MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1
SHA3-384 hash: 73478e6de888115762c8037a20671e9ab1fec43114cd052f40d02a2092efbcd5c27e777fbdb4967e2cc1e27af0c572eb
SHA1 hash: a301459db1d273638466416ab65fbdfe9e140f40
MD5 hash: 8fdb219fabb4894354480b592c2d91b2
humanhash: steak-single-carbon-speaker
File name:ScreenSetup.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:264'704 bytes
First seen:2025-09-08 11:31:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a5c518aecd79406fb233328c40c0c693 (1 x Vidar)
ssdeep 6144:fcZTFgmBZ1HZ+pW67AR5DRyxwNijBhsYwSGN1l:fcwmBZNZUWREakhsak
Threatray 10 similar samples on MalwareBazaar
TLSH T152449D11BED1C433C52749329879CB7A8F7EB8A14F71AAD763C40ABECE205D09B25716
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
NewTextDocumentmod.exe
Verdict:
Malicious activity
Analysis date:
2025-09-08 07:43:33 UTC
Tags:
amadey botnet stealer hausbomber lumma anti-evasion vidar telegram stealc github python gcleaner loader miner purecrypter xmrig autoit evasion snake keylogger
Link:
https://app.any.run/tasks/87d582b7-7694-4916-ad1b-c08ad78bf427

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26240/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bebeb0b20052598878f999
Tags:
dridex emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a process from a recently created file
Connecting to a non-recommended domain
Creating a file
DNS request
Sending a custom TCP request
Launching a file downloaded from the Internet
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint microsoft_visual_cc obfuscated similar-threat
Link:
https://www.filescan.io/uploads/68bebed4f8dfdcef3a08e151/reports/032e619a-9a43-47fe-99d0-7ce704e15ee6/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-07T18:17:00Z UTC
Last seen:
2025-09-07T18:17:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.AUO.gen HEUR:Backdoor.Win32.Agent.gen Trojan-PSW.Win32.Vidar.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Downloader.Win32.Generic Trojan-Banker.Win32.ClipBanker.sb Trojan-Banker.Win32.ClipBanker.aezf Trojan-Banker.Win32.Express.sb Backdoor.Agent.UDP.C&C Trojan-PSW.Win32.Stealerc.sb Trojan-Downloader.Agent.HTTP.C&C BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c9f972d-b82d-419c-8464-5b6a1c044726
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1773056
Signature
Adds a directory exclusion to Windows Defender
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1773056 Sample: ScreenSetup.exe Startdate: 08/09/2025 Architecture: WINDOWS Score: 100 87 db.vm.masterclasstonewow.com 2->87 89 t.me 2->89 91 36 other IPs or domains 2->91 119 Suricata IDS alerts for network traffic 2->119 121 Found malware configuration 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 7 other signatures 2->125 10 ScreenSetup.exe 1 16 2->10         started        15 msedge.exe 2->15         started        17 msedge.exe 2->17         started        19 2 other processes 2->19 signatures3 process4 dnsIp5 109 88.214.50.76, 49681, 80 M247GB Russian Federation 10->109 77 C:\Users\user\AppData\Local\...\589A.tmp.exe, PE32+ 10->77 dropped 79 C:\Users\user\AppData\Local\...\SyncAI[1].exe, PE32+ 10->79 dropped 137 Found evasive API chain (may stop execution after checking mutex) 10->137 21 589A.tmp.exe 16 10->21         started        111 239.255.255.250 unknown Reserved 15->111 26 msedge.exe 15->26         started        28 msedge.exe 17->28         started        113 127.0.0.1 unknown unknown 19->113 file6 signatures7 process8 dnsIp9 93 141.98.6.190, 49690, 5554 CMCSUS Germany 21->93 73 C:\Users\user\AppData\Local\...\dowe.exe, PE32+ 21->73 dropped 75 C:\Users\user\AppData\Local\...\kaplpa[1].exe, PE32+ 21->75 dropped 127 Multi AV Scanner detection for dropped file 21->127 129 Suspicious powershell command line found 21->129 131 Found API chain indicative of debugger detection 21->131 133 Adds a directory exclusion to Windows Defender 21->133 30 dowe.exe 21->30         started        34 powershell.exe 23 21->34         started        36 powershell.exe 22 21->36         started        38 3 other processes 21->38 95 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49792, 49796 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->95 97 ln-0007.ln-msedge.net 150.171.22.17, 443, 49787, 49808 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->97 103 24 other IPs or domains 26->103 99 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49816 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->99 101 23.57.90.106, 443, 49807, 49838 AKAMAI-ASUS United States 28->101 105 21 other IPs or domains 28->105 file10 signatures11 process12 dnsIp13 115 db.vm.masterclasstonewow.com 5.75.211.194, 443, 49692, 49693 HETZNER-ASDE Germany 30->115 117 t.me 149.154.167.99, 443, 49691 TELEGRAMRU United Kingdom 30->117 139 Multi AV Scanner detection for dropped file 30->139 141 Attempt to bypass Chrome Application-Bound Encryption 30->141 143 Contains functionality to inject threads in other processes 30->143 147 6 other signatures 30->147 40 msedge.exe 30->40         started        43 msedge.exe 30->43         started        45 msedge.exe 30->45         started        55 18 other processes 30->55 145 Loading BitLocker PowerShell Module 34->145 47 conhost.exe 34->47         started        49 conhost.exe 36->49         started        51 conhost.exe 38->51         started        53 conhost.exe 38->53         started        signatures14 process15 dnsIp16 135 Monitors registry run keys for changes 40->135 58 msedge.exe 40->58         started        60 msedge.exe 43->60         started        62 msedge.exe 45->62         started        107 192.168.2.7, 138, 443, 49333 unknown unknown 55->107 64 chrome.exe 55->64         started        67 chrome.exe 55->67         started        69 chrome.exe 55->69         started        71 4 other processes 55->71 signatures17 process18 dnsIp19 81 www.google.com 142.251.35.164, 443, 49716, 49717 GOOGLEUS United States 64->81 83 142.251.40.228, 443, 49741, 49742 GOOGLEUS United States 67->83 85 142.250.80.68, 443, 49757, 49758 GOOGLEUS United States 69->85
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/8fdb219fabb4894354480b592c2d91b2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1
Threat name:
Win32.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2025-09-07 22:57:36 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gylelilkkt6nflnuwoceyjphmyf4p67vff7ata5zhre5hhrgs7qq._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
1f2af392cafd75426312e4862f6a1cedd40982bb0d49ca85f101fb60109b2b3f
Vidar
361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1
Vidar
58817bec65f9b5e99077cea5c6fff5fb68af2179b3df84897e04a648687deaf0
Vidar
5f809fd6dfd4a9835a59270b0a82fa23d4b7be207729892f58d4ed0f1cd0ea23
Vidar
error
Vidar
f0311927554d2cc8d96fdcc7756851ce6020e33ac2663a736dca2ad4fd411d48
Vidar
fa346f12fbf02f7c7a9d81366d832cc505644089363ae7120d238a85f7ddff1f
Vidar
fbe61e458f558ee98c0edd7acfa28cbac26f750c2481e6cb796ce3f536d3a009
Vidar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery execution stealer
Link:
https://tria.ge/reports/250908-nnkj3awtcw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Vidar Stealer
Vidar
Vidar family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d9918690-ad0c-4a99-bcd5-4b90598ef12e
Unpacked files
SH256 hash:
361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1
MD5 hash:
8fdb219fabb4894354480b592c2d91b2
SHA1 hash:
a301459db1d273638466416ab65fbdfe9e140f40
Link:
https://www.unpac.me/results/1cdc59bf-2496-4263-87ba-962760c29b7e/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/361645a16a54/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 361645a16a54fcd2adb4b3844c25e7660bc7fbf5297e0983b93c49d39e2697e1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3616708/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/26240/

Comments