MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c958205aa4c56b148377b2bd984a7b3b6525bbc914cf8e5aaa34ce91f71d4cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments

SHA256 hash: 4c958205aa4c56b148377b2bd984a7b3b6525bbc914cf8e5aaa34ce91f71d4cc
SHA3-384 hash: e8dc85aa456eb31c050eda2f409379e73f63d6d42c2fe3fef512537d3d12f48993e0cbc48a95ac591cef3c2c3143e455
SHA1 hash: 9024d7171e44331efc5cbeb580558deb47b1af4d
MD5 hash: 55ad3c515562be0c5b5bae109e0bc745
humanhash: hotel-iowa-seventeen-ten
File name:kythy.exe
Download: download sample
Signature Vidar
File size:12'097'322 bytes
First seen:2026-07-12 07:23:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (24 x HijackLoader, 23 x GhostPulse, 14 x ValleyRAT)
ssdeep 196608:+pvWnuS9X6aeGBq43Xp4K9spg1GMSstK8S2JEK8XQlsps5eRXg:+piL9KaNBjXpOmUcJEK/lsOei
Threatray 108 similar samples on MalwareBazaar
TLSH T179C633463B55B9FBCD50D23C4F1DF7F38AB0E6A128218BDB498A4D223E9764612478F1
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.8% (.EXE) Win64 Executable (generic) (6522/11/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c292ecd8f2f6fe1c (23 x GhostPulse, 23 x HijackLoader, 11 x LummaStealer)
Reporter BlinkzSec
Tags:vidar

Intelligence


File Origin
# of uploads :
1
# of downloads :
63
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
_4c958205aa4c56b148377b2bd984a7b3b6525bbc914cf8e5aaa34ce91f71d4cc.exe
Verdict:
Malicious activity
Analysis date:
2026-07-12 07:26:20 UTC
Tags:
hijackloader loader snappyclient rat stealer stealc vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context downloader evasive fingerprint hijackloader installer installer installer-heuristic microsoft_visual_cc overlay packed reconnaissance
Verdict:
Malicious
File Type:
exe x32
Detections:
HEUR:Trojan.Win64.DllHijack.gen
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2026-07-12 07:19:32 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:hijackloader family:vidar botnet:0465cc06397a50a1f9c08b9f78ed6cf2 credential_access discovery loader spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detects HijackLoader (aka IDAT Loader)
Family: HijackLoader, IDAT loader, Ghostulse,
Family: Vidar
Malware Config
C2 Extraction:
https://94.130.41.8
https://telegram.me/af97ri
https://steamcommunity.com/profiles/76561198680197300
Unpacked files
SH256 hash:
4c958205aa4c56b148377b2bd984a7b3b6525bbc914cf8e5aaa34ce91f71d4cc
MD5 hash:
55ad3c515562be0c5b5bae109e0bc745
SHA1 hash:
9024d7171e44331efc5cbeb580558deb47b1af4d
SH256 hash:
13168b4293875821534ca8c2ca5eda601532e768f31b3ef04b2c6ae021227dba
MD5 hash:
21a786d3a1fcce2a1c527ae67644aac7
SHA1 hash:
33c4f26a927eee5a7793f741a22e789d39c97c09
SH256 hash:
26bfb5ad454d32397047c2b1d96cecfb0216e4ae217d33c60bcd7bd8c1e52c99
MD5 hash:
c0edff7c142c084d8f1e470b1138fd30
SHA1 hash:
47a59314c9c3f777051158715acf5fcb1010c306
SH256 hash:
2915c7b486e23dc458bd16594ba2eecb2d0095c3951315f366e43efb57f6e025
MD5 hash:
ad3c4cbc2908156b83a529c67d70bc3d
SHA1 hash:
a009657e848a95d252ab754d5ef4c123f76a7218
SH256 hash:
a547c74ad96ea0b47a7057575fd0e4e177a6f720aeb5ad2cb7f3660e1a1a4eca
MD5 hash:
5a8211758c0cc5d06c8100631895ee1d
SHA1 hash:
ae8f24695049ba4e1eeeb423e565d0f26acf4eb8
SH256 hash:
eeb3cd436f4d285f666ed0d0522b72c4773134b28c3431d5356b0a52b849db04
MD5 hash:
36733f9e38dda5c00434be5321ec013a
SHA1 hash:
af65d2eed824ace7fda9ff491018ba89756f54ea
SH256 hash:
7143911cdfb49c34d4bcde212362edeb1a64ddce897f31d2f821f049257c8340
MD5 hash:
7a1960cdbdf123b33bebbc01288f883b
SHA1 hash:
b16b6640d3ef73d14d7152cda384c8dde60fbff1
SH256 hash:
5f2c90d35852edfee08d5158c02103f69d202bfb6b0097f467e7e64d58cfa4f6
MD5 hash:
89378f387cd34b19e300b9904f9e7180
SHA1 hash:
d08e4aeaa5bc8d6bbfdd8768c928b55166381d17
Malware family:
SHADOWLADDER
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 4c958205aa4c56b148377b2bd984a7b3b6525bbc914cf8e5aaa34ce91f71d4cc

(this sample)

  
Delivery method
Distributed via web download

Comments