MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c78a1243f82d3f5ea27d60b30524df41ef238482a4bc2ef0c414e14bed1d256. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c78a1243f82d3f5ea27d60b30524df41ef238482a4bc2ef0c414e14bed1d256
SHA3-384 hash: f2df4b3b90ec0f4389ff1fe3bd3a6c4594ac3d379f5adbfe3fc425f427c585f46800142e149dcb8533929049356fc6b7
SHA1 hash: 9e67b48e81abfe86c9fa9093e07493269c395abf
MD5 hash: c5ad9a93b22622ae100aff54ae31dc8a
humanhash: wyoming-snake-spaghetti-yankee
File name:Howard_patched.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:2'736'128 bytes
First seen:2025-02-13 20:27:10 UTC
Last seen:2025-02-14 06:50:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fe42871ff8912bb928dd62980b167abf (2 x Vidar)
ssdeep 49152:Xq91oXkg/tJbF4AEv/Uk9YzZzi4rPUUxva:a91AtFJSAUzYzZzfrPUUE
TLSH T1B0C5C001B6E780A0E7591A3008B6AB785B3E7DA51F318ACB2754FE5DBD321E17D35322
TrID 31.4% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
23.5% (.EXE) InstallShield setup (43053/19/16)
17.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.7% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika pebin
File icon (PE):PE icon
dhash icon 30f6aae8a8aaf630 (3 x Vidar)
Reporter SI_FalconTeam
Tags:exe piratefi vidar


Avatar
SI_FalconTeam
Vidar stealer distributed via Steam game "PirateFi". C2: opbafindi[.]com

Intelligence

File Origin
# of uploads :
4
# of downloads :
720
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Howard_patched.exe
Verdict:
Malicious activity
Analysis date:
2025-02-13 20:30:31 UTC
Tags:
telegram stealer
Link:
https://app.any.run/tasks/9c51459c-d243-4f22-8006-d66c5c84773a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.31757.2592.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ae55ada0fd713c335ac507
Tags:
injection dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Behavior that indicates a threat
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm crypto evasive explorer fingerprint keylogger lolbin microsoft_visual_cc obfuscated overlay packed packed packer_detected rundll32
Link:
https://www.filescan.io/uploads/67ae55a3fc59120fe522a618/reports/f1948f78-2661-4a64-8c00-b4114a5542e0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/9c78a1243f82d3f5ea27d60b30524df41ef238482a4bc2ef0c414e14bed1d256
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/915dc2c5-7b24-4df5-af86-23d8cc173259
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1614563
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Score:
11%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/9c78a1243f82d3f5ea27d60b30524df41ef238482a4bc2ef0c414e14bed1d256
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c78a1243f82d3f5ea27d60b30524df41ef238482a4bc2ef0c414e14bed1d256/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tr4kcjb7qlj7l2rh2yftausn6qppeocifjf4f3ymifhbjpwr2jla._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/250213-y8hajstrcn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ff4d57f0-4d77-4dd0-81f3-b550266b771c
Unpacked files
SH256 hash:
9c78a1243f82d3f5ea27d60b30524df41ef238482a4bc2ef0c414e14bed1d256
MD5 hash:
c5ad9a93b22622ae100aff54ae31dc8a
SHA1 hash:
9e67b48e81abfe86c9fa9093e07493269c395abf
Link:
https://www.unpac.me/results/af8f0d75-57e2-4c5c-a9f3-a15feb751492/
SH256 hash:
cc2f661aac9c05646933f717e629a69be93d8d06803066289d6dc1105aac6cd2
MD5 hash:
9d7744e15bb8e3d005079b18979c8544
SHA1 hash:
7b326c96e5f3f6baaf6e9390b119a4ffb3df2c64
Link:
https://www.unpac.me/results/af8f0d75-57e2-4c5c-a9f3-a15feb751492/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c78a1243f82d3f5ea27d60b30524df41ef238482a4bc2ef0c414e14bed1d256

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Stealc_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Stealc Payload
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Vidar_unpacked_PulseIntel
Create hunting rule
Author:PulseIntel
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 9c78a1243f82d3f5ea27d60b30524df41ef238482a4bc2ef0c414e14bed1d256

(this sample)

  
X
https://x.com/SI_FalconTeam/status/1890133585622966288
  
Delivery method
Distributed via web download

Comments