MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a31c17b7e29889a94709e13de77d2726ad08f8876c12b9d7f3694543b748f02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Vidar
Vendor detections: 16



SHA256 hash: 6a31c17b7e29889a94709e13de77d2726ad08f8876c12b9d7f3694543b748f02
SHA3-384 hash: ab10e87d17d03b5376f3c6f71f4217137059f4c1b111a4092250baded82f74ce833cb0e5237ce7426402f929fdbc5d94
SHA1 hash: 20b670b52fbd9dc49f99cfb19a6a7391229e9d38
MD5 hash: 9e71224548ec0425d558e58408912a3f
humanhash: one-hydrogen-romeo-football
File name: photoshop-v2.exe
Signature: Vidar
File size: 10'277'943 bytes
First seen: 2025-05-19 22:05:50 UTC
Last seen: 2025-05-20 21:41:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: efd455830ba918de67076b7c65d86586 (56 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep: 196608:RS8gUZifUmcLqBb+W3sFthHVRLb3o4pm0cj8F:RyOKVcLq5+RFnLLo0s8F
Threatray: 42 similar samples on MalwareBazaar
TLSH: T15CA6D113F28E742ED06B3E396A7793A1983B7A5029124C57A7EC394C8F3D1845E2B357
TrID:
  49.8% (.EXE) Inno Setup installer (107240/4/30)
  20.0% (.EXE) InstallShield setup (43053/19/16)
  19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
  2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: aachum
Tags: exe vidar


Reporter comment (iamaachum):
http://185.209.21.111/download/photoshop-v2.exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 680
Origin country: ES
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: ɢɪᴛнᴜʙ seᴛᴜр.bat
Verdict: Malicious activity
Analysis date: 2025-05-19 22:00:29 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: obfuscated vmdetect backdoor dropper
Result
Verdict: Suspicious
Maliciousness:
Behaviour:
  Creating a file in the %temp% subdirectories
  Creating a window
  Creating a process from a recently created file
  Creating synchronization primitives
  Searching for synchronization primitives
  Restart of the analyzed sample
  Creating a process with a hidden window
  Creating a file in the %AppData% subdirectories
  Moving a file to the %AppData% subdirectory
  DNS request
  Connection attempt
  Sending a custom TCP request
  Sending an HTTP GET request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: embarcadero_delphi fingerprint installer invalid-signature overlay overlay packed signed
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature:
  .NET source code contains process injector
  .NET source code references suspicious native API functions
  Compiles code for process injection (via .Net compiler)
  Creates a thread in another existing process (thread injection)
  Encrypted powershell cmdline option found
  Joe Sandbox ML detected suspicious sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Sigma detected: Dot net compiler compiles file from suspicious location
  Suricata IDS alerts for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Writes to foreign memory regions
  Yara detected Powershell decode and execute
  Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1694380. Sample: photoshop-v2.exe, start date 20/05/2025, architecture WINDOWS, score 100.
Graph-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures. Hosts contacted: d3.7.4t.com, t.me.

Process tree recovered from the graph (dropped files and network contacts listed under the process that produced them):
photoshop-v2.exe
  dropped: C:\Users\user\AppData\...\photoshop-v2.tmp (PE32)
  photoshop-v2.tmp
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    photoshop-v2.exe
      dropped: C:\Users\user\AppData\...\photoshop-v2.tmp (PE32)
      photoshop-v2.tmp
        dropped: C:\Users\user\...\mswebprjui.dll (copy) (PE32); C:\Users\user\AppData\...\is-SOQLH.tmp (PE32+); C:\Users\user\AppData\...\is-RAIKB.tmp (PE32+); 62 other files (54 malicious)
        Vecinos.exe
          network: d3.7.4t.com 49.13.1.124, 443, 49725, 49726 (HETZNER-ASDE, Germany); t.me 149.154.167.99, 443, 49724 (TELEGRAMRU, United Kingdom)
          signatures: Encrypted powershell cmdline option found; Tries to harvest and steal browser information (history, passwords, etc)
          powershell.exe
            dropped: C:\Users\user\AppData\...\3nhns3wb.cmdline (Unicode)
            signatures: Writes to foreign memory regions; Compiles code for process injection (via .Net compiler); Creates a thread in another existing process (thread injection)
            csc.exe
              dropped: C:\Users\user\AppData\Local\...\3nhns3wb.dll (PE32)
              cvtres.exe
            conhost.exe
          powershell.exe
            csc.exe
              dropped: C:\Users\user\AppData\Local\...\h4xq25ro.dll (PE32)
              cvtres.exe
            conhost.exe
          chrome.exe
            network: 192.168.2.4, 138, 443, 49448 (unknown)
            chrome.exe
              network: apis.google.com; ogads-pa.clients6.google.com 142.250.68.10, 443, 49748, 49751 (GOOGLEUS, United States); 3 other IPs or domains
          27 other processes
            dropped: C:\Users\user\AppData\Local\...\m4sj5fu1.0.cs (Unicode)
            csc.exe
              dropped: C:\Users\user\AppData\Local\...\enf3cybp.dll (PE32)
              cvtres.exe
            csc.exe
              dropped: C:\Users\user\AppData\Local\...\fhefh2ji.dll (PE32)
              cvtres.exe
            csc.exe
              dropped: C:\Users\user\AppData\Local\...\hxjqidfq.dll (PE32)
              cvtres.exe
            24 other processes
              network: 142.250.217.138, 443, 49764, 49765 (GOOGLEUS, United States); 142.250.72.164, 443, 49759, 49762 (GOOGLEUS, United States); play.google.com
              dropped: C:\Users\user\AppData\Local\...\wurj3t1f.dll (PE32); C:\Users\user\AppData\Local\...\ta5ajmhs.dll (PE32); C:\Users\user\AppData\Local\...\oedn1jg5.dll (PE32); 7 other files (none is malicious)
              cvtres.exe (3 instances); 7 other processes
Threat name: Win32.Trojan.Kepavll
Status: Malicious
First seen: 2025-05-19 05:15:53 UTC
File Type: PE (Exe)
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar credential_access defense_evasion discovery spyware stealer
Behaviour:
  Checks processor information in registry
  Delays execution with timeout.exe
  Enumerates system info in registry
  Modifies data under HKEY_USERS
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Browser Information Discovery
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Drops file in Windows directory
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Obfuscated Files or Information: Command Obfuscation
  Checks computer location settings
  Executes dropped EXE
  Reads data files stored by FTP clients
  Reads user/profile data of web browsers
  Unsecured Credentials: Credentials In Files
  Uses browser remote debugging
  Detect Vidar Stealer
  Vidar
  Vidar family
Unpacked files
SHA256 hash: 6a31c17b7e29889a94709e13de77d2726ad08f8876c12b9d7f3694543b748f02
MD5 hash: 9e71224548ec0425d558e58408912a3f
SHA1 hash: 20b670b52fbd9dc49f99cfb19a6a7391229e9d38

SHA256 hash: f4fe484a5bdd3155a34a2609ca989c2283bc78ecbf254d7a808f0d608e01b7b0
MD5 hash: 909ba3cdb24599dbdf7057a093e47e6c
SHA1 hash: f4f4c436d0b49a019fe43c1e51ae57305bf5a666

SHA256 hash: 51749523417f18b393a9c28b170118c31fae6534de2b636cb484770d061ba027
MD5 hash: 7ac8276bdeb0434046c1e87c2274617b
SHA1 hash: 7b84c6ed4ed766473b10a66be6a52416ae666141
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
  Author: malware-lu
Rule name: DebuggerCheck__API
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_PowerShell_Obfuscation
  Author: daniyyell
  Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: HUNTING_SUSP_TLS_SECTION
  Author: chaosphere
  Description: Detect PE files with .tls section that can be used for anti-debugging
  Reference: Practical Malware Analysis - Chapter 16
Rule name: MD5_Constants
  Author: phoul (@phoul)
  Description: Look for MD5 constants
Rule name: NET
  Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
  Author: albertzsigovits
Rule name: RIPEMD160_Constants
  Author: phoul (@phoul)
  Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
  Author: phoul (@phoul)
  Description: Look for SHA1 constants
Rule name: SHA512_Constants
  Author: phoul (@phoul)
  Description: Look for SHA384/SHA512 constants
Rule name: shellcode
  Author: nex
  Description: Matched shellcode byte patterns
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
  Author: XiAnzheng
  Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: win_rat_generic
  Author: Reedus0
  Description: Rule for detecting generic RAT malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File: Executable exe 6a31c17b7e29889a94709e13de77d2726ad08f8876c12b9d7f3694543b748f02 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
  ID                         Title                                                    Severity
  CHECK_AUTHENTICODE         Missing Authenticode                                     high
  CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Reviews
  ID                  Capabilities                      Evidence
  AUTH_API            Manipulates User Authorization    advapi32.dll::AllocateAndInitializeSid
                                                        advapi32.dll::ConvertSidToStringSidW
                                                        advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
                                                        advapi32.dll::EqualSid
                                                        advapi32.dll::FreeSid
  SECURITY_BASE_API   Uses Security Base API            advapi32.dll::AdjustTokenPrivileges
                                                        advapi32.dll::GetTokenInformation
  WIN32_PROCESS_API   Can Create Process and Threads    kernel32.dll::CreateProcessW
                                                        advapi32.dll::OpenProcessToken
                                                        advapi32.dll::OpenThreadToken
                                                        kernel32.dll::CloseHandle
                                                        kernel32.dll::CreateThread
  WIN_BASE_API        Uses Win Base API                 kernel32.dll::LoadLibraryA
                                                        kernel32.dll::LoadLibraryExW
                                                        kernel32.dll::LoadLibraryW
                                                        kernel32.dll::GetDriveTypeW
                                                        kernel32.dll::GetVolumeInformationW
                                                        kernel32.dll::GetSystemInfo
  WIN_BASE_IO_API     Can Create Files                  kernel32.dll::CreateDirectoryW
                                                        kernel32.dll::CreateFileW
                                                        kernel32.dll::DeleteFileW
                                                        kernel32.dll::GetWindowsDirectoryW
                                                        kernel32.dll::GetSystemDirectoryW
                                                        kernel32.dll::GetFileAttributesW
  WIN_BASE_USER_API   Retrieves Account Information     advapi32.dll::LookupPrivilegeValueW
  WIN_REG_API         Can Manipulate Windows Registry   advapi32.dll::RegOpenKeyExW
                                                        advapi32.dll::RegQueryValueExW
  WIN_USER_API        Performs GUI Actions              user32.dll::PeekMessageW
                                                        user32.dll::CreateWindowExW
