MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6736fc5910c521c3b94093d44f0b8774b32c579a354fd2d850bd686766b0b696. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6736fc5910c521c3b94093d44f0b8774b32c579a354fd2d850bd686766b0b696
SHA3-384 hash: 41a44f80c9fa552357e0cb9ad353da541a42bc371c22960bacefe7cea89a082abe2e553c1f9ac53ac433dee21c06ab4a
SHA1 hash: 9151fbe3c9afaf82a5f0e842c0d8d7b11454ac17
MD5 hash: 19f7ffacb30894b7adf9414150b1c723
humanhash: seventeen-arkansas-carpet-berlin
File name:v7942.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:749'056 bytes
First seen:2025-04-04 08:40:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a0b72f709ebc465cfce6b6cf21367efe (33 x LummaStealer, 6 x Vidar, 2 x Rhadamanthys)
ssdeep 12288:+yr74wbgY1rvcL3dG2G+B6mFYyyIawxhsC7kD2ckWRoVQYRY9VZ3eA0Ydsc70Qht:frU+vQH90mFVjX73dWXdIeT73hwA
TLSH T1E3F4CF18A52591DEECD340716B65A231B423BD378F385EEB01E4D7651A0AEED0F3E326
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/518/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ef9d7e855e5ec5240ddb66
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67ef9b2eb070fb3f945eb25f/reports/3d4be079-92f3-4a0b-ade3-b25227597cae/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/6736fc5910c521c3b94093d44f0b8774b32c579a354fd2d850bd686766b0b696
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/56caa25c-c591-469a-a9d8-4660257bad6e
Result
Threat name:
PureCrypter, LummaC Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1656509
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Creates / moves files in alternative data streams (ADS)
Detected PureCrypter Trojan
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1656509 Sample: v7942.exe Startdate: 04/04/2025 Architecture: WINDOWS Score: 100 105 itsrevolutionmagnus.xyz 2->105 107 qq.ap.4t.com 2->107 109 7 other IPs or domains 2->109 145 Suricata IDS alerts for network traffic 2->145 147 Found malware configuration 2->147 149 Malicious sample detected (through community Yara rule) 2->149 153 11 other signatures 2->153 10 v7942.exe 2->10         started        13 EMDVySHNoBzmnWAU.exe 2->13         started        16 EMDVySHNoBzmnWAU.exe 2->16         started        18 2 other processes 2->18 signatures3 151 Performs DNS queries to domains with low reputation 105->151 process4 dnsIp5 185 Writes to foreign memory regions 10->185 187 Allocates memory in foreign processes 10->187 189 Injects a PE file into a foreign processes 10->189 21 MSBuild.exe 35 10->21         started        87 C:\Users\user\...\blrkoiycfPTOTX7q.exe, PE32 13->87 dropped 26 blrkoiycfPTOTX7q.exe 13->26         started        89 C:\Users\user\...\DBeKPQN1rtwRLbrT.exe, PE32 16->89 dropped 28 DBeKPQN1rtwRLbrT.exe 16->28         started        111 192.168.2.13 unknown unknown 18->111 113 239.255.255.250 unknown Reserved 18->113 91 C:\Users\user\...\9Hb432nHdY2XWTox.exe, PE32 18->91 dropped 30 9Hb432nHdY2XWTox.exe 18->30         started        32 msedge.exe 18->32         started        34 msedge.exe 18->34         started        36 3 other processes 18->36 file6 signatures7 process8 dnsIp9 115 qq.ap.4t.com 78.47.105.59, 443, 49719, 49720 HETZNER-ASDE Germany 21->115 117 t.me 149.154.167.99, 443, 49718 TELEGRAMRU United Kingdom 21->117 123 2 other IPs or domains 21->123 71 C:\Users\user\AppData\Local\...\l9543[1].exe, PE32+ 21->71 dropped 73 C:\Users\user\AppData\Local\...\s9471[1].exe, PE32+ 21->73 dropped 75 C:\Users\user\AppData\...\sss81242[1].exe, PE32 21->75 dropped 79 3 other malicious files 21->79 dropped 175 Attempt to bypass Chrome Application-Bound Encryption 21->175 177 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->177 179 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->179 183 6 other signatures 21->183 38 zmy5ppzukx.exe 21->38         started        41 vsj5xtj5xb.exe 21->41         started        43 glxb1vk6fc.exe 21->43         started        46 3 other processes 21->46 181 Multi AV Scanner detection for dropped file 26->181 119 ax-0003.ax-msedge.net 150.171.28.12, 443, 49803 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 32->119 121 20.110.205.119, 443, 49808, 49839 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 32->121 125 29 other IPs or domains 32->125 77 C:\Users\user\AppData\Local\...\Cookies, SQLite 32->77 dropped file10 signatures11 process12 dnsIp13 157 Hijacks the control flow in another process 38->157 159 Modifies the context of a thread in another process (thread injection) 38->159 161 Injects a PE file into a foreign processes 38->161 49 zmy5ppzukx.exe 38->49         started        163 Multi AV Scanner detection for dropped file 41->163 165 Writes to foreign memory regions 41->165 167 Allocates memory in foreign processes 41->167 53 MSBuild.exe 41->53         started        83 C:\Users\user\...MDVySHNoBzmnWAU.exe, PE32 43->83 dropped 85 :cat (copy), PE32 43->85 dropped 169 Antivirus detection for dropped file 43->169 171 Creates / moves files in alternative data streams (ADS) 43->171 55 EMDVySHNoBzmnWAU.exe 43->55         started        127 192.168.2.5, 443, 49689, 49692 unknown unknown 46->127 173 Monitors registry run keys for changes 46->173 58 chrome.exe 46->58         started        60 msedge.exe 46->60         started        62 chrome.exe 46->62         started        64 2 other processes 46->64 file14 signatures15 process16 dnsIp17 93 77.90.153.241, 49875, 80 RAPIDNET-DEHaunstetterStr19DE Germany 49->93 129 Early bird code injection technique detected 49->129 131 Found many strings related to Crypto-Wallets (likely being stolen) 49->131 133 Tries to harvest and steal browser information (history, passwords, etc) 49->133 143 5 other signatures 49->143 66 chrome.exe 49->66         started        95 advennture.top 172.67.221.138, 443, 49867, 49868 CLOUDFLARENETUS United States 53->95 135 Query firmware table information (likely to detect VMs) 53->135 137 Tries to harvest and steal ftp login credentials 53->137 139 Tries to steal Crypto Currency Wallets 53->139 97 77.90.153.245 RAPIDNET-DEHaunstetterStr19DE Germany 55->97 81 C:\Users\user\...\pjo7bocFR6qJnuoQ.exe, PE32 55->81 dropped 141 Multi AV Scanner detection for dropped file 55->141 68 pjo7bocFR6qJnuoQ.exe 55->68         started        99 ogads-pa.clients6.google.com 142.250.64.74, 443, 49751, 49753 GOOGLEUS United States 58->99 101 plus.l.google.com 142.250.65.174, 443, 49752 GOOGLEUS United States 58->101 103 3 other IPs or domains 58->103 file18 signatures19 process20 signatures21 155 Multi AV Scanner detection for dropped file 68->155
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6736fc5910c521c3b94093d44f0b8774b32c579a354fd2d850bd686766b0b696
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6736fc5910c521c3b94093d44f0b8774b32c579a354fd2d850bd686766b0b696/
Threat name:
Win64.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2025-04-04 01:12:18 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m43pywiqyuq4hokaspke6c4hoszsyv42gvh5fwcqxvugozvqw2la._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:vidar botnet:f942dabea5a58a141236ae72e4720fbf credential_access discovery persistence spyware stealer
Link:
https://tria.ge/reports/250404-klpjfswjz8/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/f07nd
https://steamcommunity.com/profiles/76561199843252735
https://advennture.top/GKsiio
https://jrxsafer.top/shpaoz
https://krxspint.digital/kendwz
https://rhxhube.run/pogrs
https://grxeasyw.digital/xxepw
https://targett.top/dsANGt
https://xrfxcaseq.live/gspaz
https://-ywmedici.top/noagis
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/d23527b0-97f2-4829-9511-e1b1fc21c262
Unpacked files
SH256 hash:
6736fc5910c521c3b94093d44f0b8774b32c579a354fd2d850bd686766b0b696
MD5 hash:
19f7ffacb30894b7adf9414150b1c723
SHA1 hash:
9151fbe3c9afaf82a5f0e842c0d8d7b11454ac17
Link:
https://www.unpac.me/results/5bd46a39-f6f7-458d-82e6-643209ac421c/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6736fc5910c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6736fc5910c521c3b94093d44f0b8774b32c579a354fd2d850bd686766b0b696

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 6736fc5910c521c3b94093d44f0b8774b32c579a354fd2d850bd686766b0b696

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3478380/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/518/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolWork
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments