MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3d79adeb8632b2251a4af1cc344c879a5671efa2e22bc2e25eb82615ff56f10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 3

SHA256 hash: e3d79adeb8632b2251a4af1cc344c879a5671efa2e22bc2e25eb82615ff56f10
SHA3-384 hash: 02599679efdb4498659dd63bb42eb7a07ed88727432c15089d42333d4d1ece2c718143b1c411b0c94e5a4617bd8aeb41
SHA1 hash: 2f0ae096b97ce311eb31829d6927072760fad876
MD5 hash: 41630eca4e70628210c64d2015bb5be9
humanhash: ohio-kentucky-red-wisconsin
File name: amd_ags_x64.dll
Signature: Vidar
File size: 107'520 bytes
First seen: 2025-11-22 14:11:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1c1a10a1396dbcbaebcbf840a6c50361 (1 x Vidar, 1 x Arechclient2)
ssdeep: 3072:SgGChyNQF5B4HLifpMJgTJRMpGGUyZq5VDf0XYfre:SgxyNNrudTUNUCq5VDfbr
TLSH: T1D0B36B47B7A400BBE0B793388AA39A16D77278521731ABDF465441AA1F377D14E3CB32
TrID:
44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: aachum
Tags: dll groveri-eu HIjackLoader IDATLoader vidar


iamaachum
https://redic.dreambalm.com/kms/ => https://download.expressqoute.com/Installer_wtb_X64_x86_2025.zip

Vidar Campaign ID: ead1cf
Vidar Build ID: 7d8d7a1960b59e0eb01f2f69ebc5fa58
Vidar C2: 95.216.180.226

Intelligence


File Origin
# of uploads: 1
# of downloads: 107
Origin country: ES

Vendor Threat Intelligence
No detections

Malware family: n/a
ID: 1
File name: amd_ags_x64.dll
Verdict: No threats detected
Analysis date: 2025-11-22 14:13:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)

Verdict: Clean
File Type: dll x64
First seen: 2025-11-22T02:48:00Z UTC
Last seen: 2025-11-23T13:54:00Z UTC
Hits: ~10
Malware family: AMD Technologies Inc.
Verdict: Unknown

Result
Threat name: n/a
Detection: clean
Classification: n/a
Score: 3 / 100
Behaviour
Behavior Graph: n/a
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Unpacked files
SHA256 hash: e3d79adeb8632b2251a4af1cc344c879a5671efa2e22bc2e25eb82615ff56f10
MD5 hash: 41630eca4e70628210c64d2015bb5be9
SHA1 hash: 2f0ae096b97ce311eb31829d6927072760fad876

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: APT_Lazarus_Loader_Dec_2020_1
Author: Arkbird_SOLG
Description: Detect loader used by Lazarus group in december 2020
Reference: Internal Research

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File type: Executable exe
SHA256 hash: e3d79adeb8632b2251a4af1cc344c879a5671efa2e22bc2e25eb82615ff56f10 (this sample)

Comments