MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1bfcb9d31c61a155596b3b4bdfddd7e1478d2ee91665a1ddb57ca0346f8fc2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 10 File information Comments

SHA256 hash:	c1bfcb9d31c61a155596b3b4bdfddd7e1478d2ee91665a1ddb57ca0346f8fc2f
SHA3-384 hash:	05e3672c4dcb08d68b3c625ea4221dd383cfc41b12d2531e5a1846cd9cb0db71b4ab1913b5f86becb33809156cebd468
SHA1 hash:	a7273002854e3f12c7375f383e0df1052e85bdcb
MD5 hash:	8ba521eb77cc270d70d9ade4f91c0775
humanhash:	spaghetti-coffee-timing-cola
File name:	SecuriteInfo.com.Win64.MalwareX-gen.93125741
Download:	download sample
Signature	Vidar Create hunting rule
File size:	403'456 bytes
First seen:	2025-08-17 08:23:34 UTC
Last seen:	2025-08-17 09:22:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9734d9835797d8b9d0342c1ca5c04bb0 (2 x Vidar)
ssdeep	6144:JJ8gf3w084loQZtqGMaO1AhjXuIEmt2GdZtpJyGB5VFdeF/LH4:/8kwgXGGJO16Du40orpEGFOF
TLSH	T1F284182587EB0A9AF413DC348413D727D7717E6683C0A26BE374DAAD2F22923956DF04
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

SecuriteInfo.com.Win64.MalwareX-gen.93125741

Verdict:

Malicious activity

Analysis date:

2025-08-17 08:25:34 UTC

Tags:

telegram vidar stealer stealc

Link:

https://app.any.run/tasks/5ee5ae88-ee90-46cd-9f9c-e8891a59a01b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/21764/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.93125741.UNOFFICIAL

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a191c68fd55a79c52843f5

Tags:

stealer emotet virus sage

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm base64 cmd crypto evasive fingerprint hacktool lolbin microsoft_visual_cc rundll32 stealer

Link:

https://www.filescan.io/uploads/68a191c1a4bdac9f5b9a43d0/reports/0c83c2f0-f827-4ec9-b6ea-6c25cbe6d480/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/c1bfcb9d31c61a155596b3b4bdfddd7e1478d2ee91665a1ddb57ca0346f8fc2f

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aa394ba3-814d-431d-a57e-8304f32d6a63

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c1bfcb9d31c61a155596b3b4bdfddd7e1478d2ee91665a1ddb57ca0346f8fc2f

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/8ba521eb77cc270d70d9ade4f91c0775

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1bfcb9d31c61a155596b3b4bdfddd7e1478d2ee91665a1ddb57ca0346f8fc2f/

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-08-17 07:48:36 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yg74xhjryynbkvmwwo2l37o5pykhruxosftfuho3k7fagrxy7qxq._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar credential_access defense_evasion discovery spyware stealer

Link:

https://tria.ge/reports/250817-kazkaatwey/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Verdict:

Suspicious

Tags:

stealer vidar Stealc

YARA:

EXE_Vidar_May_2024

Link:

https://app.threat.zone/submission/30ce556d-845e-4e42-bfd0-c7f0c2db035c

Unpacked files

SH256 hash:

c1bfcb9d31c61a155596b3b4bdfddd7e1478d2ee91665a1ddb57ca0346f8fc2f

MD5 hash:

8ba521eb77cc270d70d9ade4f91c0775

SHA1 hash:

a7273002854e3f12c7375f383e0df1052e85bdcb

Link:

https://www.unpac.me/results/42f81dd5-63cc-42e7-ab0d-1869b5b0cdd1/

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c1bfcb9d31c6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c1bfcb9d31c61a155596b3b4bdfddd7e1478d2ee91665a1ddb57ca0346f8fc2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	gcleaner Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked gcleaner stealer malware samples.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Vidar_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21764/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (NX_COMPAT)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CreateStreamOnHGlobal
DP_API	Uses DP API	CRYPT32.dll::CryptUnprotectData
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteExA SHELL32.dll::SHFileOperationA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateRemoteThread KERNEL32.dll::CreateProcessA KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::VirtualAllocEx KERNEL32.dll::WriteProcessMemory
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeA KERNEL32.dll::GetVolumeInformationA KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WinExec KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::GetWindowsDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameA ADVAPI32.dll::GetUserNameA
WIN_BCRYPT_API	Can Encrypt Files	bcrypt.dll::BCryptDecrypt bcrypt.dll::BCryptDestroyKey bcrypt.dll::BCryptGenerateSymmetricKey bcrypt.dll::BCryptOpenAlgorithmProvider bcrypt.dll::BCryptSetProperty bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_CRYPT_API	Uses Windows Crypt API	CRYPT32.dll::CryptBinaryToStringA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegGetValueA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::CloseDesktop

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample