MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80a2df6d67c251c6ae13dae5e9189500f9f22ed52928e6484082413ccf9e14db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	80a2df6d67c251c6ae13dae5e9189500f9f22ed52928e6484082413ccf9e14db
SHA3-384 hash:	774023d9781e8dd31475e778914a8b3b9899d7e46c596074c8c0746fa6d56b8f4d33105f452dcb1540dc0a46679c78ae
SHA1 hash:	4814f86089987b8bd083cf6212c3cb7d2ace58f6
MD5 hash:	262dfb3c2333afb399b1a384fa65bdeb
humanhash:	ohio-undress-hotel-carolina
File name:	Howard.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	2'711'552 bytes
First seen:	2025-02-14 05:30:15 UTC
Last seen:	2025-02-14 07:10:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fe42871ff8912bb928dd62980b167abf (2 x Vidar)
ssdeep	49152:Qq91oXkg/tJbF4AEv/Uk9YzZzi4rPUUxv:D91AtFJSAUzYzZzfrPUU
Threatray	632 similar samples on MalwareBazaar
TLSH	T1DDC5C001B6E780A0E7591A3008B6AB785B3E7DA51F31CA8B2754FE5DBD321E17D35322
TrID	39.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 29.6% (.EXE) InstallShield setup (43053/19/16) 11.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 7.2% (.EXE) Win64 Executable (generic) (10522/11/4) 3.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
File icon (PE):
dhash icon	30f6aae8a8aaf630 (3 x Vidar)
Reporter	abuse_ch
Tags:	de-pumped exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

574

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Howard.exe

Verdict:

Malicious activity

Analysis date:

2025-02-14 05:38:18 UTC

Tags:

telegram stealer

Link:

https://app.any.run/tasks/d1ec983a-d041-4d4b-84f7-c2f8325fc765

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.24875.30207.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67aed4f028ab76d43a5ae099

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Behavior that indicates a threat

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm crypto evasive explorer fingerprint keylogger lolbin microsoft_visual_cc obfuscated overlay packed rundll32

Link:

https://www.filescan.io/uploads/67aed4ed77143dfbeacc4ace/reports/1b488321-c114-48dc-9ae3-059c344f8745/overview

Verdict:

Suspicious

Labled as:

TR/AD.Nekark

Link:

https://www.hybrid-analysis.com/sample/80a2df6d67c251c6ae13dae5e9189500f9f22ed52928e6484082413ccf9e14db

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2211ab49-9296-456d-80a9-9f4f4ca443ff

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1614812

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/80a2df6d67c251c6ae13dae5e9189500f9f22ed52928e6484082413ccf9e14db

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/80a2df6d67c251c6ae13dae5e9189500f9f22ed52928e6484082413ccf9e14db/

Threat name:

Win32.Exploit.Vidar

Status:

Malicious

First seen:

2025-02-14 05:31:10 UTC

File Type:

PE (Exe)

Extracted files:

621

AV detection:

20 of 37 (54.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qcrn63lhyji4nlqt3ls6sgevad47elwvfeuomscaqjatzt46ctnq._file

Verdict:

malicious

Label(s):

vidar_2025

Vidar

19198e75f7c830441360a42b06e10415f4368300a7590c119c237ea8c67bf23e

Vidar

52fe28150809bd67b4d263b7ec6188551d5f8dbd15587dcbdd93bb420fca346c

Vidar

65fb800ffd674f60ebe7e54164f3e41545651c0a37ed67bbf97d72cef894ed6d

Vidar

81a16262857bdc1497888c2196a6abb068da74a736724f34828b048777560cce

Vidar

efbd528c8ed8c5253b5e191eedc85e30f75778a417b5f427da115e7f44d9dd47

Vidar

error

Vidar

+ 622 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/250214-f69mxatndm/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Downloads MZ/PE file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/94ceb2dd-4a48-4a1d-a1b4-604006d5c122

Unpacked files

SH256 hash:

80a2df6d67c251c6ae13dae5e9189500f9f22ed52928e6484082413ccf9e14db

MD5 hash:

262dfb3c2333afb399b1a384fa65bdeb

SHA1 hash:

4814f86089987b8bd083cf6212c3cb7d2ace58f6

Link:

https://www.unpac.me/results/cb2d0485-06d5-4185-95ae-6bb07dc130c9/

SH256 hash:

cc2f661aac9c05646933f717e629a69be93d8d06803066289d6dc1105aac6cd2

MD5 hash:

9d7744e15bb8e3d005079b18979c8544

SHA1 hash:

7b326c96e5f3f6baaf6e9390b119a4ffb3df2c64

Link:

https://www.unpac.me/results/cb2d0485-06d5-4185-95ae-6bb07dc130c9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/80a2df6d67c2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/80a2df6d67c251c6ae13dae5e9189500f9f22ed52928e6484082413ccf9e14db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Stealc_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Stealc Payload

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)