MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f
SHA3-384 hash: 9b5bc519eb1b5961dcbccd6f1865f72120e4d2d5fd7f4bd646e7f196e3f0a95fe533a4d1f823935cc17773c1f609544d
SHA1 hash: d86d2a0653f79a5a77125e8b6332562ee60a3533
MD5 hash: f32396dd4324f6feebdb4122f7a4e80c
humanhash: illinois-sweet-delta-hotel
File name:4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f.dll
Download: download sample
Signature Vidar
Create hunting rule
File size:1'640'960 bytes
First seen:2026-04-09 05:41:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea54e4894a303b4ac278980d4a4a5608 (2 x Vidar)
ssdeep 24576:X1jEwWjAHjti2nv2yoI44PZjNDmg7bkbUTVgKs+bRg:FuUHZBvvPZHq2g
Threatray 17 similar samples on MalwareBazaar
TLSH T187759E30A9DD4DD1F197B0F12E3661EEA2A3618353F4668B12D68F0A1B2743D47E3AD1
TrID 60.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
14.6% (.EXE) Win64 Executable (generic) (6522/11/2)
11.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.5% (.EXE) OS/2 Executable (generic) (2029/13)
4.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:dll exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
vidar
Create hunting rule
ID:
1
File name:
https://www.youtube.com/redirect?event=backstage_event&redir_token=QUFFLUhqbG9QaTgtUGJ6dWpHdmdLQlNEQkEtZWtiRUx3QXxBQ3Jtc0trMzRaa3ZXUUtqdW5NYjQ0RVQxMG5rdGJoa1MzTVJWU05EblN3OVk5cG1MTWFpNkNyT2UzVDIyeVhnYzRIbmRJSHU0dDdMTEwzZ0xZNmwtUzR4blF2eTNGNzBOdG5sdEZWOHJsd1F3S3cxUmtaZlpSaw&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fo8h4qsk8yig9m%2F33
Verdict:
Malicious activity
Analysis date:
2026-04-08 22:41:23 UTC
Tags:
fingerprinting vidar stealer
Link:
https://app.any.run/tasks/019ff7d1-3f49-43ae-8bb9-fa6313e388a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60885/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.28757377.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d72cfa66ab6d001dd07cfc
Tags:
malware
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm masquerade microsoft_visual_cc unsafe
Link:
https://www.filescan.io/uploads/69d73c3e799d5bf325f3bce7/reports/9f47ef83-9fa5-4b89-84b3-6424a6d9af9a/overview
Verdict:
Malicious
Labled as:
Downloader.Generic
Link:
https://www.hybrid-analysis.com/sample/4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f
Verdict:
Malicious
File Type:
dll x64
First seen:
2026-04-09T01:55:00Z UTC
Last seen:
2026-04-09T14:04:00Z UTC
Hits:
~100
Detections:
VHO:Trojan.Win64.Agent.gen Trojan.Win32.Agent.xcdkuu
Link:
https://opentip.kaspersky.com/4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/92d48bc3-c3ab-4500-97e7-ba0e04c87920
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1895682
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1895682 Sample: EfTXvaQMmT.exe Startdate: 09/04/2026 Architecture: WINDOWS Score: 100 64 xandrpme-ms-geo.trafficmanager.net 2->64 66 www-msn-com.a-0003.a-msedge.net 2->66 68 46 other IPs or domains 2->68 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 4 other signatures 2->94 9 loaddll64.exe 1 2->9         started        11 msedge.exe 2->11         started        14 msedge.exe 2->14         started        signatures3 process4 dnsIp5 16 rundll32.exe 21 9->16         started        20 cmd.exe 1 9->20         started        22 rundll32.exe 9->22         started        32 9 other processes 9->32 70 192.168.2.10, 443, 49674, 49681 unknown unknown 11->70 72 239.255.255.250 unknown Reserved 11->72 24 msedge.exe 11->24         started        26 msedge.exe 11->26         started        28 msedge.exe 11->28         started        30 msedge.exe 14->30         started        process6 dnsIp7 52 185.56.45.248, 443, 49681, 49682 ITILITY-LIMITEDInternetServiceProviderGB United Kingdom 16->52 74 System process connects to network (likely due to code injection or exploit) 16->74 76 Found API chain indicative of debugger detection 16->76 78 Tries to harvest and steal browser information (history, passwords, etc) 16->78 82 6 other signatures 16->82 34 msedge.exe 16->34         started        37 msedge.exe 16->37         started        39 chrome.exe 16->39         started        41 rundll32.exe 20->41         started        80 Modifies the context of a thread in another process (thread injection) 22->80 54 china.bing123.com 202.89.233.100, 443, 49766 MMAISNETMicrosoftMobileAllianceInternetServicesCoLt China 24->54 56 202.89.233.101, 443, 49772 MMAISNETMicrosoftMobileAllianceInternetServicesCoLt China 24->56 58 38 other IPs or domains 24->58 43 WerFault.exe 20 16 32->43         started        signatures8 process9 signatures10 84 Monitors registry run keys for changes 34->84 45 msedge.exe 34->45         started        47 msedge.exe 37->47         started        49 chrome.exe 39->49         started        86 Modifies the context of a thread in another process (thread injection) 41->86 process11 dnsIp12 60 www.google.com 142.251.154.119, 443, 49721, 49722 GOOGLEUS United States 49->60 62 sb.scorecardresearch.com 49->62
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f/
Verdict:
Malicious
Threat:
Family.VIDAR
Link:
https://tip.neiki.dev/file/4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f
Threat name:
Win64.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2026-04-09 04:37:17 UTC
File Type:
PE+ (Dll)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwq67z4zjoc5dnszdql72ir326kinpazk4hluzwd6bybfzpwkjhq._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
12e88279a1be82a6627219dc806a9e2a2dfb3a5aaad55a5c10826977135b1ed9
Vidar
4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f
Vidar
6d557467cdb0b20561acab3c95707230dded7798732430d9aff2b9c7f885ae0c
Vidar
793e3afbce88e9498cfdc273db4e40b57cae2bd6de10f392c83a162b94c7e1ad
Vidar
8b7ab7f5a37f55fa529ca5b1470b9bccf219b0f3b62928c85eb140d7d4d805d2
Vidar
9b83791bba1a2384a3f49d4c3abd96debfc2bced8a1fd7456810befd48b1dbfe
Vidar
c00452a801075e2dbcbee8fcb0aa7d60f166fa682ba62c30378feffa4acf2f38
Vidar
e525580984668787035cbf64143cbccda605bbd3bc688c714bdb6045034b4a3e
Vidar
error
Vidar
f7e6b836a488e7e96ba82d4bc983bf05f9a96fc34a00bb194a522099b120abb5
Vidar
+ 7 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:6b617ac1498e35b0448dfd2dca80714c collection discovery spyware stealer
Link:
https://tria.ge/reports/260409-gd6k8aaw6p/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Detects Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://185.56.45.248
https://telegram.me/nwwfh8
https://steamcommunity.com/profiles/76561198719385745
Unpacked files
SH256 hash:
4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f
MD5 hash:
f32396dd4324f6feebdb4122f7a4e80c
SHA1 hash:
d86d2a0653f79a5a77125e8b6332562ee60a3533
Link:
https://www.unpac.me/results/501e08c1-0492-4f46-8148-c9e9bd005c18/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4da1efe7994b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4da1efe7994b85d1b6591c17fd223bd79486bc19570eba66c3f07012e5f6524f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/60885/

Comments