MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d
SHA3-384 hash:	010f76eda697d07de9b1f196c64ca8f24c44cfb215928f1000000fc2d040932ba1bb3bf4af33e279bb70fbe0328ba226
SHA1 hash:	9b10971b06e5006b1a8e26b6e1bd9d78937ac04d
MD5 hash:	9dbb42ae9eefbfc024ca44d181f162e0
humanhash:	cold-bulldog-orange-echo
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	289'280 bytes
First seen:	2025-11-10 18:34:19 UTC
Last seen:	2025-11-10 20:18:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	31e06ec6723bcc3b75c69a4521e4b8f5 (15 x Vidar)
ssdeep	6144:ToABOecMb/CLTsCjxAzMycHoBvOYKGT/ePOIJzg6Q7iu7tSl:TTBZcM2ppTQ7IOlF7tQ
TLSH	T189542358928624F9DB5DA5F215C88FE85E00AA847FDF4DF6FF26020F2E421E9704D8D9
TrID	63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12) 24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.ICL) Windows Icons Library (generic) (2059/9) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 UPX vidar

Bitsight

url: http://178.16.54.200/files/6589084083/mCa4SRR.exe

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	289'280 bytes
File size (de-compressed) :	645'120 bytes
Format:	win64/pe
Unpacked file:	49638f6213db4974235e8ae136207bad7dc4384caf9a32eee226544956f66e09

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-11-10 18:35:52 UTC

Tags:

xor-url generic upx

Link:

https://app.any.run/tasks/df9fee7a-1dd0-4247-9d76-47661f411178

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/36725/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.32123491.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6912306aac1ae236e17926e3

Tags:

emotet cobalt

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Behavior that indicates a threat

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug crypto fingerprint hacktool obfuscated packed packed packed upx

Link:

https://www.filescan.io/uploads/69123068935d9f0d73ca8bd9/reports/bc979f57-daf9-4a2f-b0fa-d7556b219761/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-10T15:50:00Z UTC

Last seen:

2025-11-12T15:58:00Z UTC

Hits:

~100

Detections:

VHO:Trojan-PSW.Win32.Convagent.gen VHO:Trojan.Win32.GenericML.xnet

Link:

https://opentip.kaspersky.com/30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9d7f9ea8-e015-4481-876c-6cbbad266d72

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/9dbb42ae9eefbfc024ca44d181f162e0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d

Threat name:

Win64.Spyware.Vidar

Status:

Malicious

First seen:

2025-11-10 18:35:17 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gc754zlu7au3r65kpja6poww7iwgjuckqm4yksfgsnjkhhy4mmoq._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:22f67419da90df85517388468397d53c campaign:/k0ddr stealer upx

Link:

https://tria.ge/reports/251110-w8gmxadz4c/

Behaviour

UPX packed file

Detects Vidar Stealer

Vidar

Vidar family

Malware Config

C2 Extraction:

https://telegram.me/k0ddr
https://steamcommunity.com/profiles/76561198772659493

Verdict:

Malicious

Tags:

Stealc

YARA:

n/a

Link:

https://app.threat.zone/submission/83dfdb7a-f377-4a30-8a99-2d8be1b6990f

Unpacked files

SH256 hash:

30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d

MD5 hash:

9dbb42ae9eefbfc024ca44d181f162e0

SHA1 hash:

9b10971b06e5006b1a8e26b6e1bd9d78937ac04d

Link:

https://www.unpac.me/results/32ceb31d-9987-4493-9ed6-c145d6df49b0/

SH256 hash:

49638f6213db4974235e8ae136207bad7dc4384caf9a32eee226544956f66e09

MD5 hash:

8dc8a26921d5827b559ce1bb37c641a6

SHA1 hash:

6c61e7b608b5e2113fc4b9beeb71580042403dc6

Detections:

SUSP_XORed_URL_In_EXE

Link:

https://www.unpac.me/results/32ceb31d-9987-4493-9ed6-c145d6df49b0/

Parent samples :

49638f6213db4974235e8ae136207bad7dc4384caf9a32eee226544956f66e09
30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/30bfde6574f8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/30bfde6574f829b8fbaa7a41e7bad6fa2c64d04a83398548a69352a39f1c631d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)