MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83989cd752c38c8cfc6dc52cf7535c417068c7e1b89ff9cfb23f6eb6d52dc4f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 15

Intelligence 15 IOCs YARA 21 File information Comments

SHA256 hash:	83989cd752c38c8cfc6dc52cf7535c417068c7e1b89ff9cfb23f6eb6d52dc4f6
SHA3-384 hash:	c4824298acf0accfbf96bb81a0e65980b7bb2462c9dbda1cfd0c5baab0db7d629fab1dcfbb738fc80fcfd44549487c23
SHA1 hash:	c2a9b9be95d39289f72fca96580ca7e3ceace19a
MD5 hash:	c473dc2256befa2c730d92b4c26e6a58
humanhash:	september-september-dakota-november
File name:	filed.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	3'910'664 bytes
First seen:	2025-10-03 06:48:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (92 x Rhadamanthys, 60 x Vidar, 41 x LummaStealer)
ssdeep	49152:x7DzNxbat7/zeWPxo6QQl6SvH5Fu7Rp0g:x73ZW5o6Q8uv0g
TLSH	T1A60649877CA848EAD29DE27589B216727660BC095B3123D33E547A3C2E777C09D7EB04
TrID	37.3% (.EXE) Win64 Executable (generic) (10522/11/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

www.malwarebazar.com

Verdict:

Malicious activity

Analysis date:

2025-10-03 06:50:01 UTC

Tags:

obfuscated-js arch-exec vidar stealer stealc golang

Link:

https://app.any.run/tasks/b27c1a64-0a21-4585-85c7-b447ea69711b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/29995/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68df720dc21e799f5cd48bc5

Tags:

injection emotet obfusc virus

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

golang invalid-signature obfuscated signed

Link:

https://www.filescan.io/uploads/68df72c174e5a289899f825e/reports/c1700c5f-a671-42b8-a17c-68b761e0d555/overview

Verdict:

Malicious

Labled as:

Trojan_Win32_Wacatac_B_ml

Link:

https://www.hybrid-analysis.com/sample/83989cd752c38c8cfc6dc52cf7535c417068c7e1b89ff9cfb23f6eb6d52dc4f6

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-02T10:33:00Z UTC

Last seen:

2025-10-03T19:07:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/83989cd752c38c8cfc6dc52cf7535c417068c7e1b89ff9cfb23f6eb6d52dc4f6/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ba80c64a-f31c-4aed-96ae-aea775f3e052

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1788543

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Suricata IDS alerts for network traffic

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

38%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/83989cd752c38c8cfc6dc52cf7535c417068c7e1b89ff9cfb23f6eb6d52dc4f6

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83989cd752c38c8cfc6dc52cf7535c417068c7e1b89ff9cfb23f6eb6d52dc4f6/

Threat name:

Win64.Spyware.Vidar

Status:

Suspicious

First seen:

2025-10-02 16:04:17 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 38 (42.11%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qomjzv2syogiz7dnyuwpou24ifygrr7bxcp7tt5sh5xlnvjnyt3a._file

Verdict:

malicious

Label(s):

vidar

Similar samples:

error

Vidar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:abd4e05d396ca9327c005130483ae000n stealer

Link:

https://tria.ge/reports/251003-hngwaatkv9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Vidar

Vidar family

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561198783900411
https://telegram.me/rif0lm

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0ed22311-1249-4825-a5b5-e9287624055b

Unpacked files

SH256 hash:

83989cd752c38c8cfc6dc52cf7535c417068c7e1b89ff9cfb23f6eb6d52dc4f6

MD5 hash:

c473dc2256befa2c730d92b4c26e6a58

SHA1 hash:

c2a9b9be95d39289f72fca96580ca7e3ceace19a

Link:

https://www.unpac.me/results/29c094b9-a192-452d-8052-246c7618053a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/83989cd752c38c8cfc6dc52cf7535c417068c7e1b89ff9cfb23f6eb6d52dc4f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe 83989cd752c38c8cfc6dc52cf7535c417068c7e1b89ff9cfb23f6eb6d52dc4f6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3635670/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/29995/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample