MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b72b274db8d5ec8a8e192876de28a5f21d393654b3b4abf67941c787dd071e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b72b274db8d5ec8a8e192876de28a5f21d393654b3b4abf67941c787dd071e9
SHA3-384 hash: df69638f803c15e5e569438494bea7a75b7a080f19ab0fb4236ded1fbb0fd3625069ac425481de2b2e0eb6a9c0b3eca6
SHA1 hash: dd9991363d126fe99f967b17f272f09101f2b1b9
MD5 hash: 682f01176544192304163bcb5b4a6b69
humanhash: zulu-apart-maine-ohio
File name:SecuriteInfo.com.Win64.MalwareX-gen.17353.20069
Download: download sample
Signature Vidar
Create hunting rule
File size:518'184 bytes
First seen:2025-05-12 15:39:53 UTC
Last seen:2025-05-13 12:48:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e2a6ecfffc5d43a7565ef87874e92c4 (49 x LummaStealer, 13 x Vidar, 3 x Stealc)
ssdeep 12288:kLrjDsMQNu7VTrw5ZvFFO4rAieZkjIRKI68zxEOXIIEO:KrjDsNCTrw3TnEzn4It
Threatray 229 similar samples on MalwareBazaar
TLSH T1A8B4BE2AD64264EBFD6B00B28A226684347A7D22873C1FFF67E0D7311E176D41E39725
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe vidar

Intelligence

File Origin
# of uploads :
3
# of downloads :
479
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.17353.20069.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68211bd24a59e5a2ce03bca0
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint invalid-signature microsoft_visual_cc packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/68221669c7418694c8a929d0/reports/7d864aca-cdd0-46f9-87a3-d53110130f9b/overview
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/8b72b274db8d5ec8a8e192876de28a5f21d393654b3b4abf67941c787dd071e9
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f129ea75-3dee-4402-b7a5-d6f4616c5eff
Result
Threat name:
LummaC Stealer, Vidar, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1688129
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to infect the boot sector
Creates multiple autostart registry keys
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Locky time evasion found (measures execution of CloseHandle and GetProcessHeap)
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1688129 Sample: SecuriteInfo.com.Win64.Malw... Startdate: 12/05/2025 Architecture: WINDOWS Score: 100 109 blackswmxc.top 2->109 111 32.aa.4t.com 2->111 113 8 other IPs or domains 2->113 141 Suricata IDS alerts for network traffic 2->141 143 Found malware configuration 2->143 145 Malicious sample detected (through community Yara rule) 2->145 147 16 other signatures 2->147 13 SecuriteInfo.com.Win64.MalwareX-gen.17353.20069.exe 2->13         started        16 IKGDDP.exe 2->16         started        19 IKGDDP.exe 2->19         started        21 msedge.exe 104 636 2->21         started        signatures3 process4 dnsIp5 195 Writes to foreign memory regions 13->195 197 Allocates memory in foreign processes 13->197 199 Injects a PE file into a foreign processes 13->199 24 MSBuild.exe 35 13->24         started        89 C:\Users\user\AppData\Local\...\LUQZIW.exe, PE32 16->89 dropped 201 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->201 29 LUQZIW.exe 16->29         started        91 C:\Users\user\AppData\Local\...\OSJKKW.exe, PE32 19->91 dropped 31 OSJKKW.exe 19->31         started        115 192.168.2.23 unknown unknown 21->115 117 239.255.255.250 unknown Reserved 21->117 33 msedge.exe 21->33         started        35 msedge.exe 21->35         started        37 msedge.exe 21->37         started        39 msedge.exe 21->39         started        file6 signatures7 process8 dnsIp9 119 32.aa.4t.com 78.46.233.21, 443, 49686, 49687 HETZNER-ASDE Germany 24->119 121 t.me 149.154.167.99, 443, 49685, 49811 TELEGRAMRU United Kingdom 24->121 127 2 other IPs or domains 24->127 97 C:\Users\user\AppData\...\XClient[1].exe, PE32 24->97 dropped 99 C:\Users\user\...\LisuasControl[1].exe, PE32+ 24->99 dropped 101 C:\Users\user\AppData\...\ShtrayEasy[1].exe, PE32 24->101 dropped 103 3 other malicious files 24->103 dropped 161 Attempt to bypass Chrome Application-Bound Encryption 24->161 163 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->163 165 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->165 171 6 other signatures 24->171 41 pph4eu37qi.exe 24->41         started        45 9zcba1nym7.exe 24->45         started        47 m79zukxtje.exe 24->47         started        49 3 other processes 24->49 167 Multi AV Scanner detection for dropped file 29->167 169 Creates multiple autostart registry keys 29->169 123 13.107.246.69, 443, 49774, 49775 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->123 125 s-part-0043.t-0009.fb-t-msedge.net 13.107.253.71, 443, 49741 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->125 129 35 other IPs or domains 33->129 file10 signatures11 process12 dnsIp13 105 C:\Users\user\AppData\Local\...XGVPV.exe, PE32 41->105 dropped 173 Multi AV Scanner detection for dropped file 41->173 175 Locky time evasion found (measures execution of CloseHandle and GetProcessHeap) 41->175 177 Contains functionality to detect virtual machines (IN, VMware) 41->177 193 4 other signatures 41->193 52 EXGVPV.exe 41->52         started        179 Writes to foreign memory regions 45->179 181 Allocates memory in foreign processes 45->181 183 Injects a PE file into a foreign processes 45->183 56 MSBuild.exe 45->56         started        185 Antivirus detection for dropped file 47->185 187 Bypasses PowerShell execution policy 47->187 189 Adds a directory exclusion to Windows Defender 47->189 59 powershell.exe 47->59         started        61 powershell.exe 47->61         started        107 192.168.2.7, 138, 443, 49228 unknown unknown 49->107 191 Monitors registry run keys for changes 49->191 63 chrome.exe 49->63         started        65 msedge.exe 49->65         started        67 conhost.exe 49->67         started        69 timeout.exe 49->69         started        file14 signatures15 process16 dnsIp17 93 C:\Users\user\AppData\Local\...\IKGDDP.exe, PE32 52->93 dropped 149 Multi AV Scanner detection for dropped file 52->149 151 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 52->151 71 IKGDDP.exe 52->71         started        131 blackswmxc.top 104.21.55.211, 443, 49803, 49804 CLOUDFLARENETUS United States 56->131 153 Query firmware table information (likely to detect VMs) 56->153 155 Loading BitLocker PowerShell Module 59->155 75 conhost.exe 59->75         started        77 conhost.exe 61->77         started        133 pki-goog.l.google.com 142.250.68.227, 443, 49696, 49714 GOOGLEUS United States 63->133 135 www.google.com 192.178.49.164, 443, 49704, 49709 GOOGLEUS United States 63->135 137 4 other IPs or domains 63->137 file18 signatures19 process20 file21 95 C:\Users\user\AppData\Local\...\QYFLKY.exe, PE32+ 71->95 dropped 157 Multi AV Scanner detection for dropped file 71->157 159 Creates multiple autostart registry keys 71->159 79 QYFLKY.exe 71->79         started        signatures22 process23 signatures24 203 Multi AV Scanner detection for dropped file 79->203 205 Writes to foreign memory regions 79->205 207 Allocates memory in foreign processes 79->207 209 Injects a PE file into a foreign processes 79->209 82 MSBuild.exe 79->82         started        85 MSBuild.exe 79->85         started        process25 signatures26 139 Tries to harvest and steal browser information (history, passwords, etc) 82->139 87 chrome.exe 82->87         started        process27
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8b72b274db8d5ec8a8e192876de28a5f21d393654b3b4abf67941c787dd071e9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b72b274db8d5ec8a8e192876de28a5f21d393654b3b4abf67941c787dd071e9/
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-05-11 19:08:41 UTC
File Type:
PE+ (Exe)
AV detection:
30 of 37 (81.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnzle5g3rvpmrkhbskdw3yukl4q5he3fjm5uvp3hsqohq7oqohuq._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
1baf394f04ba7c67e5f53c18d6510b81f472af818b5b94f3aec079d7d4688e5b
Vidar
21bfbc7ad27302a1b12edc842d257ec522b48ccb7079925c76f686beb9772bd1
Vidar
2c3066d84a1942c8a7d0873d6863e47b73dca05a07283e52e567533447a7afc9
Vidar
4dfc09bfab1e813c8122d6f8c3d83966346fe676464497ce100e8c385fe5e5f9
Vidar
56adade75a7578033998ac7d63dfb1b307f560341d2cbec9dbbd9c59e532733a
Vidar
8b72b274db8d5ec8a8e192876de28a5f21d393654b3b4abf67941c787dd071e9
Vidar
97b18507cb1ab250f8d1669ce402d79fdbaefb530cce505aa995c861d8ebd946
Vidar
d74e49dd237c22caf3dd5700bdca67bcc7d636e7f57ee32860c99b283b3a7ecb
Vidar
error
Vidar
+ 219 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:vidar family:xworm botnet:bae6b16ce602da6d377e5d6e504feee4 credential_access cryptone discovery execution packer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250512-s4d5fatxb1/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
CryptOne packer
Detect Vidar Stealer
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Vidar
Vidar family
Xworm
Xworm family
Malware Config
C2 Extraction:
https://t.me/m00f3r
https://steamcommunity.com/profiles/76561199851454339
94.26.90.81:2404
https://blackswmxc.top/bgry
https://flowerexju.bet/lanz
https://nzmedtipp.live/mnvzx
https://easterxeen.run/zavc
https://araucahkbm.live/baneb
https://overcovtcg.top/juhd
https://posseswsnc.top/akds
https://featurlyin.top/pdal
Verdict:
Suspicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/19e9b35e-9b5d-4700-92b6-e6ffa5becaf4
Unpacked files
SH256 hash:
8b72b274db8d5ec8a8e192876de28a5f21d393654b3b4abf67941c787dd071e9
MD5 hash:
682f01176544192304163bcb5b4a6b69
SHA1 hash:
dd9991363d126fe99f967b17f272f09101f2b1b9
Link:
https://www.unpac.me/results/4ef746b0-ee5f-4042-8a00-6eafd7194dbb/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b72b274db8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b72b274db8d5ec8a8e192876de28a5f21d393654b3b4abf67941c787dd071e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 8b72b274db8d5ec8a8e192876de28a5f21d393654b3b4abf67941c787dd071e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3542116/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments