MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 15

Intelligence 15 IOCs YARA 13 File information Comments

SHA256 hash:	383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57
SHA3-384 hash:	e75d276779a357c4641431e0db556652e079879740e4d24963e8af55139ec00163569eb3c7bf57f20ed5ae25d2a61306
SHA1 hash:	4bd0e186c7ee144f3637d956d883fa6254136bb6
MD5 hash:	e26068bf8e2d04a17899d5ff6b17a379
humanhash:	tennessee-may-oregon-robin
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	207'872 bytes
First seen:	2026-01-18 11:26:28 UTC
Last seen:	2026-01-20 22:39:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ee53c10aff1d01eafea53328179e33a2 (13 x Vidar, 1 x XenoRAT)
ssdeep	6144:4vkpVOZtzLt/sldpnZdFYST5aC8uCFhWsTnl:4vq2tvtsldRFYca2CF4s
TLSH	T17914221EB02EA54FC5E909FA32552E5D3452809ECFC2FB973C0727D527246ABD85C2A3
TrID	63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12) 24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.ICL) Windows Icons Library (generic) (2059/9) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 UPX vidar

Bitsight

url: http://130.12.180.43/files/mr/random.exe

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	207'872 bytes
File size (de-compressed) :	598'016 bytes
Format:	win64/pe
Unpacked file:	694f6aa64421a86af2b630f3dfcaace14d6c9230574c2efc16ca17d4d7280a80

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PEPacker

Details

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/96443164-4bbc-4ebf-8f5c-b01c0c4e4175/

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-01-18 11:26:44 UTC

Tags:

xor-url generic upx

Link:

https://app.any.run/tasks/50a69031-90bb-447c-8fb0-82b9a1e11765

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49205/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696cc39557243ef151ce1227

Tags:

ransomware obfuscated virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug fingerprint obfuscated packed packed packed upx vidar

Link:

https://www.filescan.io/uploads/696cc391fdafd7624ab01858/reports/1545ad09-4a7c-401c-bfb1-555c88235105/overview

Verdict:

Malicious

Labled as:

HVM:TrojanDownloader/Lotok.ds

Link:

https://www.hybrid-analysis.com/sample/383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-01-18T08:36:00Z UTC

Last seen:

2026-01-18T10:36:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Win32.Vidar.gid PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Vidar.d

Link:

https://opentip.kaspersky.com/383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7f11d97f-f60b-4a3a-8b59-8aaa452f6bca

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57/

Verdict:

Malicious

Threat:

Family.VIDAR

Link:

https://tip.neiki.dev/file/383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57

Threat name:

Win64.Trojan.Vidar

Status:

Malicious

First seen:

2026-01-18 11:27:14 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ha7t5maueatebf4jeb37mu5v33yipunmibljgkhx5pazqangbzlq._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar stealer upx

Link:

https://tria.ge/reports/260118-nkf3gafv9g/

Behaviour

UPX packed file

Detects Vidar Stealer

Vidar

Vidar family

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fb8de7fc-f813-4a8e-ba69-6cff32c7c03e

Unpacked files

SH256 hash:

383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57

MD5 hash:

e26068bf8e2d04a17899d5ff6b17a379

SHA1 hash:

4bd0e186c7ee144f3637d956d883fa6254136bb6

Link:

https://www.unpac.me/results/0fc3869e-8581-4087-a3ca-5cf103bed85d/

SH256 hash:

694f6aa64421a86af2b630f3dfcaace14d6c9230574c2efc16ca17d4d7280a80

MD5 hash:

aceb8c716f600ca1ad67aa4561cbc3c2

SHA1 hash:

8c8cb364642382a47fd099054d6b33f1701ac47e

Detections:

SUSP_XORed_URL_In_EXE

SUSP_XORed_Mozilla

Link:

https://www.unpac.me/results/0fc3869e-8581-4087-a3ca-5cf103bed85d/

Parent samples :

694f6aa64421a86af2b630f3dfcaace14d6c9230574c2efc16ca17d4d7280a80
383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/383f3eb01420/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/383f3eb01420264097892077f653b5def087d1ac40569328f7ebc19801a60e57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834