MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash:	554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0
SHA3-384 hash:	d776f1bb59942b2efe176807bfe4b93026e7d407b2a10772c494bf3fade6e3fe97d0c7fa8327458d1ec565cf04e7c70b
SHA1 hash:	bc153e2f8fbf03703322b04c2d4f491fe274a9e5
MD5 hash:	7c3a234867485ed7626cae2ef87eb559
humanhash:	chicken-massachusetts-zebra-missouri
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	598'016 bytes
First seen:	2026-01-23 10:03:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d0abae3ba8c9e5e9126893b543187d31 (8 x Vidar)
ssdeep	12288:0RwejsJEr1pyO4bjyWgev0Pbj4lpwXvjeuyHT0QQz8n5s:8wgsJEr1pyRjynI0juGLeuyHTx4w5s
TLSH	T1FFD41ABDAC60E336F60C90BEE286D3539E217C410236AA9319BE93241245973DB577FD
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	exe upx-dec vidar

abuse_ch

UPX decompressed file, sourced from SHA256 394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	207'872 bytes
File size (de-compressed) :	598'016 bytes
Format:	win64/pe
Packed file:	394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Vidar

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4192d552-c545-4936-bde8-4a585e6384bb/

Malware family:

vidar

ID:

File name:

_554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0.exe

Verdict:

Malicious activity

Analysis date:

2026-01-23 10:05:17 UTC

Tags:

stealer stealc vidar xor-url generic

Link:

https://app.any.run/tasks/74e6a1cf-77d5-433f-bf5b-44780323ba50

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49882/

Verdict:

Clean

Score:

50.0%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697347adf3cf908ba507a3b2

Tags:

n/a

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug base64 fingerprint obfuscated

Link:

https://www.filescan.io/uploads/697347a85db9ae47708f322a/reports/4220cfac-fad7-417c-81a5-c0eedd7b4ebf/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan-PSW.Win32.Vidar.gif Trojan-PSW.Win32.Vidar.d

Link:

https://opentip.kaspersky.com/554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/404363eb-c7a1-4c8b-92a4-92ca7af8a61a

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1856259

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect virtualization through RDTSC time measurements

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/7c3a234867485ed7626cae2ef87eb559

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kvcglnultioosc4vgomel6d7ohly2okfwu3n7bdlnxmaxmu722qa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260123-l35gnshs8c/

Unpacked files

SH256 hash:

554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0

MD5 hash:

7c3a234867485ed7626cae2ef87eb559

SHA1 hash:

bc153e2f8fbf03703322b04c2d4f491fe274a9e5

Detections:

SUSP_XORed_URL_In_EXE

SUSP_XORed_Mozilla

Link:

https://www.unpac.me/results/b1e53004-c290-427a-b456-574046e99993/

Parent samples :

394717dcc8a7491f56d04d93fbdc9d8ad055e73be7285cdde676bd9e525e0639
554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/554465b68b9a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/554465b68b9a1ce90b95339845f87f71d78d3945b536df846b6dd80bb29fd6a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution