MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 18


Intelligence 18 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0
SHA3-384 hash: 8845b323685a430e2869e996f5035d9dafea42ed1ab62ec1579a5aedd2a5d3e7307c7e024a7c85ad30576e955561966d
SHA1 hash: 4ee1fb056218b85f39cd3a35c702aebf00d78f25
MD5 hash: 1684e9b9f85aaf93d1a90063d386b67f
humanhash: harry-michigan-oxygen-football
File name:1684e9b9f85aaf93d1a90063d386b67f.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:9'137'152 bytes
First seen:2025-02-26 07:08:17 UTC
Last seen:2025-02-26 07:21:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep 49152:zHc0LD04voQr6iZAhhG4YDLduYWnqjoN4KWj4gCCOWuyO0CSgA5QkWhVoUcNvE01:bc0LlXZAC/D3KnabOte3KVIYEnjuq
Threatray 6 similar samples on MalwareBazaar
TLSH T1ED963951F9FB04F5EA03587018A7622F27345E098B66DBD7DA107F69E837ED10A33229
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon e4e9899c98b1f264 (1 x Vidar)
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
490
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
1684e9b9f85aaf93d1a90063d386b67f.exe
Verdict:
Malicious activity
Analysis date:
2025-02-26 07:12:37 UTC
Tags:
golang vidar stealer telegram
Link:
https://app.any.run/tasks/6eac337c-4431-4999-9247-e0cc10ab41bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.9999.4113.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bebe65a0fd713c335ce663
Tags:
emotet virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypto golang obfuscated
Link:
https://www.filescan.io/uploads/67bebe1760f4b4f0724ca7b8/reports/ddcd70c5-80f0-4269-9905-aa33f346f88c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07a93b0c-b903-4f49-b6f7-a0c1abd12a9d
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1624336
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1624336 Sample: dwpk5JGAxF.exe Startdate: 26/02/2025 Architecture: WINDOWS Score: 100 43 fua.4t.com 2->43 45 t.me 2->45 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 5 other signatures 2->75 9 dwpk5JGAxF.exe 2->9         started        12 msedge.exe 613 2->12         started        signatures3 process4 signatures5 77 Writes to foreign memory regions 9->77 79 Allocates memory in foreign processes 9->79 81 Injects a PE file into a foreign processes 9->81 14 BitLockerToGo.exe 29 9->14         started        18 msedge.exe 12->18         started        20 msedge.exe 12->20         started        22 msedge.exe 12->22         started        24 msedge.exe 12->24         started        process6 dnsIp7 57 fua.4t.com 94.130.190.206, 443, 49708, 49709 HETZNER-ASDE Germany 14->57 59 t.me 149.154.167.99, 443, 49707 TELEGRAMRU United Kingdom 14->59 61 127.0.0.1 unknown unknown 14->61 85 Attempt to bypass Chrome Application-Bound Encryption 14->85 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->87 89 Found many strings related to Crypto-Wallets (likely being stolen) 14->89 91 5 other signatures 14->91 26 msedge.exe 2 11 14->26         started        29 chrome.exe 8 14->29         started        32 cmd.exe 14->32         started        63 c-msn-pme.trafficmanager.net 13.74.129.1, 443, 49767 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->63 65 ax-0001.ax-msedge.net 150.171.28.10, 443, 49766 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->65 67 28 other IPs or domains 18->67 signatures8 process9 dnsIp10 83 Monitors registry run keys for changes 26->83 34 msedge.exe 26->34         started        53 192.168.2.8, 138, 443, 49414 unknown unknown 29->53 55 239.255.255.250 unknown Reserved 29->55 36 chrome.exe 29->36         started        39 conhost.exe 32->39         started        41 timeout.exe 32->41         started        signatures11 process12 dnsIp13 47 www.google.com 142.250.185.228, 443, 49717, 49719 GOOGLEUS United States 36->47 49 play.google.com 142.250.185.78, 443, 49733 GOOGLEUS United States 36->49 51 2 other IPs or domains 36->51
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-25 09:25:09 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvfcksq6h4lxjumi3aocf5g3dhim2plli7vqgtwpzuk2kzt2iwqa._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
00f17690a2eb58bddfc6a0f11c532590f2f44a476a0157cdcb9c52c5dc35c15d
Vidar
3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0
Vidar
40fed52e5934fcad07361ef15fa31a9de473e1ec40bef353c3e69d2d22785414
Vidar
4f21fa7d1daaab88aaa4ffccab5145e36a6ee21ef9da888338f47ed2eafffee1
Vidar
efff026f46c677e98f53e834d1f074030d2a33d93289f9bbaa26c47451d63989
Vidar
error
Vidar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar credential_access discovery spyware stealer
Link:
https://tria.ge/reports/250226-hywgesxmt6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsecured Credentials: Credentials In Files
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/g02f04
https://steamcommunity.com/profiles/76561199828130190
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0d960265-1dbc-46a4-9e3e-228b86416fe0
Unpacked files
SH256 hash:
3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0
MD5 hash:
1684e9b9f85aaf93d1a90063d386b67f
SHA1 hash:
4ee1fb056218b85f39cd3a35c702aebf00d78f25
Link:
https://www.unpac.me/results/c22e63c3-f70a-40a2-b2fb-f29cc1c997df/
SH256 hash:
437fdcc018ba583ee68ca2b914a217471173daa7b6fc5a79734d800398b91c3e
MD5 hash:
255558e13f9c7a3404f83f951d6f5be1
SHA1 hash:
4941eb7d71d45f1d873caf57f9e9f035a4a27c0b
Detections:
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/c22e63c3-f70a-40a2-b2fb-f29cc1c997df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3452051/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryW
kernel32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WriteConsoleW
kernel32.dll::SetConsoleCtrlHandler
kernel32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetSystemDirectoryA

Comments