MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 378d6707539f040ea05d9ce7a3accf6a410f8c2c4afc1f0b366211e25072237b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 378d6707539f040ea05d9ce7a3accf6a410f8c2c4afc1f0b366211e25072237b
SHA3-384 hash: 310f490fe867c0275b3c9ce3b03bdde22e9c44f5aa19944539bbe44a59e65ffb08ee8d54043abf5bdbf0900ae659d953
SHA1 hash: a218c7baec2e75110e47708cbf9d32aaf2d02e77
MD5 hash: 79203f5bcdc94c7a643aa55160372e6a
humanhash: burger-connecticut-four-texas
File name:79203f5bcdc94c7a643aa55160372e6a.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:2'135'040 bytes
First seen:2025-03-18 07:54:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:qvVEn6nvIqRSnB4GPkctL61qgSCMHo/P6CJI9Lqj4wQx:J6nvXSB46kctL6AoMHo6CJI9Lf
Threatray 14 similar samples on MalwareBazaar
TLSH T103A512973BFCF52EDE0EA033944A2E18D47A0DE58463A68653846C3B472B3F5CF95489
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
79203f5bcdc94c7a643aa55160372e6a.exe
Verdict:
Malicious activity
Analysis date:
2025-03-18 08:47:18 UTC
Tags:
amadey botnet stealer loader opendir lumma vidar telegram darkvision remote themida rdp auto generic
Link:
https://app.any.run/tasks/b91bc416-e532-4556-b7a1-14a3e92c7c1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d9401b3962f1a6f47295cb
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/378d6707539f040ea05d9ce7a3accf6a410f8c2c4afc1f0b366211e25072237b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/88503794-5c15-4ca2-941b-aaf554915e05
Result
Threat name:
Amadey, DarkVision Rat, LummaC Stealer,
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1641386
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates autostart registry keys with suspicious names
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Binaries Write Suspicious Extensions
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade analysis by execution special instruction (VM detection)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Costura Assembly Loader
Yara detected DarkVision Rat
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected PersistenceViaHiddenTask
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1641386 Sample: 6xdW3oRY63.exe Startdate: 18/03/2025 Architecture: WINDOWS Score: 100 120 weaponwo.life 2->120 122 t.p.formaxprime.co.uk 2->122 124 15 other IPs or domains 2->124 146 Suricata IDS alerts for network traffic 2->146 148 Found malware configuration 2->148 150 Malicious sample detected (through community Yara rule) 2->150 152 32 other signatures 2->152 11 rapes.exe 2 36 2->11         started        16 6xdW3oRY63.exe 5 2->16         started        18 Path.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 dnsIp5 134 176.113.115.6, 49693, 49694, 49696 SELECTELRU Russian Federation 11->134 136 176.113.115.7, 49699, 49707, 49742 SELECTELRU Russian Federation 11->136 138 2 other IPs or domains 11->138 108 C:\Users\user\AppData\...\b4bfc494cd.exe, PE32 11->108 dropped 110 C:\Users\user\AppData\Local\...\amnew.exe, PE32 11->110 dropped 112 C:\Users\user\AppData\Local\...\KX7TDcm.exe, PE32 11->112 dropped 118 9 other malicious files 11->118 dropped 228 Contains functionality to start a terminal service 11->228 230 Creates multiple autostart registry keys 11->230 232 Hides threads from debuggers 11->232 242 2 other signatures 11->242 22 8sb9w_003.exe 3 1 11->22         started        25 b4bfc494cd.exe 11->25         started        28 KX7TDcm.exe 11->28         started        33 4 other processes 11->33 114 C:\Users\user\AppData\Local\...\rapes.exe, PE32 16->114 dropped 116 C:\Users\user\...\rapes.exe:Zone.Identifier, ASCII 16->116 dropped 234 Detected unpacking (changes PE section rights) 16->234 236 Tries to evade debugger and weak emulator (self modifying code) 16->236 238 Tries to detect virtualization through RDTSC time measurements 16->238 31 rapes.exe 16->31         started        240 Multi AV Scanner detection for dropped file 18->240 file6 signatures7 process8 dnsIp9 178 Antivirus detection for dropped file 22->178 180 Query firmware table information (likely to detect VMs) 22->180 198 6 other signatures 22->198 35 svchost.exe 3 7 22->35         started        40 cmd.exe 1 22->40         started        102 C:\Users\user\AppData\Local\...\25g4obIHQ.hta, HTML 25->102 dropped 182 Binary is likely a compiled AutoIt script file 25->182 184 Creates HTA files 25->184 42 mshta.exe 25->42         started        44 cmd.exe 25->44         started        140 weaponwo.life 188.114.96.3 CLOUDFLARENETUS European Union 28->140 186 Detected unpacking (changes PE section rights) 28->186 188 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->188 190 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->190 200 5 other signatures 28->200 192 Multi AV Scanner detection for dropped file 31->192 194 Contains functionality to start a terminal service 31->194 196 Tries to evade debugger and weak emulator (self modifying code) 31->196 142 t.me 149.154.167.99, 443, 49705 TELEGRAMRU United Kingdom 33->142 144 t.p.formaxprime.co.uk 78.47.63.132, 443, 49708, 49709 HETZNER-ASDE Germany 33->144 104 C:\Users\user\AppData\Local\...\00000029.exe, PE32+ 33->104 dropped 106 C:\Users\user\AppData\Local\...\futors.exe, PE32 33->106 dropped 202 3 other signatures 33->202 46 00000029.exe 33->46         started        48 futors.exe 33->48         started        50 cmd.exe 33->50         started        52 3 other processes 33->52 file10 signatures11 process12 dnsIp13 126 82.29.67.160, 443, 49700, 49702 NTLGB United Kingdom 35->126 128 grabify.link 104.26.9.202, 443, 49697, 49698 CLOUDFLARENETUS United States 35->128 90 C:\Users\user\AppData\Local\Temp\...\cls.exe, PE32+ 35->90 dropped 92 C:\ProgramData\...\ps.exe, PE32+ 35->92 dropped 94 C:\ProgramData\...\ps.bat, PNG 35->94 dropped 154 Benign windows process drops PE files 35->154 156 Creates autostart registry keys with suspicious names 35->156 158 Creates multiple autostart registry keys 35->158 160 Searches for specific processes (likely to inject) 35->160 54 ps.exe 35->54         started        59 cls.exe 35->59         started        61 cmd.exe 35->61         started        162 Adds a directory exclusion to Windows Defender 40->162 63 powershell.exe 23 40->63         started        65 conhost.exe 40->65         started        164 Suspicious powershell command line found 42->164 166 Tries to download and execute files (via powershell) 42->166 67 powershell.exe 42->67         started        168 Uses schtasks.exe or at.exe to add and modify task schedules 44->168 69 conhost.exe 44->69         started        71 schtasks.exe 44->71         started        96 C:\Users\user\AppData\Roaming\...\Path.exe, PE32+ 46->96 dropped 170 Antivirus detection for dropped file 46->170 172 Multi AV Scanner detection for dropped file 46->172 174 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 46->174 176 Contains functionality to start a terminal service 48->176 73 powershell.exe 50->73         started        file14 signatures15 process16 dnsIp17 130 104.168.28.10, 49716, 49719, 49722 AS-COLOCROSSINGUS United States 54->130 132 127.0.0.1 unknown unknown 54->132 98 C:\Windows\Temp\5i0H4g11_3216.sys, PE32+ 54->98 dropped 204 Query firmware table information (likely to detect VMs) 54->204 206 Adds a directory exclusion to Windows Defender 54->206 208 Sample is not signed and drops a device driver 54->208 210 Tries to evade analysis by execution special instruction (VM detection) 54->210 75 powershell.exe 54->75         started        78 powershell.exe 54->78         started        212 Found direct / indirect Syscall (likely to bypass EDR) 59->212 80 conhost.exe 61->80         started        214 Loading BitLocker PowerShell Module 63->214 100 TempZHFNDXPCIDHMLDIJUAFFWNVGJZE1PQGM.EXE, PE32 67->100 dropped 216 Powershell drops PE file 67->216 82 TempZHFNDXPCIDHMLDIJUAFFWNVGJZE1PQGM.EXE 67->82         started        84 conhost.exe 67->84         started        file18 signatures19 process20 signatures21 218 Loading BitLocker PowerShell Module 75->218 86 conhost.exe 75->86         started        88 conhost.exe 78->88         started        220 Antivirus detection for dropped file 82->220 222 Tries to detect sandboxes and other dynamic analysis tools (window names) 82->222 224 Tries to evade debugger and weak emulator (self modifying code) 82->224 226 Tries to detect sandboxes / dynamic malware analysis system (registry check) 82->226 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/378d6707539f040ea05d9ce7a3accf6a410f8c2c4afc1f0b366211e25072237b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/378d6707539f040ea05d9ce7a3accf6a410f8c2c4afc1f0b366211e25072237b/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-03-17 20:57:59 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g6gwob2tt4ca5ic5ttt2hlgpnjaq7dbmjl6b6czwmii6eudsen5q._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
darkvisionrat
Create hunting rule
idatloader
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
02596ab86597670e98b7d1fa7cf26fd3a01a012f1e73eae0dbbdf55db80b6149
Vidar
1285fdb82e7930812a9c52e680143cea311d8b147cb7aa8b6ea3637e8b94a9fc
Vidar
26d09f46d3cc20583ea59a17a3ea6eb482b1e7171bf7a98f17032b2606f7bbdd
Vidar
52bab11bbaca42a156276889ffac368534c9b77611bcfa341104f75ea2c08be1
Vidar
9b49dad54f6489a7ee2e7cd6f52a90e6105e7be66b0f000c9a6fff6a24cd0ed7
Vidar
d4717111251ccd87aed19d387a50770f795dda04d454a97ebe53b27ea3afe1fb
Vidar
error
Vidar
f3d0d3f441f11c9dac99ee9e44b0df25fb424ad8fa13584a917aca56261c2a54
Vidar
+ 4 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:healer family:lumma family:stealc family:vidar botnet:092155 botnet:trump credential_access defense_evasion discovery dropper evasion execution persistence pyinstaller spyware stealer trojan upx
Link:
https://tria.ge/reports/250318-jrl5va1kt3/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Detects Healer an antivirus disabler dropper
Healer
Healer family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender TamperProtection settings
Modifies Windows Defender notification settings
Stealc
Stealc family
Vidar
Vidar family
Malware Config
C2 Extraction:
http://176.113.115.6
https://absoulpushx.life/api
https://begindecafer.world/api
https://garagedrootz.top/api
https://9modelshiverd.icu/api
https://arisechairedd.shop/api
https://catterjur.run/api
https://orangemyther.live/api
https://fostinjec.today/api
https://sterpickced.digital/api
https://.cocjkoonpillow.today/api
https://zfeatureccus.shop/api
https://mrodularmall.top/api
https://jowinjoinery.icu/api
https://legenassedk.top/api
https://yhtardwarehu.icu/api
https://cjlaspcorne.icu/api
https://bugildbett.top/api
https://latchclan.shop/api
https://9garagedrootz.top/api
https://modelshiverd.icu/api
https://ksterpickced.digital/api
https://kbracketba.shop/api
https://featureccus.shop/api
https://htardwarehu.icu/api
http://45.93.20.28
https://codxefusion.top/api
Dropper Extraction:
http://176.113.115.7/mine/random.exe
Verdict:
Malicious
Tags:
darkvision_rat
YARA:
n/a
Link:
https://app.threat.zone/submission/ffb8d56f-a539-4700-b849-8cdfc58a3cde
Unpacked files
SH256 hash:
378d6707539f040ea05d9ce7a3accf6a410f8c2c4afc1f0b366211e25072237b
MD5 hash:
79203f5bcdc94c7a643aa55160372e6a
SHA1 hash:
a218c7baec2e75110e47708cbf9d32aaf2d02e77
Link:
https://www.unpac.me/results/98c60510-20da-475c-afae-c1312216f2aa/
SH256 hash:
2d8d97ac3ad0c53a2e4c413841f77314f6fb038b3f609663a1aa5217b22bbadb
MD5 hash:
9722982f9b8d2b8da4b37475f8b7b5fa
SHA1 hash:
1770127b871fbf01f265243caf53edcf1927fc33
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/98c60510-20da-475c-afae-c1312216f2aa/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/378d6707539f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/378d6707539f040ea05d9ce7a3accf6a410f8c2c4afc1f0b366211e25072237b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 378d6707539f040ea05d9ce7a3accf6a410f8c2c4afc1f0b366211e25072237b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3460858/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments