MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 23 File information Comments

SHA256 hash:	6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18
SHA3-384 hash:	0fe8d910b0e6b162f719a4af0f0dede409c918afa269d40f50ad7cc7a780abbf00c045e16a25e2a4b8095dd0105d6ad2
SHA1 hash:	9f3c2f18c4604a36ced0e86830f9122ac5d06f01
MD5 hash:	5dd5969b4554d5dfdb54de2e014bd127
humanhash:	bacon-princess-sad-beryllium
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	5'015'616 bytes
First seen:	2025-11-11 18:34:28 UTC
Last seen:	2025-11-11 20:21:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (92 x Rhadamanthys, 66 x Vidar, 41 x LummaStealer)
ssdeep	49152:DCJJvJZQijGPRhKxHMbxL4PX4A8kg4OiZrq1DfP+rsNADtV6v+L0uSwiPSCmDS+Z:DoUAxsbxEXU4OiZrq1DfPHNADtV6v+3V
TLSH	T12D369E677D980C69E89DA231C9E355567636BC483F3233E32D107A7A6E32BC00D35B69
TrID	37.3% (.EXE) Win64 Executable (generic) (10522/11/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 vidar

Bitsight

url: http://178.16.54.200/files/8079848160/6P9FKnT.exe

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-11-11 18:35:33 UTC

Tags:

xor-url generic golang

Link:

https://app.any.run/tasks/f304dee6-692a-431e-be73-2235f517071d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/36960/

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.61939613.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=691381ecac1ae236e17985f0

Tags:

emotet cobalt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm expired-cert golang installer-heuristic invalid-signature packed signed

Link:

https://www.filescan.io/uploads/691381e8e20fe1d128157571/reports/474dfb15-b924-4e2d-b605-7ab223caeea1/overview

Verdict:

Suspicious

Labled as:

WinGo/Kryptik.MH trojan

Link:

https://www.hybrid-analysis.com/sample/6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-11T15:50:00Z UTC

Last seen:

2025-11-13T10:23:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan.Win64.Agent.smevtt Trojan.Win64.Agent.sb

Link:

https://opentip.kaspersky.com/6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/54df77ca-f1b9-4e9e-bc10-7d71c183f626

Score:

41%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/5dd5969b4554d5dfdb54de2e014bd127

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18

Threat name:

Win64.Spyware.Vidar

Status:

Malicious

First seen:

2025-11-11 18:35:23 UTC

File Type:

PE+ (Exe)

Extracted files:

822

AV detection:

15 of 23 (65.22%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nqnzuylxchicuorrodcyax3ruodn5sg6dpthc7g2qf3j22vjpyma._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:bdbf7934a7bdcb8e1272e8015a5c3f63 stealer

Link:

https://tria.ge/reports/251111-w8gyns1lfz/

Behaviour

Detects Vidar Stealer

Vidar

Vidar family

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561198770591383

Verdict:

Malicious

Tags:

Stealc

YARA:

n/a

Link:

https://app.threat.zone/submission/ac7df461-d911-4954-8947-a143adb9c2f6

Unpacked files

SH256 hash:

6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18

MD5 hash:

5dd5969b4554d5dfdb54de2e014bd127

SHA1 hash:

9f3c2f18c4604a36ced0e86830f9122ac5d06f01

Link:

https://www.unpac.me/results/9905077c-1919-4bba-8dd2-973ce4159d4a/

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6c1b9a617711/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SharedStrings Create hunting rule
Author:	Katie Kleemola
Description:	Internal names found in LURK0/CCTV0 samples

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834