MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5
SHA3-384 hash: fd2417b946c6b05486318cf314de9b502b8b8426fc37890dc5ffbb74b1563441d445ea8cb49ba1b577c8d621033580c8
SHA1 hash: 46538a5c152db2371aba700111de21c32845bc23
MD5 hash: 9aa518c8f33fbabb7a86695265b4b842
humanhash: apart-undress-grey-sweet
File name:app.hta
Download: download sample
Signature Vidar
Create hunting rule
File size:4'752 bytes
First seen:2026-02-12 17:33:15 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:NDEE/6K1EXuLot7KAYlKU0ZWh8aAHy5BW08F0vL+fKo3mMCJU5LorW:6E/HHLzAYlKM8a55Bh8F0vLZxMCJUNl
TLSH T1D3A185B1873102D873A201D9096DD25110E0C26BAC5DF68DB74DE9C19F95B83833EBF6
Magika html
Reporter abuse_ch
Tags:ClickFix hta vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698e0f1476589225f665f43a
Tags:
obfuscate xtreme overt
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5/results/dashboard
Payload URLs
URL
File name
https://gardenscup.com/36b42c47/e62d154f1b.msi
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm bitsadmin evasive lolbin powershell
Link:
https://www.filescan.io/uploads/698e0f13c9bfb60ece1f0152/reports/d4ee2303-706a-4dc1-8906-fdad4460e4e3/overview
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5
Verdict:
Malicious
File Type:
hta
First seen:
2026-02-12T14:41:00Z UTC
Last seen:
2026-02-13T12:59:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Script.Generic Trojan-Downloader.JS.SLoad.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic Trojan-Downloader.Win32.Bitser.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5/results?tab=lookup
Result
Threat name:
HTMLPhisher
Create hunting rule
Detection:
malicious
Classification:
phis.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1868613
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Process Parents
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to download files via bitsadmin
Yara detected BlockedWebSite
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1868613 Sample: app.hta Startdate: 12/02/2026 Architecture: WINDOWS Score: 96 28 gardenscup.com 2->28 34 Antivirus detection for URL or domain 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected BlockedWebSite 2->38 40 4 other signatures 2->40 8 mshta.exe 3 2->8         started        signatures3 process4 dnsIp5 30 gardenscup.com 104.21.93.12, 443, 49689, 49692 CLOUDFLARENETUS United States 8->30 42 Suspicious powershell command line found 8->42 44 Tries to download files via bitsadmin 8->44 46 Tries to download and execute files (via powershell) 8->46 48 Bypasses PowerShell execution policy 8->48 12 curl.exe 2 8->12         started        16 powershell.exe 15 15 8->16         started        18 bitsadmin.exe 1 8->18         started        signatures6 process7 dnsIp8 32 127.0.0.1 unknown unknown 12->32 26 C:\Users\user\AppData\...\browserservices.msi, HTML 12->26 dropped 20 conhost.exe 12->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        file9 process10
Score:
39%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Html
Link:
https://app.malva.re/file/9aa518c8f33fbabb7a86695265b4b842
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.SLoad
Link:
https://tip.neiki.dev/file/4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2026-02-12 17:34:20 UTC
File Type:
Text (HTML)
Extracted files:
2
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jvxfumst6qy5xef7cbdk2fzydut632i7vsmnjc2elwrojbgfht2q._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery dropper execution
Link:
https://tria.ge/reports/260212-v5g9lac19c/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
Malware Config
Dropper Extraction:
https://gardenscup.com/36b42c47/e62d154f1b.msi
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MalScript_Tricks
Create hunting rule
Author:@bartblaze
Description:Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

HTML Application (hta) hta 4d6e5a3253f431db90bf1046ad17381d27ede91fac98d48b445da2e484c53cf5

(this sample)

Vidar

Microsoft Software Installer (MSI) msi fea31e901389f476014152795ffe55103f575b48845e3a744e3e7be3071605b1

  
URLhaus
https://urlhaus.abuse.ch/url/3776548/
  
URLhaus
https://threatfox.abuse.ch/ioc/1746930/
  
Dropping
MD5 3a47f0b9220bfb50e9340329c3195196
  
Dropping
SHA256 fea31e901389f476014152795ffe55103f575b48845e3a744e3e7be3071605b1
  
Dropping
Vidar
  
Delivery method
Distributed via web download

Comments