MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b16ec86306d55b3dcdfb7897bb9dcc059b8fa2cd9ebfc31b801838f2652f81e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 12



SHA256 hash: 7b16ec86306d55b3dcdfb7897bb9dcc059b8fa2cd9ebfc31b801838f2652f81e
SHA3-384 hash: 84279286adf137ab9b038dc3685144c4c4cc29413c23849e9c1bf1a1af88a4eebc8f4054a27d6db52eef118487cb93f4
SHA1 hash: 867e6e4e62e6a48b29439da2b1299f650e2769ec
MD5 hash: caccc2e6232c63bdd21bfaf65eff6c78
humanhash: romeo-twenty-six-coffee
File name: Package.exe
Signature: Vidar
File size: 76'655'964 bytes
First seen: 2026-06-13 15:05:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (587 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer)
ssdeep: 1572864:PL2um44HiFzg1nNHG3cv4JW4/KMYAMvJmiftzjPzcsZM2AWUQriXyc:PLTm4vC9NYJo+sUifljLcs22/G
TLSH: T131F7338A7E22F03FF413D473E11856E9625AF184D7338FA6113E91DEF8E2A116B441A7
TrID: 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
      8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 70c8b0b272e2f0f1 (1 x Vidar)
Reporter: aachum
Tags: donutloader exe vidar


iamaachum
https://github.com/MeshProduction/Photoshop-2026 => https://telegra.ph/Download-06-03-19 => https://github.com/Guardtrotier/scaling-octo-goggles/releases/download/Package/Project-main.zip

Vidar C2:
https://telegram.me/d77xtr
https://ggt.glamisrent.com/
Other IOCs:
http://185.107.74.84:3000/send

Intelligence


File Origin
# of uploads: 1
# of downloads: 144
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Package.exe
Verdict: Malicious activity
Analysis date: 2026-06-13 15:08:18 UTC
Tags: evasion ip-check

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 90.2%
Tags: obfuscate shell sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a window
Searching for the window
Searching for the Windows task manager window
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Forced system process termination
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Launching the process to interact with network services
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug crypto evasive fingerprint installer installer installer-heuristic microsoft_visual_cc nsis packed reconnaissance
Verdict: Malicious
File Type: exe x32
First seen: 2026-06-11T23:53:00Z UTC
Last seen: 2026-06-13T01:55:00Z UTC
Hits: ~10
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Bypasses PowerShell execution policy
Drops large PE files
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Uses WMIC command to query system information (often done to detect virtual machines)
Behaviour
Behavior Graph:
Behavior Graph ID: 1927608. Sample: Package.exe. Startdate: 13/06/2026. Architecture: WINDOWS. Score: 84.
Top-level DNS/IP contacts: ipinfo.io; ifconfig.me; 4 other IPs or domains.
Top-level signatures: Uses known network protocols on non-standard ports; Unusual module load detection (module proxying); Uses WMIC command to query system information (often done to detect virtual machines); 3 other signatures.
Process tree recovered from the graph (signatures and network contacts listed under the node that raised them):
Package.exe
    dropped: C:\Users\user\AppData\...\Github Inc.exe (PE32+); C:\Users\user\AppData\Local\...\nsis7z.dll (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32); 13 other files (none is malicious)
    signature: Drops large PE files
Github Inc.exe
    signature: Uses WMIC command to query system information (often done to detect virtual machines)
    cmd.exe (signature: Encrypted powershell cmdline option found)
        powershell.exe
            cmd.exe
                Github Inc.exe (second instance; see below)
                conhost.exe
        conhost.exe
    cmd.exe (signatures: Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy; Uses WMIC command to query system information (often done to detect virtual machines))
        2 other processes
    cmd.exe
        WMIC.exe (signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines))
        conhost.exe
    19 other processes
        net.exe
            net1.exe
            Conhost.exe
        WMIC.exe
            Conhost.exe
        conhost.exe
            Conhost.exe
        25 other processes (contact: 169.254.169.254 USDOS-USDepartmentofStateUS ZZ)
            net1.exe
            net1.exe
            Conhost.exe
Github Inc.exe (second instance, started via cmd.exe under powershell.exe)
    network: 185.107.74.84, 3000, 49702, 49711 NEONCORENETWORKSUS Sweden; ifconfig.me 34.160.111.145, 443, 49704, 49716 GOOGLE-CLOUD-PLATFORM-GoogleLLCUS United States; 4 other IPs or domains
    signature: Uses WMIC command to query system information (often done to detect virtual machines)
    cmd.exe (signature: Uses cmd line tools excessively to alter registry or file data)
        conhost.exe
        2 other processes
    cmd.exe (signature: Uses WMIC command to query system information (often done to detect virtual machines))
        WMIC.exe
            Conhost.exe
        conhost.exe
    cmd.exe
        WMIC.exe
            Conhost.exe
        conhost.exe
    3 other processes
        conhost.exe
        reg.exe
        2 other processes
Threat name: Win32.Malware.Generic
Status: Suspicious
First seen: 2026-06-12 06:54:42 UTC
File Type: PE (Exe)
Extracted files: 153
AV detection: 1 of 36 (2.78%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags:
family:donutloader family:vidar botnet:e9eb8ce59e9522ba4a5c63a6bf0e2a38 credential_access defense_evasion discovery execution loader persistence spyware stealer themida trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Looks for VMWare Tools registry key
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Detects DonutLoader
Family: DonutLoader
Family: Vidar
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
https://135.181.224.74
https://telegram.me/d77xtr
https://steamcommunity.com/profiles/76561198694566254
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: GenesisStealer_Installer_NSIS_MaaS_Template
Author: n3r
Description: GenesisStealer NSIS installer (MaaS template). Imphash-based broad detector - also catches ScarfaceStealer / RemusStealer / VoidStealer variants sharing the same installer shell.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File type: Executable exe
SHA256 hash: 7b16ec86306d55b3dcdfb7897bb9dcc059b8fa2cd9ebfc31b801838f2652f81e (this sample)
