MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348
SHA3-384 hash: 14d91897015577bf3d9accbc4f8565e9fcb9de8912cd152ba682b012af69515da75ea02a1ecd3a1492a24eceb1ad7de1
SHA1 hash: 3f3616a608db4ecb16b4be0ebeefd0b1d1306089
MD5 hash: 2ca2c0ed0981b5779bc8e25103620275
humanhash: apart-high-johnny-london
File name:hm6K92m.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:1'273'856 bytes
First seen:2025-10-10 13:12:35 UTC
Last seen:2025-10-11 04:07:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:xzPrTwElP1mgbHJAxo+9aFI74NOs1q8itbfreCQuUBhuBOVKFwO:JPrTNNmgDMo+ICMh1/ir0LBhTt
Threatray 140 similar samples on MalwareBazaar
TLSH T13045234796D8D93BEE68373054F852830A36B8E0877687EF1644B2D85EA11D09C76B3F
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
5
# of downloads :
146
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
_dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348.exe
Verdict:
Malicious activity
Analysis date:
2025-10-10 13:34:25 UTC
Tags:
autoit lumma stealer stealc vidar attachments attc-unc
Link:
https://app.any.run/tasks/e6567754-93f2-4d17-a678-d8ab1d286400

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32295/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e90681f2ca2f143e4104e1
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Moving a file to the %temp% subdirectory
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm CAB installer lolbin microsoft_visual_cc packed rundll32 runonce
Link:
https://www.filescan.io/uploads/68e9067f4f3013c55e4989e3/reports/ab7c15cd-4ae2-4f9f-8981-678874f50882/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-10T09:48:00Z UTC
Last seen:
2025-10-11T07:38:00Z UTC
Hits:
~100
Detections:
VHO:Backdoor.Win32.Agent.gen Backdoor.Win32.Agent.mywxul Backdoor.Agent.UDP.C&C HEUR:Trojan.Script.AUO.gen
Link:
https://opentip.kaspersky.com/dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5ce91a57-d2c2-40ec-8127-13d5f731ee24
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1792947
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking volume information)
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1792947 Sample: hm6K92m.exe Startdate: 10/10/2025 Architecture: WINDOWS Score: 100 71 s.pa.andersonscrochet.com 2->71 73 telegram.me 2->73 75 PDjLqTxlhjvxWJg.PDjLqTxlhjvxWJg 2->75 87 Suricata IDS alerts for network traffic 2->87 89 Found malware configuration 2->89 91 Multi AV Scanner detection for submitted file 2->91 93 4 other signatures 2->93 11 hm6K92m.exe 1 8 2->11         started        13 rundll32.exe 2->13         started        signatures3 process4 process5 15 cmd.exe 4 11->15         started        19 attrib.exe 1 11->19         started        file6 57 C:\Users\user\AppData\Local\Temp\...\Core.scr, PE32+ 15->57 dropped 83 Detected CypherIt Packer 15->83 85 Drops PE files with a suspicious file extension 15->85 21 Core.scr 15->21         started        24 extrac32.exe 22 15->24         started        27 conhost.exe 15->27         started        33 4 other processes 15->33 29 MpCmdRun.exe 1 19->29         started        31 conhost.exe 19->31         started        signatures7 process8 file9 103 Hijacks the control flow in another process 21->103 105 Found evasive API chain (may stop execution after checking volume information) 21->105 107 Found API chain indicative of debugger detection 21->107 109 6 other signatures 21->109 35 Core.scr 16 21->35         started        55 C:\Users\user\AppData\Local\Temp\...\Royalty, DOS 24->55 dropped 39 conhost.exe 29->39         started        signatures10 process11 dnsIp12 77 s.pa.andersonscrochet.com 49.13.37.112, 443, 49691, 49692 HETZNER-ASDE Germany 35->77 79 telegram.me 149.154.167.99, 443, 49690 TELEGRAMRU United Kingdom 35->79 95 Tries to harvest and steal browser information (history, passwords, etc) 35->95 97 Writes to foreign memory regions 35->97 99 Allocates memory in foreign processes 35->99 101 3 other signatures 35->101 41 chrome.exe 1 35->41         started        44 chrome.exe 35->44         started        46 chrome.exe 35->46         started        signatures13 process14 dnsIp15 81 192.168.2.6, 138, 443, 49531 unknown unknown 41->81 48 chrome.exe 41->48         started        51 chrome.exe 44->51         started        53 chrome.exe 46->53         started        process16 dnsIp17 59 172.217.2.196, 443, 49711, 49712 GOOGLEUS United States 48->59 61 www.google.com 48->61 63 142.250.64.228, 443, 49721, 49722 GOOGLEUS United States 51->63 65 www.google.com 51->65 67 192.178.218.105, 443, 49729, 49730 GOOGLEUS United States 53->67 69 www.google.com 53->69
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX CAB:COMPRESSION:MSZIP Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/2ca2c0ed0981b5779bc8e25103620275
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-10-10 12:34:27 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
19 of 37 (51.35%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qv3wuwbkaayq4acxen7x4omjo2j2cu2vfsaufldewmssymaenea._file
Verdict:
malicious
Label(s):
lu0bot
Create hunting rule
Similar samples:
031ef892a7d21abea7b2885e4782119e4cce8da0f94f4b57616db82bee9c48a7
Vidar
1fedf5bffa0e08619643f6c90c358f3647cca8cb1fb7ecd86245b46b04918cdb
Vidar
44912e99d5e1e8047a846448083f09caa07a69962a460a16c1ecac9a7babf9a6
Vidar
49e86f8f81cc8dad354e988d8d8baf2f79d45d7f7c542785ce37409df92bee6c
Vidar
5bdd8544f2bedaca51866f001fd654e1ee23f5bd2861ddd629e56ff221d0baa5
Vidar
846aee828e4b5e52ca66aceabb50b4ea9a07b2b80e2440f6deebf66e20289a12
Vidar
b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872
Vidar
e01108a2c1db9807c3a7ca8fc19d3a900857c401995d8a00255556a8c895bf37
Vidar
error
Vidar
f1865f5bcb465ab20ce262b8313b50dcba98c503a406d2c88b7af6494a044b3e
Vidar
+ 130 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar defense_evasion discovery persistence stealer
Link:
https://tria.ge/reports/251010-qgclzscn6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Detects Vidar Stealer
Vidar
Vidar family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/302abc83-5648-4365-afad-cdb627263c73
Unpacked files
SH256 hash:
dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348
MD5 hash:
2ca2c0ed0981b5779bc8e25103620275
SHA1 hash:
3f3616a608db4ecb16b4be0ebeefd0b1d1306089
Link:
https://www.unpac.me/results/5af0e6d4-56ac-48fd-af04-20ed8f92b660/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc2bbb52c150/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe dc2bbb52c15001887002b91bfbf1cc4bb49d0a9aa9640a156325992961802348

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3667159/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/32295/

Comments