MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55966f97ce10dd86da33f62b7746c8cad16589f4861b8aa37cee2d7d39454407. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55966f97ce10dd86da33f62b7746c8cad16589f4861b8aa37cee2d7d39454407
SHA3-384 hash: 533b03b4534aa4bff623dcbe75032633ec2bf8f1f1562ae5946dfc13de0ebe4744de0e53807880e70d03d71344af2ab3
SHA1 hash: d0b3f7ced5206d52c6460be04461d7ce0ea1919f
MD5 hash: 6fd7426df231b69c65c52ab8b0883ee7
humanhash: sad-april-louisiana-yellow
File name:6FD7426DF231B69C65C52AB8B0883EE7.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:3'360'213 bytes
First seen:2025-06-18 16:21:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 49152:7B6scRCBgsmzTpcCMgiYwCVFdHE+zudai1sGWRGdy7mf3dMSpgfx8j96NXvK7go:F0AGlzT3Rjdk+tesGWcxfBp+xi6ZS7go
Threatray 2'890 similar samples on MalwareBazaar
TLSH T162F5334175C684B2F0B619B35F3E775159BCAA104F7189CFE3850A6EFA624C1C731AB2
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10522/11/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter abuse_ch
Tags:Amadey exe vidar


Avatar
abuse_ch
Amadey C2:
http://89.150.35.144/cpuProcessDatalifeuploads.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://89.150.35.144/cpuProcessDatalifeuploads.php https://threatfox.abuse.ch/ioc/1546342/

Intelligence

File Origin
# of uploads :
1
# of downloads :
460
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
6FD7426DF231B69C65C52AB8B0883EE7.exe
Verdict:
Malicious activity
Analysis date:
2025-06-18 17:22:59 UTC
Tags:
amadey botnet stealer loader auto-reg unlocker-eject tool rdp evasion remote xworm telegram stealc lumma auto arch-exec vidar auto-startup autoit github rat quasar ims-api generic themida ip-check
Link:
https://app.any.run/tasks/4a92fed9-ad08-424a-adbf-1476c44ecd77

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10038/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6852e7dff89e43b214563ca6
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% subdirectories
Launching a service
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm autoit evasive fingerprint fingerprint installer keylogger microsoft_visual_cc overlay overlay packed packer_detected sfx
Link:
https://www.filescan.io/uploads/6852e7b53faf8fcd7d345386/reports/b29e1a4b-35dd-4073-a651-3a42052f5f64/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/55966f97ce10dd86da33f62b7746c8cad16589f4861b8aa37cee2d7d39454407
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16924676-556a-485a-8af9-dd7b53ef0cce
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1717793
Signature
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717793 Sample: 5rUCsJBpSx.exe Startdate: 18/06/2025 Architecture: WINDOWS Score: 100 109 185.156.72.96 ITDELUXE-ASRU Russian Federation 2->109 111 www.google.com 2->111 113 b0x.inj3ct0rc.com 2->113 129 Suricata IDS alerts for network traffic 2->129 131 Found malware configuration 2->131 133 Multi AV Scanner detection for submitted file 2->133 135 11 other signatures 2->135 11 5rUCsJBpSx.exe 6 2->11         started        14 bGQLNsVZ.exe 2->14         started        signatures3 process4 file5 95 C:\Temper\bGQLNsVZ.exe, PE32 11->95 dropped 97 C:\Temper\RzqPFwLV.exe, PE32 11->97 dropped 17 bGQLNsVZ.exe 11->17         started        149 Binary is likely a compiled AutoIt script file 14->149 20 XnJzvKwn.exe 14->20         started        22 gJJcnhiU.exe 14->22         started        24 cmd.exe 14->24         started        26 cmd.exe 14->26         started        signatures6 process7 signatures8 121 Multi AV Scanner detection for dropped file 17->121 123 Binary is likely a compiled AutoIt script file 17->123 125 Found API chain indicative of sandbox detection 17->125 28 XnJzvKwn.exe 11 17->28         started        32 gJJcnhiU.exe 4 17->32         started        34 cmd.exe 1 17->34         started        36 cmd.exe 1 17->36         started        38 cmd.exe 20->38         started        127 Contains functionality to start a terminal service 22->127 40 ramez.exe 22->40         started        42 conhost.exe 24->42         started        44 RzqPFwLV.exe 24->44         started        46 2 other processes 26->46 process9 file10 99 C:\ProgramData\Work\nircmd.exe, PE32+ 28->99 dropped 101 C:\ProgramData\Work101SudoLG.exe, PE32+ 28->101 dropped 103 C:\ProgramData\kjHDZkQ.bat, Unicode 28->103 dropped 107 2 other files (none is malicious) 28->107 dropped 139 Multi AV Scanner detection for dropped file 28->139 48 cmd.exe 1 28->48         started        105 C:\Users\user\AppData\Local\...\ramez.exe, PE32 32->105 dropped 141 Contains functionality to start a terminal service 32->141 51 ramez.exe 32->51         started        143 Uses cmd line tools excessively to alter registry or file data 34->143 145 Uses schtasks.exe or at.exe to add and modify task schedules 34->145 147 Uses the nircmd tool (NirSoft) 34->147 53 RzqPFwLV.exe 3 34->53         started        56 conhost.exe 34->56         started        58 conhost.exe 36->58         started        60 schtasks.exe 1 36->60         started        62 nircmd.exe 38->62         started        64 conhost.exe 38->64         started        66 3 other processes 38->66 signatures11 process12 file13 115 Uses cmd line tools excessively to alter registry or file data 48->115 68 cmd.exe 48->68         started        70 reg.exe 48->70         started        72 conhost.exe 48->72         started        77 15 other processes 48->77 117 Multi AV Scanner detection for dropped file 51->117 119 Contains functionality to start a terminal service 51->119 91 C:\Temper\gJJcnhiU.exe, PE32 53->91 dropped 93 C:\Temper\XnJzvKwn.exe, PE32 53->93 dropped 74 cmd.exe 62->74         started        signatures14 process15 signatures16 79 tasklist.exe 68->79         started        81 Conhost.exe 70->81         started        137 Uses cmd line tools excessively to alter registry or file data 74->137 83 conhost.exe 74->83         started        85 nircmd.exe 74->85         started        87 chcp.com 74->87         started        89 2 other processes 74->89 process17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/55966f97ce10dd86da33f62b7746c8cad16589f4861b8aa37cee2d7d39454407
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55966f97ce10dd86da33f62b7746c8cad16589f4861b8aa37cee2d7d39454407/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/55966f97ce10dd86da33f62b7746c8cad16589f4861b8aa37cee2d7d39454407
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-16 02:55:00 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
18 of 38 (47.37%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwlg7f6ocdoynwrt6yvxorwizliwlcpuqynyvi345ywx2okfiqdq._file
Verdict:
malicious
Label(s):
admintool_nircmd
Create hunting rule
amadey
Create hunting rule
Similar samples:
0531385e6e2b3db7e69c70008ef57a7f584c8c96ae7cc2afb40346b908737734
Vidar
080784c30b5680a3fefbbe6ae23e2466e60904c0b3ae379643ba7b697989eff0
Vidar
0d7498868db177729da82ff4652d944ab6d4700c7467e8b8a6a2a65b423042a2
Vidar
42d37e42110f177ffdfc32bc5655ba5b0b85031c110f5f36d681d336190d34ff
Vidar
46b2de15860d23bb541610209f307d5007f3811b0cdfcf3860f3a7d76ae42d5b
Vidar
73d11b942cccf29476ab5bc1c01990f7c863399d96b462a23b976788b592f0ac
Vidar
8544c6f789db47dc9b0b9033bef41857b054069ad6e492983f0fa3d2ccfdeb9a
Vidar
error
Vidar
f767fa2879dc1d53e423e63f9d7773611002594c63fcfc0f02cf42bdee5b4731
Vidar
fde200c40d6c011ace31762d5319a218b226dcde4caec63a673e08c46ebf9a25
Vidar
+ 2'880 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:lumma family:vidar botnet:134a99af84d89e52fd8ed41f0b105a0b botnet:8d33eb collection defense_evasion discovery execution infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250618-tvzv8attd1/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
DcRat
Dcrat family
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Malware Config
C2 Extraction:
http://185.156.72.96
https://t.me/wm33in
https://steamcommunity.com/profiles/76561199867001399
https://shootef.world/api
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://stochalyqp.xyz/alfp
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://peppinqikp.xyz/xaow
Dropper Extraction:
http://185.156.72.2/testmine/random.exe
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d3405e7e-0ba5-4ec2-9b76-39c7cd19c4ec
Unpacked files
SH256 hash:
55966f97ce10dd86da33f62b7746c8cad16589f4861b8aa37cee2d7d39454407
MD5 hash:
6fd7426df231b69c65c52ab8b0883ee7
SHA1 hash:
d0b3f7ced5206d52c6460be04461d7ce0ea1919f
Link:
https://www.unpac.me/results/b7d00d8c-ff2d-4ca5-ad02-d8b4ad1dbc6b/
SH256 hash:
d08c0710c6dbda5a99391406cec4676a5f2391a471f2c3969449c630a886a673
MD5 hash:
7f6c7f927087e8e18aec4de21ff8edcf
SHA1 hash:
5838126fbf89714bfb04585c996a38348f6a6db8
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/b7d00d8c-ff2d-4ca5-ad02-d8b4ad1dbc6b/
SH256 hash:
d71190efceeafc3df1fb2577492a27169c5cc6a41bde433e5d69184049786c0c
MD5 hash:
2787269bc1c0e8a5a9cac77eb6b739fc
SHA1 hash:
e34634f2295e8d0b673208941ac025862bcec3e9
Link:
https://www.unpac.me/results/b7d00d8c-ff2d-4ca5-ad02-d8b4ad1dbc6b/
SH256 hash:
4aaa9c24bf6db605fb5a9bc2da72d04924aac73210120fe9086039926a46e9d9
MD5 hash:
fa116d12f1168c79a84193ad1517c4db
SHA1 hash:
8eed0ec6fffcafe578734ae089e896faffa042c2
Link:
https://www.unpac.me/results/b7d00d8c-ff2d-4ca5-ad02-d8b4ad1dbc6b/
SH256 hash:
797c55191f22449d00bc0d9f89585bfaa6e282563d99fd3f25e87de1e0d0348f
MD5 hash:
565a0d3b95add6c297c167b986134563
SHA1 hash:
71251272b8d2acaad8ea3c42bc900007a1b7dbd6
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/b7d00d8c-ff2d-4ca5-ad02-d8b4ad1dbc6b/
SH256 hash:
bd1f4c1b3d7bb873accf04236da2848fb093c3457a3d1d4eb05986aeeebc420a
MD5 hash:
d23dbe0f8cbafb87033b9a7f01472ce3
SHA1 hash:
1c621b91969feead4e4531a93167d9d559030998
Link:
https://www.unpac.me/results/b7d00d8c-ff2d-4ca5-ad02-d8b4ad1dbc6b/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55966f97ce10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55966f97ce10dd86da33f62b7746c8cad16589f4861b8aa37cee2d7d39454407

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dcrat_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked dcrat malware samples.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:icarus
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked icarus malware samples.
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/10038/

Comments