MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b0ad428d233a5a100dfa9464088ab08b090cbbee4a99ffeb27fde2ae80d2657. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 14 File information Comments

SHA256 hash:	2b0ad428d233a5a100dfa9464088ab08b090cbbee4a99ffeb27fde2ae80d2657
SHA3-384 hash:	f82573937007ffbaa372ae3907acd9e5d8610ad06ae866142d7761ec074102bce125932296c968e7378e33dd2e943847
SHA1 hash:	3db4b2cac6205a265dc8ca82a63c39474f5f9301
MD5 hash:	308a0d04da7a149c1ffa45c295decdb7
humanhash:	east-hawaii-lima-pasta
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	840'292 bytes
First seen:	2025-11-19 16:08:45 UTC
Last seen:	2025-11-19 19:30:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f1a6a29381d34d1d69615d960835021d (1 x Vidar)
ssdeep	12288:rD2AAFjN7uWRz7SKcod4rm0SXSmTz2GnC7/V2ngDhveuz4DMjqSbHIXArz91E8dL:r63K7ov3P/RnOwn2xFz4gjqoIXArJP37
TLSH	T1B1051257B3B120F5D1678235D8A62613EB7278221B615EEF03E04777AE236D09D3EB21
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 vidar

Bitsight

url: http://178.16.55.189/files/6608710704/3ogammp.exe

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-11-19 16:10:10 UTC

Tags:

stealer stealc vidar xor-url generic

Link:

https://app.any.run/tasks/5170f6e4-f22b-47bf-8c92-ce6b62711554

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38684/

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=691debb227c5936d7d0dca71

Tags:

injection obfusc virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Behavior that indicates a threat

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

microsoft_visual_cc overlay

Link:

https://www.filescan.io/uploads/691debad534ca666aaf26c1d/reports/053ddc81-363a-4127-aa32-42762ff90f8a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2b0ad428d233a5a100dfa9464088ab08b090cbbee4a99ffeb27fde2ae80d2657

Result

Gathering data

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/bc0faba7-9a3e-4a5b-a150-d043c89e7f34

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2b0ad428d233a5a100dfa9464088ab08b090cbbee4a99ffeb27fde2ae80d2657

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/308a0d04da7a149c1ffa45c295decdb7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2b0ad428d233a5a100dfa9464088ab08b090cbbee4a99ffeb27fde2ae80d2657/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/2b0ad428d233a5a100dfa9464088ab08b090cbbee4a99ffeb27fde2ae80d2657

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fmfnikgsgos2cag7vfdebcflbcyjbs564suz77vsp7pcv2anezlq._file

Verdict:

malicious

Label(s):

vidar

Similar samples:

error

Vidar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:84e42d300ee8418e5c66fe2628453a7c discovery spyware stealer

Link:

https://tria.ge/reports/251119-tlxphasjcw/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Detects Vidar Stealer

Vidar

Vidar family

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561198767911792

Verdict:

Malicious

Tags:

Stealc

YARA:

n/a

Link:

https://app.threat.zone/submission/bc67b144-15dc-43d4-a07e-e9aec96a7f12

Unpacked files

SH256 hash:

2b0ad428d233a5a100dfa9464088ab08b090cbbee4a99ffeb27fde2ae80d2657

MD5 hash:

308a0d04da7a149c1ffa45c295decdb7

SHA1 hash:

3db4b2cac6205a265dc8ca82a63c39474f5f9301

Link:

https://www.unpac.me/results/25fb4961-26a8-43d5-8103-5d41334c9d32/

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2b0ad428d233/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2b0ad428d233a5a100dfa9464088ab08b090cbbee4a99ffeb27fde2ae80d2657

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)