MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66e47e0816d04089c407ca871feed51aea3ba92ac9446a7f6def70efd8416177. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 5

Intelligence 5 IOCs YARA 46 File information Comments

SHA256 hash:	66e47e0816d04089c407ca871feed51aea3ba92ac9446a7f6def70efd8416177
SHA3-384 hash:	8ab21dbcb1f0f152c31a49fcf7d8e515528ec09a40f4967440db647d3c9b021f6c4ee9d438d7ebca4095ebd85242f65f
SHA1 hash:	c1d2a78393b834e54312636f4f4a9f17ff4ad7f1
MD5 hash:	c13c88f03139d0f9aeab85263af1851f
humanhash:	xray-pizza-skylark-montana
File name:	Kiddions_v2.zip
Download:	download sample
Signature	Vidar Create hunting rule
File size:	2'654'206 bytes
First seen:	2026-03-08 15:02:06 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
Note:	This file is a password protected archive. The password is: 2026
ssdeep	49152:1awOgkIKZAQE4CeqL3/jI3j042vu45oJcGQ19vifwjVTbF5p9xSEKsd:1ZHf4sjUj042msoJ0vifI/19KO
TLSH	T1C5C53383512F15DE22D1FF299C54E6B9303C2A5D726C4079F1A168F702A02AA7F2D7E7
Magika	zip
Reporter	burger
Tags:	pw-2026 vidar zip

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

File Archive Information

This file is a password protected archive. The password is: 2026

This file archive contains 9 file(s), sorted by their relevance:

File name:	Kiddions Mod.exe
File size:	110'712 bytes
SHA256 hash:	2803b74d5466845e4dc9063bd516f3679aa2a3f70a30d9e93976c212e87f6e87
MD5 hash:	8ce68a756995deb55746dee1525edec3
MIME type:	application/x-dosexec
Signature	Vidar

File name:	gobject-2.0.dll
File size:	300'664 bytes
SHA256 hash:	2c76ddda266dbada9597eec8d7559b0669c25f2037344c19b4807e4d61b6dcfe
MD5 hash:	103bf98f16d5dda06336b3f0f10bb979
MIME type:	application/x-dosexec
Signature	Vidar

File name:	pcre.dll
File size:	411'768 bytes
SHA256 hash:	67332a8c1fa3a2bb449aea74cbcff3c64754fafb09c273ae51bafac91deac340
MD5 hash:	caa517b0b14ff77ba93fd1cd7d8d7d2a
MIME type:	application/x-dosexec
Signature	Vidar

File name:	gmodule-2.0.dll
File size:	29'968 bytes
SHA256 hash:	ed105b46d3a374db93cc79ce058e897b63dfce9bcc3a27d93ab8f254baeae58a
MD5 hash:	a45eea5bcdd017b9c4535f5c7daaf2df
MIME type:	application/x-dosexec
Signature	Vidar

File name:	glib-2.0.dll
File size:	1'231'992 bytes
SHA256 hash:	29f281e0e9ebc9cc7b54af08535509feac1930a60d3d2e2fe9528f77711f04a8
MD5 hash:	74801ead5a1402af905efa4ca76fd181
MIME type:	application/x-dosexec
Signature	Vidar

File name:	vmtools.dll
File size:	888'592 bytes
SHA256 hash:	dbee15d75e4bfc40a0091878009dedf0cca795f224554c91ad776710eb3a76a9
MD5 hash:	7cf6a1b39eab16a9954386d05e296e62
MIME type:	application/x-dosexec
Signature	Vidar

File name:	VCRUNTIME140.dll
File size:	85'784 bytes
SHA256 hash:	2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
MD5 hash:	1453290db80241683288f33e6dd5e80e
MIME type:	application/x-dosexec
Signature	Vidar

File name:	VCRUNTIME140_1.dll
File size:	49'792 bytes
SHA256 hash:	1f2d41c4aa5db0bc33ebf7b66d72943a817d7ce6cbe880502a9403823633093f
MD5 hash:	cd1b08f4930b276ad78853580b76b5c6
MIME type:	application/x-dosexec
Signature	Vidar

File name:	intl.dll
File size:	2'573'408 bytes
SHA256 hash:	e98bad4e121ff1b0705f2f7140bfeebb3bc826cb01abdb8cae199df7a575fa1b
MD5 hash:	bf0633684a0df1b983d1db376a737854
MIME type:	application/x-dosexec
Signature	Vidar

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4862487f-0c9f-4b83-b10e-45668cd3b65e/

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ad8f86e41a5a099930fc39

Tags:

n/a

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/66e47e0816d04089c407ca871feed51aea3ba92ac9446a7f6def70efd8416177

Result

Verdict:

SUSPICIOUS

Link:

https://labs.inquest.net/dfi/sha256/66e47e0816d04089c407ca871feed51aea3ba92ac9446a7f6def70efd8416177

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Clean

File Type:

zip

Link:

https://opentip.kaspersky.com/66e47e0816d04089c407ca871feed51aea3ba92ac9446a7f6def70efd8416177/results?tab=lookup

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Zip Archive

Link:

https://app.malva.re/file/c13c88f03139d0f9aeab85263af1851f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66e47e0816d04089c407ca871feed51aea3ba92ac9446a7f6def70efd8416177/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m3sh4caw2baitrahzkdr73wvdlvdxkjkzfcgu73n55yo7wcbmf3q._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar stealer

Link:

https://tria.ge/reports/260308-t3rjtafv9t/

Behaviour

Detects Vidar Stealer

Vidar

Vidar family

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Any_SU_Domain Create hunting rule
Author:	you
Description:	Detect any reference to .su domains or subdomains

Rule name:	Check_Debugger Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Golang_Binary Create hunting rule
Author:	Andrew Morrow
Description:	Detects binaries compiled with Go

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	goLangMatch3 Create hunting rule

Rule name:	goLangMatch4 Create hunting rule

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Vidar

zip 66e47e0816d04089c407ca871feed51aea3ba92ac9446a7f6def70efd8416177

(this sample)

Vidar

exe e98bad4e121ff1b0705f2f7140bfeebb3bc826cb01abdb8cae199df7a575fa1b

Dropping

SHA256 e98bad4e121ff1b0705f2f7140bfeebb3bc826cb01abdb8cae199df7a575fa1b

Dropping

MD5 bf0633684a0df1b983d1db376a737854

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample