MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041
SHA3-384 hash: b6139cf7d6f0e0bcf7b83ec44bca3b0b8e593231711acb6eeb88870994ca5d21a1ae9566ddc65c7576839d2669a93f53
SHA1 hash: 39056aaddf601d6cf0cb3788c349c5140bc9fcc2
MD5 hash: bb3d76f75c234302cf4beb5eefaa300e
humanhash: leopard-connecticut-low-arkansas
File name:oStarteZ.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:2'805'248 bytes
First seen:2025-10-28 06:11:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (235 x Vidar, 92 x Rhadamanthys, 89 x Stealc)
ssdeep 49152:iVlyf3IdAv5zuda7TzNRUzAiPnOt0esKQ/jZm:inq5uUTzXsSfQ/
TLSH T185D57C077C9408A5C0A9A23088669552FB39BC459B3227E73FC0BB3D2F77AD05E79758
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 0000000000000000 (898 x AgentTesla, 540 x Formbook, 316 x RedLineStealer)
Reporter abuse_ch
Tags:de-pumped exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
_2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041.exe
Verdict:
Malicious activity
Analysis date:
2025-10-28 06:13:54 UTC
Tags:
stealer stealc vidar xor-url generic golang
Link:
https://app.any.run/tasks/15a70f69-b116-4e2d-8869-a122881f2cf4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34376/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69005edf5c3edf10df531506
Tags:
emotet cobalt
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm golang installer
Link:
https://www.filescan.io/uploads/69005ed83a79800405fa1190/reports/55af7737-9905-4252-a238-60946e4588b1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-28T03:19:00Z UTC
Last seen:
2025-10-29T09:04:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Win64.Generic Trojan-PSW.Vidar.HTTP.C&C Trojan-PSW.Stealerc.TCP.C&C Trojan-PSW.Stealerc.HTTP.C&C
Link:
https://opentip.kaspersky.com/2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6d55c806-3e5b-482b-bc06-ade869a8bfbe
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802913
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sets debug register (to hijack the execution of another thread)
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1802913 Sample: oStarteZ.exe Startdate: 28/10/2025 Architecture: WINDOWS Score: 100 51 iit.teba-forexport.com 2->51 53 telegram.me 2->53 55 28 other IPs or domains 2->55 87 Suricata IDS alerts for network traffic 2->87 89 Antivirus / Scanner detection for submitted sample 2->89 91 Multi AV Scanner detection for submitted file 2->91 93 2 other signatures 2->93 8 oStarteZ.exe 21 2->8         started        12 msedge.exe 2->12         started        14 msedge.exe 2->14         started        signatures3 process4 dnsIp5 79 iit.teba-forexport.com 46.224.14.87, 443, 49722, 49723 DADEHGOSTAR-ASAS12880-DataCommunicationCompanyofIran Iran (ISLAMIC Republic Of) 8->79 81 telegram.me 149.154.167.99, 443, 49721 TELEGRAMRU United Kingdom 8->81 95 Tries to harvest and steal browser information (history, passwords, etc) 8->95 97 Sets debug register (to hijack the execution of another thread) 8->97 99 Writes to foreign memory regions 8->99 103 7 other signatures 8->103 16 msedge.exe 8->16         started        19 chrome.exe 1 8->19         started        22 chrome.exe 1 8->22         started        32 9 other processes 8->32 83 239.255.255.250 unknown Reserved 12->83 101 Maps a DLL or memory area into another process 12->101 24 msedge.exe 12->24         started        26 msedge.exe 12->26         started        28 msedge.exe 12->28         started        34 2 other processes 12->34 30 msedge.exe 14->30         started        signatures6 process7 dnsIp8 85 Monitors registry run keys for changes 16->85 36 msedge.exe 16->36         started        57 192.168.2.4, 138, 443, 49300 unknown unknown 19->57 38 chrome.exe 19->38         started        41 chrome.exe 22->41         started        59 part-0042.t-0009.t-msedge.net 13.107.246.70, 443, 49850, 49851 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->59 61 part-0042.t-0009.fb-t-msedge.net 13.107.253.70, 443, 49840 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->61 63 38 other IPs or domains 24->63 43 chrome.exe 32->43         started        45 chrome.exe 32->45         started        47 chrome.exe 32->47         started        49 5 other processes 32->49 signatures9 process10 dnsIp11 65 www.google.com 142.250.69.164, 443, 49736, 49739 GOOGLEUS United States 38->65 71 4 other IPs or domains 38->71 73 3 other IPs or domains 41->73 67 142.250.217.68, 443, 49777, 49778 GOOGLEUS United States 43->67 75 2 other IPs or domains 43->75 69 142.250.73.132, 443, 49809, 49810 GOOGLEUS United States 49->69 77 2 other IPs or domains 49->77
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/bb3d76f75c234302cf4beb5eefaa300e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041
Threat name:
Win64.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2025-10-28 06:12:46 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
12 of 23 (52.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f4x7qdjpy3o3tx6nonzf4p6dtuttexh5vtneh76nv4xtextjabaq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/251028-gyecgaslfp/
Verdict:
Malicious
Tags:
Stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/a310330c-e215-4f81-bca9-6c30782c4cf8
Unpacked files
SH256 hash:
2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041
MD5 hash:
bb3d76f75c234302cf4beb5eefaa300e
SHA1 hash:
39056aaddf601d6cf0cb3788c349c5140bc9fcc2
Link:
https://www.unpac.me/results/271398fc-5108-4870-aec8-5bdb109cfb13/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2f2ff80d2fc6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Vidar

zip f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f

Vidar

Executable exe 2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041

(this sample)

  
Dropped by
MD5 b970f8ea65c2ce8b4dbedc766e94024f
  
Dropped by
SHA256 f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f
Cape
Cape
https://www.capesandbox.com/analysis/34376/

Comments