MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6232ab81f91b3c5555378477d1e436d7cf10883ac63b4afdb7267e6751c0b140. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 8



SHA256 hash: 6232ab81f91b3c5555378477d1e436d7cf10883ac63b4afdb7267e6751c0b140
SHA3-384 hash: 67abd039aa5ea7bdb6d3011dfe5bdbc59cfed25a41e2e0b09ff6df1029f7223b7e408b5a06cb14c60dea024e2354ff82
SHA1 hash: 991df00ed5a1d6597753edc5ae22b2119d038431
MD5 hash: be70d2117dca44147af8f44cfd0db3d3
humanhash: washington-finch-coffee-uranus
File name: libcurl.dll
Signature: Vidar
File size: 159'744 bytes
First seen: 2025-06-18 07:29:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fbc10b849e0d7db09d95bae5700055e9 (1 x Vidar)
ssdeep: 3072:WOAzIjnnaZ63+zpmNCIXqFlGlzqRyb7eDt1:WOAzGaZgKFqLut1
TLSH: T11BF35B17A7A610BBE1678539C9831901FB727C164BA0AADF47600EB71E277E09E3D712
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: aachum
Tags: dll dllHijack vidar


iamaachum
https://fileswoop.cloud/ZGE0ZWVlODKodVetnt89qFGsJaPmF6EH2N1TTHVpZD0xMg => https://mega.nz/file/qQ82hC7B#oNLLw_IqM741d07u6OFpSdsUVy6OTNf-m-GZ606dnRk

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 543
Origin country: ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
libcurl.dll
Verdict:
Malicious activity
Analysis date:
2025-06-18 09:31:08 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
dropper virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Signature
Contains functionality to determine the online IP of the system
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Behaviour
Behavior Graph (rendered graph not available in this text view; recoverable details follow):
Behavior Graph ID: 1717197; Sample: libcurl.dll.exe; Startdate: 18/06/2025; Architecture: WINDOWS; Score: 64
Signatures shown on the graph: Multi AV Scanner detection for submitted file; Sigma detected: System File Execution Location Anomaly; Joe Sandbox ML detected suspicious sample; Sigma detected: Files With System Process Name In Unsuspected Locations; Contains functionality to determine the online IP of the system
Process tree: loaddll64.exe started rundll32.exe, cmd.exe, a second rundll32.exe and 2 other processes; that rundll32.exe dropped C:\Users\user\AppData\Local\...\rundll32.exe (PE32+) and started three further rundll32.exe instances and 32 other processes; cmd.exe started rundll32.exe
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Threat name:
Win64.Trojan.Kepavll
Status:
Malicious
First seen:
2025-06-17 10:53:25 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
6232ab81f91b3c5555378477d1e436d7cf10883ac63b4afdb7267e6751c0b140
MD5 hash:
be70d2117dca44147af8f44cfd0db3d3
SHA1 hash:
991df00ed5a1d6597753edc5ae22b2119d038431
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 6232ab81f91b3c5555378477d1e436d7cf10883ac63b4afdb7267e6751c0b140 (this sample)

Comments