MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 14

Intelligence 14 IOCs YARA 21 File information Comments

SHA256 hash:	d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267
SHA3-384 hash:	359f7aeebaf03f7678e9de1fc9468909a9e771617bc9e4573f7d959858ff10409972cc72fa6739ec813dc73fdc8e8c7f
SHA1 hash:	b5f0df21d6780412f9e8bc23036445085f2a0254
MD5 hash:	1c2f04ab85e3e76e1d43a5039d8610db
humanhash:	colorado-washington-artist-burger
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	2'059'440 bytes
First seen:	2026-03-21 23:26:44 UTC
Last seen:	2026-03-22 00:45:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ebc247a77b4d4a804b261f97a1fd075c (42 x Vidar, 18 x Smoke Loader, 3 x Stealc)
ssdeep	24576:2T9eGXCtHpoVkdVgk8lpHyiiXosWIR3SUMKH0YZr1HXEXP56fB11rWtPdeMGBhj2:2T9eDHiVkdKkxiiXoOZH045HaarH2
Threatray	175 similar samples on MalwareBazaar
TLSH	T1FE95490BBC9418E6C46A97758CB712927B30BC090F3267D75E81BA782FB6BD06C75724
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 signed vidar

Code Signing Certificate

Organisation:	www.walmart.com
Issuer:	GlobalSign ECC OV SSL CA 2018
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-02-20T03:07:20Z
Valid to:	2027-03-24T03:07:19Z
Serial number:	61042bca6e50380db0043f1b
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	dbbf8162aa9f369a52b9fb80cabd110818362552af0fdaf8fa886aaf684e4bc2
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Bitsight

url: http://5.252.21.239/files/unique5/random.exe

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267.exe

Verdict:

Malicious activity

Analysis date:

2026-03-21 07:03:48 UTC

Tags:

evasion payload lumma stealer fingerprinting golang

Link:

https://app.any.run/tasks/4c9b3f26-f62b-493e-946b-83274017c7f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.22199154.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69be42d388c80c01586cb3d1

Tags:

injection cobalt obfusc overt

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Launching a service

Creating a file

Creating a process from a recently created file

Sending an HTTP GET request to an infection source

Sending an HTTP POST request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Connection attempt to an infection source

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan-PSW.Win64.StealC.kc

Link:

https://opentip.kaspersky.com/d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33cd81c3-f39c-4fa3-a6a9-e4dcaa64d32b

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2026-03-21 07:03:51 UTC

File Type:

PE+ (Exe)

AV detection:

15 of 36 (41.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2mpvbjbo7gtwffjc6gsjythbeiinj4mtwoglciugpqidr5u5yjtq._file

Verdict:

malicious

Label(s):

lummastealer

Vidar

92c6d578ed0d94deb77b93120f8fdba93eaf6e3265b563dbc4705519a6652587

Vidar

b54ee709bc4da31ddaf192d2441806014cb528a9239e7864ba965999b2b50987

Vidar

f6cb113054b196bd5250b9be6e197d7cec0a69c4f1bb0ed7914fcc2f576bcdc1

Vidar

f74fde9b0c775423a9b63813c0bb116213f2bc7b98d6bb1f813e0ba387a3c50e

Vidar

fb329c4f4383bacf3ee019290ca6be725aff66c4f56af16469c9d44f2716b341

Vidar

+ 165 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery stealer

Link:

https://tria.ge/reports/260321-3fjp5acw91/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://shitrba.click
https://egyptnf.click/xxx
https://familbg.club/help
https://genusne.click/caccc
https://mobbyyt.club/info
https://lumpeem.quest/main
https://thundut.biz/create
https://workltt.quest/owner
https://watchhr.biz/manifest

Unpacked files

SH256 hash:

d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267

MD5 hash:

1c2f04ab85e3e76e1d43a5039d8610db

SHA1 hash:

b5f0df21d6780412f9e8bc23036445085f2a0254

Link:

https://www.unpac.me/results/22282a98-1887-4a52-99db-38f3c7f16c8d/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d31f50a42ef9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d31f50a42ef9a7629522f1a49c4ce12210d4f193b38cb122867c1038f69dc267

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.