MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27f2027604353b1507e63502de699e1b14a9a29cb26678d84071fab4d9077803. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27f2027604353b1507e63502de699e1b14a9a29cb26678d84071fab4d9077803
SHA3-384 hash: efa7772b0c1497e7221369b8940e143ca08cd0c08185cf0fe54b981d9111f5997d51bd5225165729d5bb492c943acd12
SHA1 hash: 21dad3d4ff5af4921384b1c203538e93372550d3
MD5 hash: 53027822476420b0d4e1b0cd560797f3
humanhash: sad-two-winter-ten
File name:53027822476420b0d4e1b0cd560797f3.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:4'924'459 bytes
First seen:2025-06-13 10:40:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 98304:F0yF43T3Rqv0YxabR7RCS7Ko+z6kX1O8iOzdM/pI6NxEHNjGD3YjyNj:ayqDE0xmKl01aOhOyoqrj6
Threatray 124 similar samples on MalwareBazaar
TLSH T1863633423AD14173C0931971CE993A118ABEA8616F658EEB97E01E5EEB710D0D730FB7
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10522/11/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
441
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
53027822476420b0d4e1b0cd560797f3.exe
Verdict:
Malicious activity
Analysis date:
2025-06-13 10:41:01 UTC
Tags:
amadey botnet stealer loader unlocker-eject tool rdp themida arch-exec lumma evasion payload auto generic telegram phishing uac xor-url deerstealer
Link:
https://app.any.run/tasks/a6880819-e294-4ae7-bcbd-4db77c64c96a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9312/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684c00358bd5d68a12e86de5
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Searching for analyzing tools
Launching a process
Creating a file in the %temp% directory
Launching a service
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/27f2027604353b1507e63502de699e1b14a9a29cb26678d84071fab4d9077803
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4822333-04fd-47f7-883b-e8a4fab87181
Result
Threat name:
Amadey, Deer Stealer, LummaC Stealer, Vi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1713995
Signature
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Deer Stealer
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1713995 Sample: 3oJXvC5Na2.exe Startdate: 13/06/2025 Architecture: WINDOWS Score: 100 107 185.156.72.96 ITDELUXE-ASRU Russian Federation 2->107 109 edgemaple.pro 2->109 111 12 other IPs or domains 2->111 123 Suricata IDS alerts for network traffic 2->123 125 Found malware configuration 2->125 127 Multi AV Scanner detection for submitted file 2->127 129 14 other signatures 2->129 11 3oJXvC5Na2.exe 6 2->11         started        14 IAVddjAW.exe 2->14         started        17 ramez.exe 2->17         started        signatures3 process4 file5 93 C:\Temper\IAVddjAW.exe, PE32 11->93 dropped 95 C:\Temper\4nIbLQJM.exe, PE32 11->95 dropped 19 IAVddjAW.exe 11->19         started        147 Binary is likely a compiled AutoIt script file 14->147 22 7VgZHt5Q.exe 14->22         started        24 WARUQdBr.exe 14->24         started        26 cmd.exe 1 14->26         started        28 cmd.exe 14->28         started        149 Contains functionality to start a terminal service 17->149 151 Hides threads from debuggers 17->151 153 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->153 155 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 17->155 signatures6 process7 signatures8 131 Multi AV Scanner detection for dropped file 19->131 133 Binary is likely a compiled AutoIt script file 19->133 135 Found API chain indicative of sandbox detection 19->135 30 7VgZHt5Q.exe 4 19->30         started        34 WARUQdBr.exe 15 19->34         started        36 cmd.exe 1 19->36         started        38 cmd.exe 1 19->38         started        137 Contains functionality to start a terminal service 22->137 139 Hides threads from debuggers 22->139 141 Tries to detect sandboxes / dynamic malware analysis system (registry check) 22->141 143 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 22->143 40 cmd.exe 24->40         started        42 conhost.exe 26->42         started        44 4nIbLQJM.exe 26->44         started        46 conhost.exe 28->46         started        48 schtasks.exe 28->48         started        process9 file10 97 C:\Users\user\AppData\Local\...\ramez.exe, PE32 30->97 dropped 157 Antivirus detection for dropped file 30->157 159 Detected unpacking (changes PE section rights) 30->159 161 Contains functionality to start a terminal service 30->161 169 5 other signatures 30->169 50 ramez.exe 30->50         started        99 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 34->99 dropped 101 C:\Users\user\AppData\Local\...\cecho.exe, PE32 34->101 dropped 103 C:\Users\user\AppData\Local\...103SudoLG.exe, PE32+ 34->103 dropped 105 2 other malicious files 34->105 dropped 53 cmd.exe 1 34->53         started        163 Uses cmd line tools excessively to alter registry or file data 36->163 165 Uses schtasks.exe or at.exe to add and modify task schedules 36->165 167 Uses the nircmd tool (NirSoft) 36->167 55 4nIbLQJM.exe 3 36->55         started        58 conhost.exe 36->58         started        60 conhost.exe 38->60         started        62 schtasks.exe 1 38->62         started        64 nircmd.exe 40->64         started        66 conhost.exe 40->66         started        68 3 other processes 40->68 signatures11 process12 file13 113 Antivirus detection for dropped file 50->113 115 Detected unpacking (changes PE section rights) 50->115 117 Contains functionality to start a terminal service 50->117 121 5 other signatures 50->121 119 Uses cmd line tools excessively to alter registry or file data 53->119 70 chcp.com 1 53->70         started        72 cmd.exe 53->72         started        74 reg.exe 53->74         started        79 19 other processes 53->79 89 C:\Temper\WARUQdBr.exe, PE32 55->89 dropped 91 C:\Temper\7VgZHt5Q.exe, PE32 55->91 dropped 76 cmd.exe 64->76         started        signatures14 process15 signatures16 81 Conhost.exe 70->81         started        83 tasklist.exe 72->83         started        85 Conhost.exe 74->85         started        145 Uses cmd line tools excessively to alter registry or file data 76->145 87 conhost.exe 76->87         started        process17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/27f2027604353b1507e63502de699e1b14a9a29cb26678d84071fab4d9077803
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27f2027604353b1507e63502de699e1b14a9a29cb26678d84071fab4d9077803/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-06-13 10:41:25 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e7zae5qegu5rkb7ggubn42m6dmkktiu4wjthrwcaoh5ljwihpabq._file
Verdict:
malicious
Label(s):
admintool_nsudo
Create hunting rule
admintool_nircmd
Create hunting rule
Similar samples:
0ce35fb5b0e488c9788f8672843381bb7ea315f6f4dc4caf342f5600d846388d
Vidar
1defba7528dbe3ad50bf9b5ccf3d638526ff195d0294ceed46c4212959a8e7d7
Vidar
2bfce22fc02c24cab6f486e3d8ef7891f831490369e65147a624679d0896a7a2
Vidar
4049bdaefcdf4e8a2aee595a67bd15f7c3f53f1ca374a53382c6048f9c4e2782
Vidar
704b1b43c773726f24eddef87de963f1d03d8e1640737bf2dd36625a272e5836
Vidar
927db4706134f1ec875c68974b94c1ba796d7a90fc52ee1daac405af66a28bfa
Vidar
aa0dba12ae35dcc03ffdebfaf1ddc320dbe4b21c31a58fb94d4f6edc64bf7e13
Vidar
c2e5d3aa5cdb9f0c24930a475aa9f352e5df925c22318f7891a398b2628edd3a
Vidar
ee917837709e8adb58d0ec7630392eea77943f85271932dd2cfdac2968eb81f3
Vidar
error
Vidar
fc2180afb29f384ffa93978298fddbc3e9208dc40117f16044dfa1b53a7e5b90
Vidar
+ 114 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:asyncrat family:gurcu family:lumma family:quasar family:salatstealer family:vidar botnet:5828200e1e0f595ba667ca6d813d02c7 botnet:8d33eb botnet:inj3ct0r 711 collection credential_access defense_evasion discovery execution persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/250613-mqq9ysxzgt/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
AsyncRat
Asyncrat family
Detect SalatStealer payload
Detect Vidar Stealer
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Modifies WinLogon for persistence
Quasar RAT
Quasar family
Quasar payload
Salatstealer family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
salatstealer
Malware Config
C2 Extraction:
http://185.156.72.96
https://battlefled.top/gaoi
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://stochalyqp.xyz/alfp
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://saokwe.xyz/plxa/api
https://shootef.world/api
https://peppinqikp.xyz/xaow
https://t.me/gu77xt
https://steamcommunity.com/profiles/76561199863931286
https://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/sendMessage?chat_id=6299414420
injtest.ooguy.com:6666
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/90f2aa9d-1d6f-47cf-a2a0-49b78daa2b4b
Unpacked files
SH256 hash:
27f2027604353b1507e63502de699e1b14a9a29cb26678d84071fab4d9077803
MD5 hash:
53027822476420b0d4e1b0cd560797f3
SHA1 hash:
21dad3d4ff5af4921384b1c203538e93372550d3
Link:
https://www.unpac.me/results/4f16d07d-7dcf-4ad1-b1d0-f6296f74af23/
SH256 hash:
c2608c4dd74d040ae35315124412b8df9cd5ec25e09d8236206a5c6690cc7c36
MD5 hash:
94b43fddcb7fa2ad417bbe581ee615fe
SHA1 hash:
72fd40370c02bb9b8afda0ccc487da647ffabfb5
Link:
https://www.unpac.me/results/4f16d07d-7dcf-4ad1-b1d0-f6296f74af23/
SH256 hash:
3db749b5fe914c90df8bd18fa6697af64fa9c58954fc83b61550298314d5c416
MD5 hash:
8bf6d466395215fbd464c0c09e56ae5d
SHA1 hash:
babe97ef7c6385a80220837ad79f8f79e652637a
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/4f16d07d-7dcf-4ad1-b1d0-f6296f74af23/
SH256 hash:
c84f137961a8caa71b0f682cb7e5630903b2fb8c4bfc2c07b67ce8e8e64cbec4
MD5 hash:
3cb7fc75a8a38057df41d1b28d2a7ae7
SHA1 hash:
4b401504539cb9aa9aef4aa72b924a6d2d4883d1
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/4f16d07d-7dcf-4ad1-b1d0-f6296f74af23/
SH256 hash:
5e8c931661e485c009af604964591ee40d0c75975e63c3fc9edabb3bc30c3fcd
MD5 hash:
551e2442f06617e70f69fa95e6aa823a
SHA1 hash:
e701c768944db6e365f20ff153dbbb02ae52e7af
Link:
https://www.unpac.me/results/4f16d07d-7dcf-4ad1-b1d0-f6296f74af23/
SH256 hash:
bd1f4c1b3d7bb873accf04236da2848fb093c3457a3d1d4eb05986aeeebc420a
MD5 hash:
d23dbe0f8cbafb87033b9a7f01472ce3
SHA1 hash:
1c621b91969feead4e4531a93167d9d559030998
Link:
https://www.unpac.me/results/4f16d07d-7dcf-4ad1-b1d0-f6296f74af23/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/27f202760435/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27f2027604353b1507e63502de699e1b14a9a29cb26678d84071fab4d9077803

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dcrat_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked dcrat malware samples.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:icarus
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked icarus malware samples.
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/9312/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments