MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 714d7115584e06c36aefc21072564eccf0cb279abff6bbc2828ec34c1188e8c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 26 File information Comments

SHA256 hash:	714d7115584e06c36aefc21072564eccf0cb279abff6bbc2828ec34c1188e8c5
SHA3-384 hash:	87f1185b8a96447a3a3be50bae852f6df4491e8f81031793fd2490d70abe32efd7113725b83bc93371bd2d7da7a157a6
SHA1 hash:	ccc17ba42d4a085613d292f7b91adbfdd9e1162c
MD5 hash:	0a8bbfcda3dd19578874767817def0e2
humanhash:	minnesota-washington-queen-earth
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	8'340'104 bytes
First seen:	2025-11-21 16:43:44 UTC
Last seen:	2025-11-21 22:08:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (92 x Rhadamanthys, 71 x Vidar, 41 x LummaStealer)
ssdeep	49152:QxnXIoGUVVKNhSs+tLztfGjoRIMtFkReIM:Qow1fu
Threatray	141 similar samples on MalwareBazaar
TLSH	T11686F6123B4144ADD79AA238F8E3E128EE25784C133167D39F1FAB261F652D066F6713
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-gcleaner exe G signed vidar

Code Signing Certificate

Organisation:	changecoins.org
Issuer:	WE1
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-09-25T22:37:53Z
Valid to:	2025-12-24T23:34:17Z
Serial number:	840612f415ae0557114afaffa49c58d2
Intelligence:	6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	2c6b68f759d67e4e454b6fffac13319fe4b7a774bdac2b422b9b7711c890c41f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-11-21 16:45:28 UTC

Tags:

golang xor-url generic

Link:

https://app.any.run/tasks/2075da51-e121-44ce-9483-18dae63e7f3d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38957/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692096e98cf6736ec0b02037

Tags:

emotet cobalt

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Behavior that indicates a threat

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-vm golang infostealer signed

Link:

https://www.filescan.io/uploads/692096e3f96b58f0dc7f3d20/reports/128c3407-0911-4c05-a6f0-5f6159229737/overview

Verdict:

Malicious

Labled as:

WinGo/Kryptik.MK trojan

Link:

https://www.hybrid-analysis.com/sample/714d7115584e06c36aefc21072564eccf0cb279abff6bbc2828ec34c1188e8c5

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-21T14:12:00Z UTC

Last seen:

2025-11-22T14:03:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Agent.smexii Trojan.Win64.Agent.sb

Link:

https://opentip.kaspersky.com/714d7115584e06c36aefc21072564eccf0cb279abff6bbc2828ec34c1188e8c5/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2907fbf7-707e-4455-9f2f-1210c74c551f

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/714d7115584e06c36aefc21072564eccf0cb279abff6bbc2828ec34c1188e8c5

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/714d7115584e06c36aefc21072564eccf0cb279abff6bbc2828ec34c1188e8c5/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/714d7115584e06c36aefc21072564eccf0cb279abff6bbc2828ec34c1188e8c5

Threat name:

Win64.Trojan.PurelogStealer

Status:

Malicious

First seen:

2025-11-21 16:56:14 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ofgxcfkyjydmg2xpyiihevsoztymwj42x73lxqucr3buyemi5dcq._file

Verdict:

malicious

Label(s):

vidar

Vidar

2d87241730f4bf1a6c4b6746ce2dcad3448e89e85d2eb54d5e86cb263d609a45

Vidar

4154a81334fa6da1113851f6e4d167de1fbf4ceaa49a8c87df5ebd9d707574c2

Vidar

5d86360b356b9222bcb42b45cd16245433230b6d9bb9b98c206fbd1a9e846732

Vidar

9433f6153e90586166912e1739a56d2aac7d470903f43f509120f97825c2d856

Vidar

bc1b0f943f66fcc1e903ec4d742185a22a0260807d057a6da43c2ef4d09bd32f

Vidar

da9551fc5564a6958b3aa72edc88b71d00d12ddc5cdb9f6038c07512bd56e502

Vidar

error

Vidar

+ 131 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:hijackloader family:vidar botnet:e07af77888213c648e6c464e9d9b7847 discovery spyware stealer

Link:

https://tria.ge/reports/251121-t8zglsdl3y/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Drops file in Windows directory

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Detects Vidar Stealer

Vidar

Vidar family

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561198767911792

Verdict:

Malicious

Tags:

Stealc

YARA:

n/a

Link:

https://app.threat.zone/submission/01eb5487-46ac-4c5f-8a90-0a0ff99306b0

Unpacked files

SH256 hash:

714d7115584e06c36aefc21072564eccf0cb279abff6bbc2828ec34c1188e8c5

MD5 hash:

0a8bbfcda3dd19578874767817def0e2

SHA1 hash:

ccc17ba42d4a085613d292f7b91adbfdd9e1162c

Link:

https://www.unpac.me/results/d4929ea9-f7f5-4aa6-8d80-06475a9c8eb5/

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/714d7115584e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.29

Link:

https://yomi.yoroi.company/submissions/714d7115584e06c36aefc21072564eccf0cb279abff6bbc2828ec34c1188e8c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

Gcleaner

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/38957/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample