MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25f790aff251cb2f90781001561abcff269aef9e0b866456924f94c5c4b88b88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25f790aff251cb2f90781001561abcff269aef9e0b866456924f94c5c4b88b88
SHA3-384 hash: c2914576a81287228614082087c3e588701ff61c9e286b9fa99bcd5e1a2166c835b776b26fdd7b6c4c88dae801c37543
SHA1 hash: 4f83b8c6374e7654e194eacf4cdddf3a647cd585
MD5 hash: 5763cfd4ae392e746c83b859a5b1cc28
humanhash: oxygen-winner-king-whiskey
File name:1.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:31'547'014 bytes
First seen:2025-05-20 20:16:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 786432:ckvJzrCJqYkXVZxNSkIDZsHSxunp7Z0hQdddIQSdBT:JvJzr0xKV/MkIDZsyxunNmabd0dN
TLSH T1A0673317F7CBD13DE0190B3B81B2925584FBAA665526BE1286FCB8ACCF710601D3E647
TrID 49.8% (.EXE) Inno Setup installer (107240/4/30)
20.0% (.EXE) InstallShield setup (43053/19/16)
19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter skocherhan
Tags:exe legend1234561111 vidar


Avatar
skocherhan
https://github.com/legend1234561111/Ksnsjdjdnd/releases/download/Isjsnsnsmsns/1.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
632
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.exe
Verdict:
No threats detected
Analysis date:
2025-05-20 20:24:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c7439f51-5481-4ebc-a5aa-f25dde41efc2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682ce3982f280a98fb425cb6
Tags:
extens virus lien blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a process with a hidden window
Reading critical registry keys
Connection attempt to an infection source
Adding an access-denied ACE
Launching a process
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint installer overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/682ce372c609634bd7cc4288/reports/5fb30552-74a5-4a44-97d2-5c3462f44384/overview
Verdict:
Malicious
Labled as:
Generik.BMWLUQO trojan
Link:
https://www.hybrid-analysis.com/sample/25f790aff251cb2f90781001561abcff269aef9e0b866456924f94c5c4b88b88
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1695433
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1695433 Sample: 1.exe Startdate: 20/05/2025 Architecture: WINDOWS Score: 100 41 17.aa.4t.com 2->41 43 t.me 2->43 45 2 other IPs or domains 2->45 55 Suricata IDS alerts for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 5 other signatures 2->61 9 1.exe 2 2->9         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\Temp\...\1.tmp, PE32 9->31 dropped 12 1.tmp 24 11 9->12         started        process6 file7 33 C:\Users\user\AppData\...\unins000.exe (copy), PE32 12->33 dropped 35 C:\Users\user\AppData\...\is-K1JQK.tmp, PE32+ 12->35 dropped 37 C:\Users\user\AppData\...\is-B7M0O.tmp, PE32+ 12->37 dropped 39 6 other files (3 malicious) 12->39 dropped 15 core.exe 12->15         started        18 info.exe 1 12->18         started        21 putty.exe 12->21         started        process8 dnsIp9 65 Maps a DLL or memory area into another process 15->65 67 Hides threads from debuggers 15->67 69 Found direct / indirect Syscall (likely to bypass EDR) 15->69 23 explorer.exe 15 15->23         started        27 WerFault.exe 2 15->27         started        47 stats-1.crabdance.com 82.115.223.212, 80 MIDNET-ASTK-TelecomRU Russian Federation 18->47 29 conhost.exe 18->29         started        signatures10 process11 dnsIp12 49 5.75.210.140, 443, 49699, 49700 HETZNER-ASDE Germany 23->49 51 17.aa.4t.com 78.46.233.21, 443, 49697 HETZNER-ASDE Germany 23->51 53 2 other IPs or domains 23->53 63 System process connects to network (likely due to code injection or exploit) 23->63 signatures13
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/25f790aff251cb2f90781001561abcff269aef9e0b866456924f94c5c4b88b88
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/25f790aff251cb2f90781001561abcff269aef9e0b866456924f94c5c4b88b88
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-06 19:06:07 UTC
File Type:
PE (Exe)
AV detection:
11 of 24 (45.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ex3zbl7skhfs7edycaavmgv474tjv346bodgivusj6kmlrfyroea._file
Verdict:
malicious
Label(s):
admintool_putty
Create hunting rule
Similar samples:
error
Vidar
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access discovery pyinstaller spyware stealer
Link:
https://tria.ge/reports/250520-y2r66s1qs3/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Uses browser remote debugging
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25f790aff251/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Donutloader_f40e3759
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 25f790aff251cb2f90781001561abcff269aef9e0b866456924f94c5c4b88b88

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3548741/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments