MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960
SHA3-384 hash: 5ad9d9385aaa9560d5be53bbbba192fbaddbc7b242bd40e3962b1dc19352c5ac88488b38abd666c174faa6e561ac6d01
SHA1 hash: a3ad8b6eeac533ac09969b7a314c732ec8ad0102
MD5 hash: b060c498353e9f4b9612c017871de642
humanhash: river-mike-winner-don
File name:eNLe4nm.exe
Download: download sample
File size:225'792 bytes
First seen:2026-03-15 07:00:31 UTC
Last seen:2026-03-15 07:42:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (387 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 6144:8jDKWGupNPG5d2uKwQQj9314fbEu4AT1NavHkPEd:yPGupNPw2uFcjavHF
TLSH T1942413ECD2B8F4CEE4F3937D77A96D45FA102860F48391EA1D2189C2E9A9481FD43719
TrID 60.0% (.EXE) UPX compressed Win64 Executable (70117/5/12)
23.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
5.5% (.EXE) Win64 Executable (generic) (6522/11/2)
4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Skynet11
Tags:exe UPX vidar
File size (compressed) :225'792 bytes
File size (de-compressed) :657'408 bytes
Format:win64/pe
Unpacked file: dc8308cff8462c96f8a9b9cedaa4d0711d590a532df4ed1084dfc6c4769926e1

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
AU AU
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
Link:
https://research.acce.ciphertechsolutions.com/results/aeb47fb4-09a1-491d-ab30-b55c8314bbd4/
Malware family:
n/a
ID:
1
File name:
eNLe4nm.exe
Verdict:
Malicious activity
Analysis date:
2026-03-15 06:26:40 UTC
Tags:
stealer upx xor-url generic
Link:
https://app.any.run/tasks/84519c6b-cd79-4d85-a194-78c01130bc4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57505/
Detection(s):
SecuriteInfo.com.FileRepMalware.69816133.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b6512093b644ca466a3c0c
Tags:
ransomware obfuscated small
Gathering data
Verdict:
Malicious
Labled as:
Ulise.Generic
Link:
https://www.hybrid-analysis.com/sample/af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960
Result
Gathering data
Verdict:
Clean
File Type:
exe x64
Link:
https://opentip.kaspersky.com/af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6fe6c146-07e3-4576-8240-b71b5500cf55
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960/
Verdict:
Malicious
Threat:
Family.VIDAR
Link:
https://tip.neiki.dev/file/af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960
Threat name:
Win64.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2026-03-15 06:26:42 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 36 (52.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5cbybud6bzet4fju3uiv7z52whiy5mxmjfcognkku2gj6fkvfqa._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:4568597180ef773b45912528520889f8 stealer upx
Link:
https://tria.ge/reports/260315-htde2ses9z/
Behaviour
UPX packed file
Detects Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://telegram.me/mm8hyx
https://steamcommunity.com/profiles/76561198728266687
Unpacked files
SH256 hash:
af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960
MD5 hash:
b060c498353e9f4b9612c017871de642
SHA1 hash:
a3ad8b6eeac533ac09969b7a314c732ec8ad0102
Link:
https://www.unpac.me/results/0d367fe4-3414-4b2f-a76f-92ce7db2c7f8/
SH256 hash:
dc8308cff8462c96f8a9b9cedaa4d0711d590a532df4ed1084dfc6c4769926e1
MD5 hash:
0ffb10a129af3f1bd3463c4df23443db
SHA1 hash:
c25b3cf29cdcc3ee6c9fdb3f04fa2c354dfe645a
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
SUSP_XORed_Mozilla
Create hunting rule
Link:
https://www.unpac.me/results/0d367fe4-3414-4b2f-a76f-92ce7db2c7f8/
Parent samples :
af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960
dc8308cff8462c96f8a9b9cedaa4d0711d590a532df4ed1084dfc6c4769926e1
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af441c0683f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:suspicious_PEs
Create hunting rule
Author:txc
Description:This rule detected suspicious PE files, based on high entropy and low amount of imported DLLs. This behaviour indicates packed files or files, that hide their true intention.
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe af441c0683f07249f0a9a6e88aff3dd58e8c7597624a2719aa553464f8aaa960

(this sample)

Executable exe dc8308cff8462c96f8a9b9cedaa4d0711d590a532df4ed1084dfc6c4769926e1

  
URLhaus
https://urlhaus.abuse.ch/url/3794639/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57505/
  
Dropping
SHA256 dc8308cff8462c96f8a9b9cedaa4d0711d590a532df4ed1084dfc6c4769926e1
  
Dropping
MD5 0ffb10a129af3f1bd3463c4df23443db

Comments