MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ebfb0ed3d31f3f3340c4b121aaa4b9b32451ca46807965f25310361666f9b7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 17


SHA256 hash: 9ebfb0ed3d31f3f3340c4b121aaa4b9b32451ca46807965f25310361666f9b7b
SHA3-384 hash: 585d3861335ac5f9dc04b8bd21c5944bbf08d82c4fca87344d55bf721ec04b79c65d07a663422bced2128c1410cc6ca9
SHA1 hash: 11e633b800d68bc94532f29c37a61db88b90a933
MD5 hash: 1112c0d91931c86989dab2c7b64464b1
humanhash: kentucky-alabama-jersey-november
File name: random.exe
Signature: Vidar
File size: 2'947'072 bytes
First seen: 2025-05-30 08:18:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:LXHAbLtJgvfwUp2DvXJ6lynR4NM2tgKlw2UQqp04Ix75HObEtCteVqo0jZLGDLt5:LO+Hw/HX2Y0bBVBqhjZpZ1fzZYOAeRN
TLSH T104D54B61E429B2CFC48A1B798467CDC668AD07F84B1508C3E87D64BE7EA3CC515B7CA4
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags: exe vidar

Intelligence


File Origin
# of uploads: 1
# of downloads: 459
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-05-30 09:06:10 UTC
Tags: amadey botnet stealer loader scan smbscan telegram vidar gcleaner auto-startup xmrig lumma themida rdp auto-download auto-sch evasion github sectoprat arechclient2 rat auto generic autoit redline metastealer golang miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: shellcode autorun spawn sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt microsoft_visual_cc packed packed packer_detected
Result
Threat name: Amadey, LummaC Stealer, Vidar
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1702159, Sample: random.exe, Startdate: 30/05/2025, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-05-30 08:18:33 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey family:asyncrat family:redline family:vidar botnet:8d33eb botnet:c38a9426aa2c67a3161d0acc91461384 botnet:nicodrip botnet:venom clients collection credential_access defense_evasion discovery execution exploit infostealer persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Modifies file permissions
Reads WinSCP keys stored on the system
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Looks for VMWare Tools registry key
Possible privilege escalation attempt
Uses browser remote debugging
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Amadey
Amadey family
AsyncRat
Asyncrat family
Detect Vidar Stealer
RedLine
RedLine payload
Redline family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Malware Config
C2 Extraction:
http://185.156.72.96
https://t.me/sdgsdg23r23
https://t.me/w0d0lm
193.233.237.109:1912
193.124.205.63:4449
Unpacked files
SHA256 hash: 9ebfb0ed3d31f3f3340c4b121aaa4b9b32451ca46807965f25310361666f9b7b
MD5 hash: 1112c0d91931c86989dab2c7b64464b1
SHA1 hash: 11e633b800d68bc94532f29c37a61db88b90a933
SHA256 hash: 44af54acbbaf4a439180dbb65fc00a7ddddbd82a02ac32abcbf9fa00e4f2ab57
MD5 hash: a5cb1aa6836d3518689195ae02c1d9c7
SHA1 hash: 89ebd4f4c8c547bf5ce2ff0ccdcb796d813d9b55
Detections: Amadey
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: pe_detect_tls_callbacks
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File type: Executable exe
SHA256: 9ebfb0ed3d31f3f3340c4b121aaa4b9b32451ca46807965f25310361666f9b7b (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                   | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                    | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)  | high
CHECK_NX                  | Missing Non-Executable Memory Protection                | critical
