MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62dc0b6893936702f480e29d00e7f335324f06fa82ac75f6985ff6e3810cff28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62dc0b6893936702f480e29d00e7f335324f06fa82ac75f6985ff6e3810cff28
SHA3-384 hash: 80f9e9c3e190295899fdd6a0e914e5c6005afe5b7babe8c1347beb4b39243ce42c30108c9f462e5b1a6eba7454f1b2dc
SHA1 hash: ad773b62def3d051047788134c73931c4c482cb5
MD5 hash: d472b952c44c26731d06aa1d965bfe29
humanhash: red-colorado-connecticut-mexico
File name:fgUBEUZ.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:664'576 bytes
First seen:2025-08-17 18:51:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f271714f36185009225a9b24c078e5b1 (1 x LummaStealer, 1 x Vidar, 1 x Amadey)
ssdeep 12288:WAppdyo7dMIc/L/V82id9Ms7zfYxh9o/z1lFPMizdv/mB8DDxRKSz2FLfM7:Fzq/3kfYxh9o/3FPMCmqDPKSz2Fg7
TLSH T1ECE41242F5D2C0B3F95310B21D74D799483EF6A24F249ED722E8B53ACA719E14732A27
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fgUBEUZ.exe
Verdict:
No threats detected
Analysis date:
2025-08-17 18:56:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf22e133-ff37-4972-98d3-5373ef18c701

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21867/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a224f28fd55a79c5288808
Tags:
malware
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin microsoft_visual_cc obfuscated odbcconf packed packed packer_detected
Link:
https://www.filescan.io/uploads/68a224bbabfbaec318244f1f/reports/d4990053-e121-4cee-9f51-2e818359076d/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/62dc0b6893936702f480e29d00e7f335324f06fa82ac75f6985ff6e3810cff28
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8d2d3b64-f2cb-418f-8c5b-3dca44b9085f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1758896
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/62dc0b6893936702f480e29d00e7f335324f06fa82ac75f6985ff6e3810cff28
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/d472b952c44c26731d06aa1d965bfe29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62dc0b6893936702f480e29d00e7f335324f06fa82ac75f6985ff6e3810cff28/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-08-17 12:59:40 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mloaw2etsntqf5ea4koqbz7tguze6bx2qkwhl5uyl73ohaim74ua._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250817-xhssxsxxgt/
Behaviour
Program crash
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b9da9790-bd0d-4f68-a210-55e100269f8d
Unpacked files
SH256 hash:
62dc0b6893936702f480e29d00e7f335324f06fa82ac75f6985ff6e3810cff28
MD5 hash:
d472b952c44c26731d06aa1d965bfe29
SHA1 hash:
ad773b62def3d051047788134c73931c4c482cb5
Link:
https://www.unpac.me/results/56dd7a4c-512c-4622-87c9-7128d67688f9/
SH256 hash:
0fee13e6e25b1f9e316be5c69ba6a7f8d0c191b5eb2972e9eb29a856fbba7f71
MD5 hash:
5875132c6de3d942347b092f03413cdc
SHA1 hash:
91db8f4255ca8d2a6f9270205aab159910ee2cf8
Link:
https://www.unpac.me/results/56dd7a4c-512c-4622-87c9-7128d67688f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62dc0b6893936702f480e29d00e7f335324f06fa82ac75f6985ff6e3810cff28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 62dc0b6893936702f480e29d00e7f335324f06fa82ac75f6985ff6e3810cff28

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3605101/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21867/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowW

Comments