MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd
SHA3-384 hash: 944c6aad16495ac52788fed3224de3c885e6ec88cbb0a3bd494980c32de814b7ff2fbc73255784f979720a5d55fca480
SHA1 hash: 7feebbed52f4b5c45ddadeaf0f803eef86586ec4
MD5 hash: 1af5b4fa8674e6d8b179303e8dd2533a
humanhash: kansas-bulldog-wolfram-fillet
File name:WZOVINHP.msi
Download: download sample
Signature Vidar
Create hunting rule
File size:8'175'616 bytes
First seen:2026-01-29 14:41:17 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:ZJLvsAKp4mfLUn5FkbYlBChtF/3wArHmcB1WhrFAEXuQy:/4Tp4mj+kbYYF/fLmcB1WH7y
TLSH T1BD86331079849B7DC7E2B83D419BC6E3DA898E36D35166671B20F5E56B333E0402D2EB
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:ClickFix FakeCaptcha HIjackLoader msi vidar


Avatar
iamaachum
https://pub-50a54badab6f4f408cd8e6c0a3dbfa4f.r2.dev/WZOVINHP.msi

Vidar C2:
https://telegram.me/n1ds03
https://bek.beznervov.com/

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
HijackLoader MSI
Details
HijackLoader
download url(s) and a decryption key
HijackLoader
an XOR key and XOR-decrypted/LZNT1 decompressed component
HijackLoader
embedded components, an injection process, and filepaths
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/61969181-5e4e-4128-b1bd-ba98573a1e41/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50667/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697b719ebec9764f452fdb70
Tags:
n/a
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
expired-cert installer installer wix
Link:
https://www.filescan.io/uploads/697b7199930564ff3c7c51c7/reports/359c9165-5b6d-4d16-8472-03dc549cce39/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
Detections:
Trojan.Win32.Penguish.sb Trojan.Win32.Strab.sb
Link:
https://opentip.kaspersky.com/a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd/results?tab=lookup
Result
Threat name:
HijackLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1859808
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected HijackLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1859808 Sample: WZOVINHP.msi Startdate: 29/01/2026 Architecture: WINDOWS Score: 100 58 bek.beznervov.com 2->58 60 www.google.com 2->60 62 telegram.me 2->62 82 Suricata IDS alerts for network traffic 2->82 84 Found malware configuration 2->84 86 Antivirus detection for URL or domain 2->86 88 8 other signatures 2->88 11 msiexec.exe 90 50 2->11         started        14 msiexec.exe 3 2->14         started        signatures3 process4 file5 50 C:\Users\user\AppData\Roaming\...\quazip.dll, PE32 11->50 dropped 52 C:\Users\user\AppData\...\openvr_api.dll, PE32 11->52 dropped 54 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32 11->54 dropped 56 11 other malicious files 11->56 dropped 16 Pix_C.exe 17 11->16         started        process6 file7 38 C:\ProgramData\dev_wizard\quazip.dll, PE32 16->38 dropped 40 C:\ProgramData\dev_wizard\openvr_api.dll, PE32 16->40 dropped 42 C:\ProgramData\dev_wizard\VCRUNTIME140.dll, PE32 16->42 dropped 44 11 other files (7 malicious) 16->44 dropped 76 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->76 78 Switches to a custom stack to bypass stack traces 16->78 80 Found direct / indirect Syscall (likely to bypass EDR) 16->80 20 Pix_C.exe 4 16->20         started        signatures8 process9 file10 46 C:\Users\user\AppData\...\BlizzardError.exe, PE32+ 20->46 dropped 48 C:\Users\user\AppData\Local\...\PortalM.exe, PE32+ 20->48 dropped 90 Maps a DLL or memory area into another process 20->90 92 Switches to a custom stack to bypass stack traces 20->92 94 Found direct / indirect Syscall (likely to bypass EDR) 20->94 24 PortalM.exe 17 20->24         started        28 BlizzardError.exe 20->28         started        signatures11 process12 dnsIp13 70 bek.beznervov.com 172.67.216.194, 443, 49696, 49697 CLOUDFLARENETUS United States 24->70 72 telegram.me 149.154.167.99, 443, 49695 TELEGRAMRU United Kingdom 24->72 96 Tries to harvest and steal browser information (history, passwords, etc) 24->96 98 Writes to foreign memory regions 24->98 100 Allocates memory in foreign processes 24->100 102 5 other signatures 24->102 30 chrome.exe 3 24->30         started        33 conhost.exe 24->33         started        signatures14 process15 dnsIp16 74 192.168.2.5, 138, 443, 49675 unknown unknown 30->74 35 chrome.exe 30->35         started        process17 dnsIp18 64 www.google.com 142.250.64.164, 443, 49715, 49716 GOOGLEUS United States 35->64 66 ogads-pa.clients6.google.com 172.217.165.202, 443, 49730, 49733 GOOGLEUS United States 35->66 68 3 other IPs or domains 35->68
Score:
3%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd
Threat name:
Win32.Trojan.Hijackloader
Create hunting rule
Status:
Malicious
First seen:
2026-01-29 14:42:31 UTC
File Type:
Binary (Archive)
Extracted files:
31
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=upf3toyrqw4ctiptg4djjmghtoyic6yw76fqhuqlimma5gx5udoq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
error
Vidar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery loader persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/260129-r2nqescy3f/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a3cbb9bb1185/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

PowerShell (PS) ps1 729e593c24f402e38408308ff4f3dac564c9d159788d39941680048b84b35ec0

Vidar

PowerShell (PS) ps1 0339ad1f789bdb26f6f4e42cc3a64acd97b5984df504a2c4a2eb219d8896a1c6

Vidar

Microsoft Software Installer (MSI) msi a3cbb9bb1185b829a1f3370694b0c79bb0817b16ff8b03d20b43180e9afda0dd

(this sample)

  
Link
https://tria.ge/260129-rwm7psct3b/behavioral1
  
Dropped by
SHA256 0339ad1f789bdb26f6f4e42cc3a64acd97b5984df504a2c4a2eb219d8896a1c6
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/50667/
  
Dropped by
MD5 26585d954a1eed818fc4965be207ccb6

Comments