropped file 75->190 192 Writes to foreign memory regions 75->192 194 Allocates memory in foreign processes 75->194 196 Injects a PE file into a foreign processes 75->196 78 MSBuild.exe 75->78         started        process26 signatures27 204 Tries to harvest and steal browser information (history, passwords, etc) 78->204 81 chrome.exe 78->81         started        process28 process29 83 chrome.exe 81->83         started        dnsIp30 116 142.250.72.164, 443, 49842, 49845 GOOGLEUS United States 83->116 118 www.google.com 83->118 120 2 other IPs or domains 83->120
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/21bfbc7ad27302a1b12edc842d257ec522b48ccb7079925c76f686beb9772bd1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21bfbc7ad27302a1b12edc842d257ec522b48ccb7079925c76f686beb9772bd1/
Threat name:
Win64.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2025-05-07 23:41:03 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eg73y6wsombkdmjo3scc2jl6yurljdglob4zexdw62dl5olxfpiq._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
21bfbc7ad27302a1b12edc842d257ec522b48ccb7079925c76f686beb9772bd1
Vidar
28d8ba77930a7fdb5d6f7fd77b7f3d9be8a638976f563598e247fbec54574809
Vidar
2af28b041206d27d3aa9d3f20678357ed6cd545449911905bf4ffe40555a33cb
Vidar
2c3066d84a1942c8a7d0873d6863e47b73dca05a07283e52e567533447a7afc9
Vidar
40334d4cfea8a4d214ead0aad8045eba33ae7a79f6c72a68041bbfde1f93cf8e
Vidar
8d30a02b63faa25db2310612bebdd8db66dcda85f676ca016e1c21fc4167af61
Vidar
error
Vidar
+ 167 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:vidar botnet:bae6b16ce602da6d377e5d6e504feee4 credential_access discovery persistence spyware stealer
Link:
https://tria.ge/reports/250508-hbv75sbn6t/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/m00f3r
https://steamcommunity.com/profiles/76561199851454339
https://stuffgull.top/qwio
https://mariosefqcu.shop/wrqo
https://homewappzb.top/tqba
https://tortoisgfe.top/paxk
https://descenrugb.bet/woap
https://onemiltxny.shop/tqiw
https://octalfbsh.bet/mben
https://snakejh.top/adsk
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/df738da2-75b3-4cfe-b34c-d86beacd30d7
Unpacked files
SH256 hash:
21bfbc7ad27302a1b12edc842d257ec522b48ccb7079925c76f686beb9772bd1
MD5 hash:
0a188fc5be425ef36ed6d9036b1c1c48
SHA1 hash:
02df873f88cfd6b56908d780eeedabfd8d5eec8a
Link:
https://www.unpac.me/results/97b1763f-5c8a-464d-8b15-6ac1e185ed81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21bfbc7ad27302a1b12edc842d257ec522b48ccb7079925c76f686beb9772bd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments