MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 17 File information Comments

SHA256 hash:	b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2
SHA3-384 hash:	e5806d92cb864d360d08376c3720217b089f5a7cb629b17b0a708e20eb69571f603dbf688119ad84e8b6a86bd537cc73
SHA1 hash:	82957cc6ee2230073765125db786d6376d0974f9
MD5 hash:	31cae31577ae0648eba8c79a84cace9c
humanhash:	emma-nine-chicken-emma
File name:	file
Download:	download sample
File size:	217'088 bytes
First seen:	2026-02-22 00:35:02 UTC
Last seen:	2026-02-22 01:22:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ee53c10aff1d01eafea53328179e33a2 (25 x Vidar, 1 x XenoRAT, 1 x Smoke Loader)
ssdeep	3072:EX7TDNLfd0IuGsNgUIlcLds5GQ/cnb7Ukd93ApqAamXlrKpxSI9mTTs7YpM1SKt5:u71x02XrkdsEQ/EPld5AgBuWp+QYpOt
TLSH	T17D24236ADB531E23FC6701741929F705F553686A2F7E472738346B8962ECD8ACB483B0
TrID	60.0% (.EXE) UPX compressed Win64 Executable (70117/5/12) 23.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 5.5% (.EXE) Win64 Executable (generic) (6522/11/2) 4.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 UPX

Bitsight

url: http://130.12.180.43/files/gop/random.exe

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	217'088 bytes
File size (de-compressed) :	615'424 bytes
Format:	win64/pe
Unpacked file:	72cf8ed16f27a07225e88c4871a7e9cda0b089c086e3a84e40cda6704cabedb2

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PEPacker Vidar

Details

PEPacker

a UPX version number and an unpacked binary

Vidar

c2 urls, useragents, c2 handshake magic parameters, a version, and a missionid

Link:

https://research.acce.ciphertechsolutions.com/results/d469b640-f93d-41fa-8025-9ead6daaf47c/

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2026-02-22 00:36:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f2375066-a484-4483-8af2-8ce071e32afb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/54024/

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699a4f4bc950ab5d9ab036ab

Tags:

ransomware obfuscated small

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug fingerprint obfuscated packed packed packed upx vidar zusy

Link:

https://www.filescan.io/uploads/699a4f4810e80629d4ecce3e/reports/1612b7ff-755b-4d5f-92dc-f4d79e514ce3/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2

Result

Gathering data

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a67b9373-f0c6-43d7-aad6-c34141ca8e3d

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/31cae31577ae0648eba8c79a84cace9c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2

Threat name:

Win64.Infostealer.Tinba

Status:

Malicious

First seen:

2026-02-22 00:35:23 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=woclucwttqe77zlexishv3zsepll6ugkh7eseao3j3lhvufbutja._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar collection discovery spyware stealer upx

Link:

https://tria.ge/reports/260222-axhj6say5f/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Time Discovery

UPX packed file

Accesses Microsoft Outlook profiles

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Detects Vidar Stealer

Vidar

Vidar family

Unpacked files

SH256 hash:

b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2

MD5 hash:

31cae31577ae0648eba8c79a84cace9c

SHA1 hash:

82957cc6ee2230073765125db786d6376d0974f9

Link:

https://www.unpac.me/results/05e26a7f-ad16-4207-a6ba-745c38ac0a69/

SH256 hash:

72cf8ed16f27a07225e88c4871a7e9cda0b089c086e3a84e40cda6704cabedb2

MD5 hash:

e2d7f12b53c2018279872b478a1801f3

SHA1 hash:

09b622c95ab36cee278d0ca181eb6c2b80df9287

Detections:

SUSP_XORed_URL_In_EXE

SUSP_XORed_Mozilla

Link:

https://www.unpac.me/results/05e26a7f-ad16-4207-a6ba-745c38ac0a69/

Parent samples :

b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2
72cf8ed16f27a07225e88c4871a7e9cda0b089c086e3a84e40cda6704cabedb2

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b384ba0ad39c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe b384ba0ad39c09ffe564ba247aef3223d6bf50ca3fc92201db4ed67ad0a1a4d2

(this sample)

exe 72cf8ed16f27a07225e88c4871a7e9cda0b089c086e3a84e40cda6704cabedb2

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/54024/

URLhaus

https://urlhaus.abuse.ch/url/3782523/

Dropping

SHA256 72cf8ed16f27a07225e88c4871a7e9cda0b089c086e3a84e40cda6704cabedb2

Dropping

MD5 e2d7f12b53c2018279872b478a1801f3

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample