MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee
SHA3-384 hash: d53f3c7c6ca3fe2559d6dd1837c07cd02ccd4ac35eddf0bf7c4023153ed971e57abe2710e6593aa4aa7d42c5fa2729fc
SHA1 hash: 4a3b93f199dd4c63009148817326c5b4bdcfd9a5
MD5 hash: 9f23884ac4706943480126132947eff2
humanhash: river-pasta-eleven-fruit
File name:CornflowerBlue1.dat
Download: download sample
Signature Vidar
Create hunting rule
File size:1'723'904 bytes
First seen:2025-12-23 17:42:17 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c37e77d466a62b13f872fa8f274453f0 (1 x Vidar)
ssdeep 24576:vuhTw+ipdgNouHEUsRktcw++17XnyqNCnxV8bpQhOT4R0rhcRdiz70T6aS:o+fg2mzTtcS7XnsvV7Rg6Piz70T6aS
TLSH T1B3850123B642E0BED49F02B1A01DD73C5EBBA91417518DEB03D45DB88DB8BD15A3872E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:178-22-24-175 dll QuasarRAT VenomRAT vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
FR FR
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45913/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694ad4b601c7b4a8fe552527
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd krypt lolbin masquerade packed rust
Link:
https://www.filescan.io/uploads/694ad4b33f8fdbf8e9503f70/reports/efde47d1-117e-482a-a389-1bf070783493/overview
Verdict:
Malicious
Labled as:
GenKryptik_AGeneric.BKZ trojan
Link:
https://www.hybrid-analysis.com/sample/7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Clean
File Type:
dll x32
First seen:
2025-10-16T08:00:00Z UTC
Last seen:
2025-11-16T23:36:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/140883fe-f023-4f74-825d-070dd9d18951
Result
Threat name:
KeyLogger, Quasar, StormKitty, VenomRAT,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1838364
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Yara detected BrowserPasswordDump
Yara detected Keylogger Generic
Yara detected Quasar RAT
Yara detected StormKitty Stealer
Yara detected VenomRAT
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1838364 Sample: CornflowerBlue1.dat.dll Startdate: 23/12/2025 Architecture: WINDOWS Score: 100 117 pastebin.com 2->117 119 telegram.me 2->119 121 4 other IPs or domains 2->121 135 Suricata IDS alerts for network traffic 2->135 137 Found malware configuration 2->137 139 Malicious sample detected (through community Yara rule) 2->139 143 14 other signatures 2->143 15 loaddll32.exe 1 2->15         started        18 eServiceHost.exe 2->18         started        20 unsecapp.exe 2->20         started        22 3 other processes 2->22 signatures3 141 Connects to a pastebin service (likely for C&C) 117->141 process4 signatures5 171 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 15->171 24 regsvr32.exe 16 6 15->24         started        29 cmd.exe 1 15->29         started        31 rundll32.exe 15->31         started        33 3 other processes 15->33 173 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->173 process6 dnsIp7 131 178.22.24.175, 4449, 49710 CLEVERNETWORK-ASNFR Switzerland 24->131 133 pastebin.com 104.20.29.150, 443, 49709 CLOUDFLARENETUS United States 24->133 107 C:\...\Cross-platform_25.49.22_INSTALL.exe, PE32 24->107 dropped 109 C:\Users\user\...\Adaptive_96.3.0_INSTALL.exe, PE32 24->109 dropped 159 System process connects to network (likely due to code injection or exploit) 24->159 161 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->161 163 Found many strings related to Crypto-Wallets (likely being stolen) 24->163 169 2 other signatures 24->169 35 cmd.exe 1 24->35         started        38 cmd.exe 24->38         started        165 Suspicious powershell command line found 29->165 167 Bypasses PowerShell execution policy 29->167 40 rundll32.exe 29->40         started        file8 signatures9 process10 signatures11 145 Suspicious powershell command line found 35->145 42 powershell.exe 12 35->42         started        44 conhost.exe 35->44         started        46 powershell.exe 38->46         started        48 conhost.exe 38->48         started        process12 process13 50 Cross-platform_25.49.22_INSTALL.exe 2 42->50         started        53 Adaptive_96.3.0_INSTALL.exe 46->53         started        file14 95 C:\...\Cross-platform_25.49.22_INSTALL.tmp, PE32 50->95 dropped 55 Cross-platform_25.49.22_INSTALL.tmp 3 5 50->55         started        97 C:\Users\user\...\Adaptive_96.3.0_INSTALL.tmp, PE32 53->97 dropped 58 Adaptive_96.3.0_INSTALL.tmp 53->58         started        process15 file16 99 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 55->99 dropped 101 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 55->101 dropped 60 Cross-platform_25.49.22_INSTALL.exe 55->60         started        103 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 58->103 dropped 105 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 58->105 dropped 63 Adaptive_96.3.0_INSTALL.exe 58->63         started        process17 file18 111 C:\...\Cross-platform_25.49.22_INSTALL.tmp, PE32 60->111 dropped 65 Cross-platform_25.49.22_INSTALL.tmp 60->65         started        113 C:\Users\user\...\Adaptive_96.3.0_INSTALL.tmp, PE32 63->113 dropped 68 Adaptive_96.3.0_INSTALL.tmp 63->68         started        process19 file20 79 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 65->79 dropped 81 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 65->81 dropped 83 C:\ProgramData\...\vcruntime140.dll (copy), PE32 65->83 dropped 91 9 other malicious files 65->91 dropped 70 eServiceHost.exe 65->70         started        85 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 68->85 dropped 87 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 68->87 dropped 89 C:\ProgramData\...\vcruntime140_1.dll (copy), PE32+ 68->89 dropped 93 11 other malicious files 68->93 dropped 74 FnHotkeyUtility.exe 68->74         started        process21 dnsIp22 123 ipwho.is 15.204.213.5 HP-INTERNET-ASUS United States 70->123 147 Hides that the sample has been downloaded from the Internet (zone.identifier) 70->147 149 Installs a global keyboard hook 70->149 151 Unusual module load detection (module proxying) 70->151 76 Adaptive_96.3.0_INSTALL.exe 70->76         started        125 telegram.me 149.154.167.99 TELEGRAMRU United Kingdom 74->125 127 gdcrl.godaddy.com.akadns.net 192.124.249.36 SUCURI-SECUS United States 74->127 129 steamcommunity.com 184.30.122.179 AKAMAI-ASUS United States 74->129 153 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 74->153 155 Tries to detect virtualization through RDTSC time measurements 74->155 157 Found direct / indirect Syscall (likely to bypass EDR) 74->157 signatures23 process24 file25 115 C:\Users\user\...\Adaptive_96.3.0_INSTALL.tmp, PE32 76->115 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/9f23884ac4706943480126132947eff2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-10-16 12:05:00 UTC
File Type:
PE (Dll)
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pj4fnli7xvyjfvcqhnnc3k7nenttdmfw3pctssuw4pcrec2qi3xa._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/251225-nybpxatner/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee
MD5 hash:
9f23884ac4706943480126132947eff2
SHA1 hash:
4a3b93f199dd4c63009148817326c5b4bdcfd9a5
Link:
https://www.unpac.me/results/1eefcd92-7bfb-4c37-94bc-11cc5642b872/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

DLL dll 7a7856ad1fbd7092d4503b5a2dabed236731b0b6dbc5394a96e3c5120b5046ee

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/45913/

Comments