MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 16

Intelligence 16 IOCs YARA 21 File information Comments

SHA256 hash:	ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660
SHA3-384 hash:	e3fb2db9a4bcb41afbad26c85d675dc14e1954b468032588ae178927b0630186dc10823bea0b273ffd53b2e331751cd6
SHA1 hash:	ae75b7b03d865907a4569db0b556c07e53eaeed0
MD5 hash:	8c2d167472767a7cdb62df96f4b20bcc
humanhash:	harry-alpha-king-pasta
File name:	file.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	5'223'936 bytes
First seen:	2025-11-14 07:20:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (92 x Rhadamanthys, 62 x Vidar, 41 x LummaStealer)
ssdeep	49152:6+Me9hEivzvJm2z7G7bAM64YmIY4OiZrq1DfP+rsNADtV6v+L0uSwiPSCmDS+5uy:6KE0SYmP4OiZrq1DfPHNADtV6v+LC0
Threatray	147 similar samples on MalwareBazaar
TLSH	T1A136AE177EE9496AE05DE231CCF356A666367C48673173F32A203E3A2E327C10975B25
TrID	37.3% (.EXE) Win64 Executable (generic) (10522/11/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	de-pumped exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

_ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660.exe

Verdict:

Malicious activity

Analysis date:

2025-11-14 07:22:00 UTC

Tags:

xor-url golang generic stealer stealc vidar

Link:

https://app.any.run/tasks/c200b59c-c519-48f9-ab0d-fe93628723fc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38174/

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6916d877434cd67b17c1257d

Tags:

dridex emotet cobalt

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-vm golang installer-heuristic packed

Link:

https://www.filescan.io/uploads/6916d87257cbae4ee07a4301/reports/b5c9f80a-5ba2-4b92-9325-9979b85e3931/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-14T04:31:00Z UTC

Last seen:

2025-11-16T01:59:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Agent.smewfx Trojan.Win64.Agent.sb PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/82004b66-4b0d-4858-a968-e37cbd85b0c6

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad.mine

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1813995

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Found malware configuration

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Tries to detect virtualization through RDTSC time measurements

Unusual module load detection (module proxying)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

64%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/8c2d167472767a7cdb62df96f4b20bcc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660

Threat name:

Win64.Spyware.Vidar

Status:

Malicious

First seen:

2025-11-14 07:21:26 UTC

File Type:

PE+ (Exe)

Extracted files:

820

AV detection:

15 of 24 (62.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xkeszajcvzeab5w3eq33d52fhhdxhahyr3nuxifvsidhx27kszqa._file

Verdict:

malicious

Label(s):

vidar

Vidar

6c1b9a617711d02a3a3170c5805f71a386dec8de1be6717cda81769d6aa97e18

Vidar

8079dce90f0b031b991d22dbf2a932695362c8ce2b906d4cfeb0dd1e2e71aa14

Vidar

96a1a409c6c327c77baf62132e237409c6b8363030148f4cea0b68cb303f3431

Vidar

ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660

Vidar

c3b5eea41fef74df5e90f71007896efb51cad01ac718fd31334eaebaa1802b57

Vidar

dbff3a58feff4ea4a536ab565a04c68928443c2e83f5df45e6f5d47fae1ed7de

Vidar

error

Vidar

fc1ef6b3e54b674a094befeac22c4ae6b4e1d45b737346d05e36a56682aa0a5a

Vidar

+ 137 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:c9eb78c271de2b3ea46a51b7571e222c campaign:tkt1kr discovery spyware stealer

Link:

https://tria.ge/reports/251114-h6vj4awqav/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Drops file in Windows directory

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Detects Vidar Stealer

Vidar

Vidar family

Malware Config

C2 Extraction:

https://telegram.me/tkt1kr

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c4f7dc7d-f7ae-45e4-85d4-22e87f0db131

Unpacked files

SH256 hash:

ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660

MD5 hash:

8c2d167472767a7cdb62df96f4b20bcc

SHA1 hash:

ae75b7b03d865907a4569db0b556c07e53eaeed0

Link:

https://www.unpac.me/results/7c9401b2-1554-41d1-926a-a9caf9d79bae/

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ba892c8122ae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/ba892c8122ae4800f6db2437b1f74539c77380f88edb4ba0b592067bebea9660

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834