MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 14

Intelligence 14 IOCs YARA 14 File information Comments

SHA256 hash:	394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639
SHA3-384 hash:	8fb62f49a59a7183185e33b649f9e3b3f76b9ee8f16852fbc0ca339299447a9ee059cdf57f7849a4a8803f03dfd91ea1
SHA1 hash:	5e64ddec9f8cb35ed1791bb7b47fa8ffc6836d94
MD5 hash:	9aae289de2a344c8f84656da941a33c4
humanhash:	mirror-item-blossom-magnesium
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	207'872 bytes
First seen:	2026-01-23 10:02:54 UTC
Last seen:	2026-01-23 11:30:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ee53c10aff1d01eafea53328179e33a2 (8 x Vidar)
ssdeep	6144:/EXbKMoHeVu+kXDkc6q+hamEok0z86g7E6NiWg:8GMoHeVu+kwc6q+hrv8l
TLSH	T1921422C0B3B49DE5E34520F8821B53B775EA2A114FCABFD2A47F1E5191A09DDEC31A21
TrID	63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12) 24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.ICL) Windows Icons Library (generic) (2059/9) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 UPX vidar

Bitsight

url: http://130.12.180.43/files/7024015129/zrcKMfi.exe

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	207'872 bytes
File size (de-compressed) :	598'016 bytes
Format:	win64/pe
Unpacked file:	554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PEPacker

Details

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/a53794c5-1082-48f3-b67b-24132d88de4f/

Malware family:

vidar

ID:

File name:

_394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639.exe

Verdict:

Malicious activity

Analysis date:

2026-01-23 10:05:26 UTC

Tags:

stealer stealc vidar xor-url generic upx

Link:

https://app.any.run/tasks/aba4b012-1e2e-4533-82d7-f15f9ebc275a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49881/

Detection(s):

SecuriteInfo.com.FileRepMalware.42713374.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69734773bcad3327ec07f2bd

Tags:

ransomware obfuscated virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug fingerprint obfuscated packed packed packed upx vidar

Link:

https://www.filescan.io/uploads/6973476d55805a763ff23fe5/reports/c4e4c90e-441f-4dfd-8f1c-84dacf651677/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan-PSW.Win32.Vidar.d

Link:

https://opentip.kaspersky.com/394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7a67f847-c5ee-4e2c-8e0b-cd3c0f1bfaeb

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/9aae289de2a344c8f84656da941a33c4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hfdrpxgiu5er6vwqjwj7xxe5rliflzz344ufzxpgo26z4us6ay4q._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar stealer upx

Link:

https://tria.ge/reports/260123-l3j6qshs5f/

Behaviour

UPX packed file

Detects Vidar Stealer

Vidar

Vidar family

Unpacked files

SH256 hash:

394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639

MD5 hash:

9aae289de2a344c8f84656da941a33c4

SHA1 hash:

5e64ddec9f8cb35ed1791bb7b47fa8ffc6836d94

Link:

https://www.unpac.me/results/ea7384b2-d0ec-4284-aadd-6f0263b7a81e/

SH256 hash:

554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0

MD5 hash:

7c3a234867485ed7626cae2ef87eb559

SHA1 hash:

bc153e2f8fbf03703322b04c2d4f491fe274a9e5

Detections:

SUSP_XORed_URL_In_EXE

SUSP_XORed_Mozilla

Link:

https://www.unpac.me/results/ea7384b2-d0ec-4284-aadd-6f0263b7a81e/

Parent samples :

394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639
554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/394717dcc8a7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834