MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79dfd95a5e2b99b5ecb6e081ade8271cb39ccfc3e5aafc142f16df9f053ca6b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	79dfd95a5e2b99b5ecb6e081ade8271cb39ccfc3e5aafc142f16df9f053ca6b4
SHA3-384 hash:	60370efc2dc5b745c54289631af500bb2e06da64052030842f5a974a31f0afca4c45dc5394f7d68cc67057d87f03909c
SHA1 hash:	a36ce51976fc28f7fd9f580037bd26757f8c63c0
MD5 hash:	4947784bb72d40755ad1b63d5cfc91c0
humanhash:	london-finch-mars-gee
File name:	[0]~
Download:	download sample
Signature	Vidar Create hunting rule
File size:	2'711'552 bytes
First seen:	2025-02-14 05:29:57 UTC
Last seen:	2025-02-14 07:10:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1ce8f27fa6a4c76ae900e1f5583c7d14 (1 x Vidar)
ssdeep	24576:MJA7Nc/iOEGmJvXh5yF105HOrE/Ev/t/9YsrBp2riG3/oGo1X3OrlUHyCKpRbGU:M+OE9JXLyFeIAEv/t/9YsDeis/88aHU
TLSH	T1E4C5C011BBE38090D7590A3009B6BB78177E7CA61F359E8B2154FE5EAD361D1BC36322
TrID	39.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 29.6% (.EXE) InstallShield setup (43053/19/16) 11.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 7.2% (.EXE) Win64 Executable (generic) (10522/11/4) 3.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
File icon (PE):
dhash icon	30f6aae8a8aaf630 (3 x Vidar)
Reporter	abuse_ch
Tags:	de-pumped exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

492

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

[0]~

Verdict:

No threats detected

Analysis date:

2025-02-14 05:40:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e19b9339-5677-48fc-b6e4-39cdb321d127

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.31067.29542.UNOFFICIAL

Verdict:

Clean

Score:

84.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67aed4eb28ab76d43a5ae077

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm evasive explorer lolbin microsoft_visual_cc obfuscated rundll32

Link:

https://www.filescan.io/uploads/67aed4ea991985e0a958b3d1/reports/edde0175-51c1-4119-9b91-d0a3d622d132/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/79dfd95a5e2b99b5ecb6e081ade8271cb39ccfc3e5aafc142f16df9f053ca6b4

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/34a09040-bb21-48eb-88c0-f8df031a4246

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1614814

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

11%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/79dfd95a5e2b99b5ecb6e081ade8271cb39ccfc3e5aafc142f16df9f053ca6b4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/79dfd95a5e2b99b5ecb6e081ade8271cb39ccfc3e5aafc142f16df9f053ca6b4/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=php5sws6fom3l3fw4ca232bhdszzzt6d4wvpyfbpc3pz6bj4u22a._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/250214-f69mxatndl/

Behaviour

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Downloads MZ/PE file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/716f9491-1c50-42a8-a7fb-358a1b86edb8

Unpacked files

SH256 hash:

79dfd95a5e2b99b5ecb6e081ade8271cb39ccfc3e5aafc142f16df9f053ca6b4

MD5 hash:

4947784bb72d40755ad1b63d5cfc91c0

SHA1 hash:

a36ce51976fc28f7fd9f580037bd26757f8c63c0

Link:

https://www.unpac.me/results/cd84b74a-5217-4ca8-8efe-4192a9aa01ec/

SH256 hash:

21ae3a999690b2841362e57cee8bce5dea75daff70434fc105210b592cf515d1

MD5 hash:

0c76ea90fc6916e445101dd459ea2da5

SHA1 hash:

583d8831160607458c7a3074931a7e0cc06649bb

Link:

https://www.unpac.me/results/cd84b74a-5217-4ca8-8efe-4192a9aa01ec/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/79dfd95a5e2b99b5ecb6e081ade8271cb39ccfc3e5aafc142f16df9f053ca6b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)