MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c
SHA3-384 hash: 33591f5b97340bfe29b009a95c874fc81ff6272e80ccfde35a0e812ef5755495c3c996839b328d12177643c65aece51e
SHA1 hash: b684a933e37c6b2ef7480f9694358099696592d1
MD5 hash: 2dc91ce08e75b9fe138ec21e9abbaf4d
humanhash: vermont-two-moon-purple
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:2'372'096 bytes
First seen:2025-10-20 04:02:54 UTC
Last seen:2025-10-20 04:03:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:c7s27YOaQwbxuJnjdIxFl+HheIfl5LXagrFnlPZC/aSYm:c7s27YO7nwkheIffXdrhFZMaS
TLSH T119B5332C3449FD0CF7C5F2382C91D5F856B857D50A911E4B98A271763AEBBA9820DF8C
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe vidar


Avatar
Bitsight
url: http://178.16.55.189/vidar/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-10-20 04:12:53 UTC
Tags:
stealer stealc vidar xor-url generic themida
Link:
https://app.any.run/tasks/7e93a7c8-1c3e-429d-b7c4-fe57205654a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33361/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f5b4a26dc4a08515e35754
Tags:
cobalt spawn small
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Behavior that indicates a threat
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/68f5b49e11ff3db29f64253b/reports/e0e2e3c2-b188-4f03-9bba-1ec4126c8a9e/overview
Verdict:
Malicious
Labled as:
Trojan[Backdoor]/MSIL.Bladabindi
Link:
https://www.hybrid-analysis.com/sample/a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-20T01:25:00Z UTC
Last seen:
2025-10-20T20:29:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.MSIL.Bladabindi.vho HEUR:Trojan-Spy.Win64.Agent.gen
Link:
https://opentip.kaspersky.com/a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f4192ee7-e60a-4471-a2d5-52bdc93edcd6
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/2dc91ce08e75b9fe138ec21e9abbaf4d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c
Threat name:
Win64.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2025-10-20 04:04:32 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uurt6o2742pur3yia3jigmblj7itdzpsvp4ek4ql5aiu7jm4lrwa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/251020-emn2es1rcw/
Behaviour
Checks BIOS information in registry
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4c9fadb8-dbba-4fd0-8776-d41e5bf30992
Unpacked files
SH256 hash:
a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c
MD5 hash:
2dc91ce08e75b9fe138ec21e9abbaf4d
SHA1 hash:
b684a933e37c6b2ef7480f9694358099696592d1
Link:
https://www.unpac.me/results/f84be8c0-9ab2-48c3-8559-c362f829120f/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5233f3b5fe6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe a5233f3b5fe69f48ef0806d283302b4fd131e5f2abf845720be8114fa59c5c6c

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/33361/
  
URLhaus
https://urlhaus.abuse.ch/url/3630972/

Comments