MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 12

Intelligence 12 IOCs YARA 15 File information Comments

SHA256 hash:	e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a
SHA3-384 hash:	5e8359d7931b0a877b64e60f3882cbdb97180730a87cdbaf34c0d33ecc9a02204a7ac3c831a6d0a96fa7e0afc74f7acb
SHA1 hash:	a5dce5ba533140bee012c63cd8cc315481c79e25
MD5 hash:	45cde213386b43f7a37c2690d6067daf
humanhash:	mike-september-cold-low
File name:	libwinpthread-1.dll
Download:	download sample
Signature	Vidar Create hunting rule
File size:	5'874'176 bytes
First seen:	2026-04-01 11:05:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f245dfc0f9742e967a052e9cf0e0e79f (1 x Vidar)
ssdeep	98304:sERq1vbU/NiFNDKxtUM7WpPQTU7DRoqCAq2tHSg6R+FapwtKJ3lO/P0U92Zx858G:sEs1vgNiFetFy5e1AxoREavJ1O/P0e5Z
TLSH	T17C46AF92B3C04DE5C1159674862F9332C2B2BC614B79C5CF1A66F70A9F3B7918E3AB14
TrID	70.9% (.EXE) InstallShield setup (43053/19/16) 10.7% (.EXE) Win64 Executable (generic) (6522/11/2) 8.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.3% (.EXE) OS/2 Executable (generic) (2029/13) 3.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Alex_sev
Tags:	Aotera dllHijack exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

vidar

ID:

File name:

libwinpthread-1.dll

Verdict:

Malicious activity

Analysis date:

2026-04-01 11:15:00 UTC

Tags:

vidar stealer telegram

Link:

https://app.any.run/tasks/608d822b-3e8a-492c-a452-16e08da3948e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/60044/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.43956794.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ccfbf93a18a6e1ddf04ca4

Tags:

malware

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Labled as:

Trojan_Win32_Wacatac_B_ml

Link:

https://www.hybrid-analysis.com/sample/e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a

Verdict:

Malicious

File Type:

dll x64

First seen:

2026-01-28T17:53:00Z UTC

Last seen:

2026-04-01T11:44:00Z UTC

Hits:

~1000

Detections:

Trojan.Win64.DLLhijack.chj Trojan.Win64.Agent.sba

Link:

https://opentip.kaspersky.com/e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/37f3cdf9-86ab-4ddf-ba5e-2c9c9c8780be

Score:

83%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/45cde213386b43f7a37c2690d6067daf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a/

Verdict:

Malicious

Threat:

Trojan.Win64.DLLhijack

Link:

https://tip.neiki.dev/file/e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a

Threat name:

Win64.Trojan.Aotera

Status:

Malicious

First seen:

2026-01-15 15:21:35 UTC

File Type:

PE+ (Dll)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4judetlz23xt6bbxb65qntrgvcz5w6ruxettdigflava72aakr5a._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:2a47ce4810764ca1230a2ba7197e75c8 stealer

Link:

https://tria.ge/reports/260401-m62evsby8q/

Behaviour

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Detects Vidar Stealer

Vidar

Vidar family

Malware Config

C2 Extraction:

https://t.me/xerkoper
https://telegram.me/v11kng
https://steamcommunity.com/profiles/76561198748625465

Unpacked files

SH256 hash:

e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a

MD5 hash:

45cde213386b43f7a37c2690d6067daf

SHA1 hash:

a5dce5ba533140bee012c63cd8cc315481c79e25

Link:

https://www.unpac.me/results/13b4d033-23be-40bb-b7ab-545cef439bff/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/60044/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample