MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d56f099ff02a11ccd233f8a9f5531d9a459fcbb2541551134fa9e435bfd177f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d56f099ff02a11ccd233f8a9f5531d9a459fcbb2541551134fa9e435bfd177f
SHA3-384 hash: c9204fbadee2d9816bf8315e4d8e625da1d2e02511369a95a96aedf4d02126f600e18f3a10ea741699a2f92b108e0310
SHA1 hash: 4cc9e9ae7770aac08968adb0287665dfea308c66
MD5 hash: 03081a42b3e5a2f67c20f907cf08b63c
humanhash: batman-lima-nevada-texas
File name:cloudflare.ps1
Download: download sample
Signature Vidar
Create hunting rule
File size:2'034 bytes
First seen:2026-04-01 05:42:25 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 48:mNuqUTa4aAyNqg1eLG7UuFW5K1PKI6GirLGirajdczR/eRM7:mNuqi9aX11eLG7Uz5wiXGyLGyayM2
TLSH T1814165D4AFCC10C564AF811AC7E0F76922072AB695EE8A4C0EC67A925582ADCB195847
Magika powershell
Reporter abuse_ch
Tags:ps1 vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
SE SE
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.PowerShell.DownLoader.2845.27018.25642.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ca85546363ca5d27efda61
Tags:
dridex xtreme shell sage
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/6d56f099ff02a11ccd233f8a9f5531d9a459fcbb2541551134fa9e435bfd177f
Verdict:
Malicious
File Type:
ps1
First seen:
2026-03-30T11:37:00Z UTC
Last seen:
2026-03-30T11:50:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/6d56f099ff02a11ccd233f8a9f5531d9a459fcbb2541551134fa9e435bfd177f/results?tab=lookup
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1891833
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Potentially malicious time measurement code found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Invoke-WebRequest Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1891833 Sample: cloudflare.ps1 Startdate: 01/04/2026 Architecture: WINDOWS Score: 100 60 mybiggestjoy.bond 2->60 82 Suricata IDS alerts for network traffic 2->82 84 Found malware configuration 2->84 86 Antivirus detection for URL or domain 2->86 88 6 other signatures 2->88 10 powershell.exe 15 2->10         started        13 msedge.exe 66 596 2->13         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 92 Suspicious powershell command line found 10->92 94 Powershell drops PE file 10->94 18 powershell.exe 15 20 10->18         started        22 conhost.exe 10->22         started        72 192.168.2.8, 138, 443, 49681 unknown unknown 13->72 74 192.168.2.14 unknown unknown 13->74 78 5 other IPs or domains 13->78 24 msedge.exe 13->24         started        26 msedge.exe 13->26         started        28 msedge.exe 13->28         started        76 127.0.0.1 unknown unknown 16->76 signatures6 process7 dnsIp8 62 mybiggestjoy.bond 172.67.171.219, 443, 49682 CLOUDFLARENETUS United States 18->62 58 C:\Users\user\AppData\...\witpojxg.4nc.exe, PE32+ 18->58 dropped 30 witpojxg.4nc.exe 21 18->30         started        34 conhost.exe 18->34         started        64 a1666.dscr.akamai.net 23.219.2.14, 443, 49743, 49744 RAYA-ASEG United States 24->64 66 mr-z01.tm-azurefd.net 150.171.109.114, 443, 49742 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->66 68 33 other IPs or domains 24->68 file9 process10 dnsIp11 80 204.168.172.164, 443, 49683, 49686 CONXION-AUS United States 30->80 96 Multi AV Scanner detection for dropped file 30->96 98 Tries to harvest and steal browser information (history, passwords, etc) 30->98 100 Sets debug register (to hijack the execution of another thread) 30->100 102 10 other signatures 30->102 36 msedge.exe 2 12 30->36         started        39 msedge.exe 30->39         started        41 msedge.exe 30->41         started        43 3 other processes 30->43 signatures12 process13 signatures14 90 Monitors registry run keys for changes 36->90 45 msedge.exe 36->45         started        47 msedge.exe 39->47         started        49 msedge.exe 41->49         started        51 chrome.exe 43->51         started        54 WerFault.exe 2 43->54         started        56 msedge.exe 43->56         started        process15 dnsIp16 70 www.google.com 142.251.153.119, 443, 49717, 49722 GOOGLEUS United States 51->70
Score:
17%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/6d56f099ff02a11ccd233f8a9f5531d9a459fcbb2541551134fa9e435bfd177f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d56f099ff02a11ccd233f8a9f5531d9a459fcbb2541551134fa9e435bfd177f/
Verdict:
Malicious
Threat:
Family.VIDAR
Link:
https://tip.neiki.dev/file/6d56f099ff02a11ccd233f8a9f5531d9a459fcbb2541551134fa9e435bfd177f
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvlpbgp7akqrztjdh6fj6vjr3gsft7f3evavkeju7kpegw75c57q._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:2e0c5c587d7b8e8143b2e2b1abf14b99 collection discovery execution spyware stealer
Link:
https://tria.ge/reports/260401-gen3kaby2w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detects Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://204.168.172.164
https://telegram.me/p74kol
https://steamcommunity.com/profiles/76561198721902688
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d56f099ff02a11ccd233f8a9f5531d9a459fcbb2541551134fa9e435bfd177f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments