MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077
SHA3-384 hash: d9851268cb54561880458d6d460cde8a102ae13b722013bc9afaba056afe02e936173195e17d3b9d708d934dca42e7c5
SHA1 hash: d6d725ec44a818841f84069123785291c4b7ccd1
MD5 hash: 9048722b3619d93180d5b39e7fade577
humanhash: neptune-equal-minnesota-mississippi
File name:VisualCode.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:1'160'704 bytes
First seen:2025-04-27 23:43:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 130d5621ef2323889c6e1ed2746329fe (22 x LummaStealer, 4 x Vidar, 2 x LockBit)
ssdeep 12288:4DWOW9ap2T07ZoCb5OlkmH5P2GMSr7CyzKQqPKqbCqu6Bhyia1k0lh3Il8fRkZEL:H8pYtCK2GWdKE00oRk+tpnCJ
Threatray 17 similar samples on MalwareBazaar
TLSH T19635CF18AC7990D9FCE301F17B699221B4337D3BCE382A6B90E8F7111546DDD193A26B
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter skocherhan
Tags:exe vidar


Avatar
skocherhan
http://94.26.90.80/VisualCode.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
471
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
2025-04-27_579fcb73ae9a6e7fcce192fd33b83504_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer
Verdict:
Malicious activity
Analysis date:
2025-04-27 21:15:21 UTC
Tags:
auto-sch loader amadey botnet stealer rdp auto-reg lumma credentialflusher telegram themida putty rmm-tool phishing
Link:
https://app.any.run/tasks/11ac1d61-4fe3-4b26-8162-ebd8b1503278

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4497/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680ec25bc8b2e86d0ac373a5
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/680ec14dc502e7176af96d13/reports/56f8e2a2-5078-406e-8fbb-04fa0294ed05/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/176febd1-1776-4549-bd99-2dd68b2a3928
Result
Threat name:
AsyncRAT, LummaC Stealer, Njrat, Quasar,
Create hunting rule
Detection:
malicious
Classification:
spre.phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1675723
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Creates multiple autostart registry keys
Disables the Windows task manager (taskmgr)
Disables zone checking for all users
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected LummaC Stealer
Yara detected Njrat
Yara detected Quasar RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1675723 Sample: VisualCode.exe Startdate: 28/04/2025 Architecture: WINDOWS Score: 100 97 itsrevolutionmagnus.xyz 2->97 99 parakehjet.run 2->99 101 10 other IPs or domains 2->101 155 Suricata IDS alerts for network traffic 2->155 157 Found malware configuration 2->157 159 Malicious sample detected (through community Yara rule) 2->159 163 21 other signatures 2->163 10 VisualCode.exe 2->10         started        13 msedge.exe 106 639 2->13         started        16 Client.exe 2->16         started        signatures3 161 Performs DNS queries to domains with low reputation 97->161 process4 dnsIp5 177 Writes to foreign memory regions 10->177 179 Allocates memory in foreign processes 10->179 181 Injects a PE file into a foreign processes 10->181 18 MSBuild.exe 43 10->18         started        23 MSBuild.exe 10->23         started        129 192.168.2.16 unknown unknown 13->129 131 239.255.255.250 unknown Reserved 13->131 25 msedge.exe 13->25         started        27 msedge.exe 13->27         started        29 msedge.exe 13->29         started        signatures6 process7 dnsIp8 103 94.26.90.81, 49826, 80 ASDETUKhttpwwwheficedcomGB Bulgaria 18->103 105 t.me 149.154.167.99, 443, 49681 TELEGRAMRU United Kingdom 18->105 111 3 other IPs or domains 18->111 61 C:\Users\user\AppData\Local\...\Server[1].exe, PE32 18->61 dropped 63 C:\Users\user\AppData\Local\...\srv1[1].exe, PE32 18->63 dropped 65 C:\Users\user\AppData\...\LiseJackes[1].exe, PE32+ 18->65 dropped 67 11 other malicious files 18->67 dropped 165 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->165 167 Found many strings related to Crypto-Wallets (likely being stolen) 18->167 169 Tries to harvest and steal ftp login credentials 18->169 175 3 other signatures 18->175 31 ppp8q1ny58.exe 18->31         started        35 47q16x47gl.exe 18->35         started        37 2dba1dbsrq.exe 18->37         started        39 5 other processes 18->39 171 Attempt to bypass Chrome Application-Bound Encryption 23->171 173 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->173 107 sb.scorecardresearch.com 18.164.174.119, 443, 49754 MIT-GATEWAYSUS United States 25->107 109 18.164.174.120, 443, 49782 MIT-GATEWAYSUS United States 25->109 113 31 other IPs or domains 25->113 file9 signatures10 process11 dnsIp12 87 C:\Users\user\AppData\Local\Temp\server.exe, PE32 31->87 dropped 133 Antivirus detection for dropped file 31->133 42 server.exe 31->42         started        89 C:\Users\user\AppData\...89vidiaDriver.exe, PE32 35->89 dropped 135 Multi AV Scanner detection for dropped file 35->135 137 Query firmware table information (likely to detect VMs) 35->137 139 Creates multiple autostart registry keys 35->139 46 NvidiaDriver.exe 35->46         started        91 C:\Users\user\...\dZuokFdbWK363K9k.exe, PE32 37->91 dropped 141 Hides threads from debuggers 37->141 143 Tries to detect sandboxes / dynamic malware analysis system (registry check) 37->143 145 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 37->145 48 dZuokFdbWK363K9k.exe 37->48         started        127 192.168.2.7, 443, 49672, 49681 unknown unknown 39->127 93 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 39->93 dropped 95 C:\Users\user\AppData\Local\...\Dllhost.exe, PE32 39->95 dropped 147 Monitors registry run keys for changes 39->147 149 Uses schtasks.exe or at.exe to add and modify task schedules 39->149 151 Writes to foreign memory regions 39->151 153 3 other signatures 39->153 50 MSBuild.exe 39->50         started        53 Dllhost.exe 39->53         started        55 Client.exe 39->55         started        57 3 other processes 39->57 file13 signatures14 process15 dnsIp16 69 C:\system.exe, PE32 42->69 dropped 71 C:\Windows\SysWOW64xplower.exe, PE32 42->71 dropped 73 C:\Users\user\Favoritesxplower.exe, PE32 42->73 dropped 83 13 other malicious files 42->83 dropped 183 Drops PE files to the document folder of the user 42->183 185 Creates autorun.inf (USB autostart) 42->185 203 2 other signatures 42->203 85 2 other malicious files 46->85 dropped 187 Multi AV Scanner detection for dropped file 46->187 189 Query firmware table information (likely to detect VMs) 46->189 191 Tries to detect sandboxes and other dynamic analysis tools (window names) 46->191 193 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 46->193 75 C:\Users\user\...\IY9iFMj8d6O9URLx.exe, PE32 48->75 dropped 77 C:\Users\user\...\8ihDswYuI4GmYSqm.exe, PE32+ 48->77 dropped 79 C:\Users\user\AppData\...\LiseJackes[1].exe, PE32+ 48->79 dropped 195 Creates multiple autostart registry keys 48->195 205 2 other signatures 48->205 115 parakehjet.run 104.21.27.182, 443, 49824 CLOUDFLARENETUS United States 50->115 117 geographys.run 104.21.45.83 CLOUDFLARENETUS United States 50->117 207 4 other signatures 50->207 81 C:\Users\user\AppData\...\Java update.exe, PE32 53->81 dropped 197 System process connects to network (likely due to code injection or exploit) 53->197 199 Disables zone checking for all users 53->199 119 ipwho.is 108.181.47.111 ASN852CA Canada 55->119 201 Hides that the sample has been downloaded from the Internet (zone.identifier) 55->201 121 www.google.com 142.250.189.4, 443, 49702, 49705 GOOGLEUS United States 57->121 123 ogads-pa.clients6.google.com 142.250.72.138, 443, 49714, 49717 GOOGLEUS United States 57->123 125 3 other IPs or domains 57->125 59 conhost.exe 57->59         started        file17 signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077/
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-04-27 23:44:12 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rarqqodufyu7orvufjv3bldq2nw5q74ds4hvh2w2blwk6sumb3q._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
4c377ecfd2691611a47625a00b6f2c5347e8c6c30aaf04def1127d1d089d8103
Vidar
678f39d37a3785a27e913605aa6894485ae938d4b6196fdacbb98a76c9b4f159
Vidar
79f5e3499e834f2d096a2c765548c3285ca9b3c0765c618efbe5d14f110f7db5
Vidar
a7b371eda0aae2bfd49e552d0abf4c70304569b585f11f09908f7abb12834969
Vidar
b00c6b6d53f4fd4bcc9664d11b0f610f1df4b79ddb0d52fc70a5e282d74dff7b
Vidar
c5bfaddfb2cb99e2935940e5783fc49c6baa8db5bdf4f2e32c7df8d044ef9711
Vidar
dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077
Vidar
error
Vidar
fe70369d4b479537bb85b333bdb2d56566d6dfb9320c566b25ac6faa904fc317
Vidar
+ 7 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:njrat family:quasar family:vidar botnet:76088f739befbfe4e604d19ff037a628 botnet:hacked botnet:office04 credential_access defense_evasion discovery persistence privilege_escalation spyware stealer themida trojan
Link:
https://tria.ge/reports/250427-3q8r1atygw/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Themida packer
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Modifies Windows Firewall
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://t.me/v00rd
https://steamcommunity.com/profiles/76561199846773220
https://parakehjet.run/kewk
https://geographys.run/eirq
https://woodpeckersd.run/glsk
https://tropiscbs.live/iuwxx
https://buzzarddf.live/ktnt
https://biosphxere.digital/tqoa
94.26.90.81:6666
94.26.90.81:4782
hakim32.ddns.net:2000
94.26.90.81:5552
Verdict:
Suspicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/4e1b3aed-ede9-4aa2-aa5e-9b3db6cf4464
Unpacked files
SH256 hash:
dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077
MD5 hash:
9048722b3619d93180d5b39e7fade577
SHA1 hash:
d6d725ec44a818841f84069123785291c4b7ccd1
Link:
https://www.unpac.me/results/773bd0ec-3dec-4bb1-b97c-d0de7506cc40/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc411841c3a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

537c7745b391547f12a91a380b580afb

Vidar

Executable exe dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077

(this sample)

  
Dropped by
MD5 537c7745b391547f12a91a380b580afb
Cape
Cape
https://www.capesandbox.com/analysis/4497/
  
URLhaus
https://urlhaus.abuse.ch/url/3527463/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments