MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 12


Intelligence 12 IOCs YARA 29 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4
SHA3-384 hash: a66f772398fba0e700481103dffedca5d25fd7cf93ba2517b4a0407540d23a3a3a5a4a1c55f402cba3ad8adf6a723080
SHA1 hash: 254f5b36de365fd7df1f60591be3cd181bd4fbe1
MD5 hash: 920bf08e1eedbbda60ad3050c5885ae8
humanhash: princess-fix-victor-uncle
File name:msedge_elf.dll
Download: download sample
Signature Vidar
Create hunting rule
File size:9'077'256 bytes
First seen:2025-12-12 17:19:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0951d9f67c9a9e1b6ea746ed01bccc26 (22 x Vidar, 18 x Rhadamanthys, 1 x AmateraStealer)
ssdeep 49152:83hHKeK+CK5EWC1n+fZz1Ntmo0C2CdClNVO+/5dDgnIpFFy726NEJX9Yqh7gdq/J:8pKmHMDg+FFy726NOCd3lgB69c
Threatray 146 similar samples on MalwareBazaar
TLSH T18D967D939DA04A6DD5AFF239ACB1A24173307C44433225E36A9637654D7BBC8133BB1E
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter burger
Tags:exe signed vidar

Code Signing Certificate

Organisation:*.dodo.com
Issuer:GlobalSign RSA OV SSL CA 2018
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-02T02:56:44Z
Valid to:2026-11-03T02:56:43Z
Serial number: 60f33e3bfc90bb4181ee461e
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7d500d7e9468871bed19b095a3e75f3657a0a4ce71f4740d0a5ef2582920abf9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
vidar
Create hunting rule
ID:
1
File name:
msedge_elf.dll
Verdict:
Malicious activity
Analysis date:
2025-12-12 17:18:33 UTC
Tags:
stealer stealc vidar xor-url generic golang
Link:
https://app.any.run/tasks/faa3af5e-a339-45e2-8e44-3f2c1a96e8e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44463/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693c4e80bde6a3e59710c270
Tags:
injection obfusc crypt
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm crypto golang masquerade mingw overlay packed signed
Link:
https://www.filescan.io/uploads/693c4e9664bd958a5210bd30/reports/25ac371f-c004-4d37-b7fa-1c7d928ad369/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4
Verdict:
Malicious
File Type:
dll x64
First seen:
2025-12-12T11:14:00Z UTC
Last seen:
2025-12-14T08:06:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Agent.smfdmn Trojan.Win64.Agent.sb UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/29190739-61b6-409f-83d5-f17bdb19c436
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1831749
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1831749 Sample: msedge_elf.dll.exe Startdate: 12/12/2025 Architecture: WINDOWS Score: 100 71 ntp.msn.com-ion.edgesuite.net 2->71 73 ntp.msn.com 2->73 75 8 other IPs or domains 2->75 103 Suricata IDS alerts for network traffic 2->103 105 Multi AV Scanner detection for submitted file 2->105 107 Yara detected Vidar stealer 2->107 109 2 other signatures 2->109 10 loaddll64.exe 1 2->10         started        12 msedge.exe 2->12         started        16 msedge.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 20 cmd.exe 1 10->20         started        22 rundll32.exe 10->22         started        25 rundll32.exe 10->25         started        34 5 other processes 10->34 101 239.255.255.250 unknown Reserved 12->101 127 Maps a DLL or memory area into another process 12->127 27 msedge.exe 12->27         started        30 msedge.exe 12->30         started        36 3 other processes 12->36 32 msedge.exe 16->32         started        38 2 other processes 18->38 signatures6 process7 dnsIp8 40 rundll32.exe 21 20->40         started        111 Found API chain indicative of debugger detection 22->111 113 Contains functionality to inject threads in other processes 22->113 115 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 22->115 89 208.104.10.26, 443, 57420 ROCK-HILL-TELEPHONEUS United States 27->89 91 a1666.dscr.akamai.net 208.104.10.34, 443, 49795, 49796 ROCK-HILL-TELEPHONEUS United States 27->91 99 36 other IPs or domains 27->99 93 64.233.176.132, 443, 49847 GOOGLEUS United States 32->93 95 fg.microsoft.map.fastly.net 32->95 97 clients2.googleusercontent.com 32->97 signatures9 process10 dnsIp11 77 193.233.126.16, 443, 49717, 49721 FREE-MPEIRU Russian Federation 40->77 117 System process connects to network (likely due to code injection or exploit) 40->117 119 Tries to harvest and steal browser information (history, passwords, etc) 40->119 121 Sets debug register (to hijack the execution of another thread) 40->121 123 5 other signatures 40->123 44 msedge.exe 40->44         started        47 msedge.exe 40->47         started        49 chrome.exe 1 40->49         started        52 12 other processes 40->52 signatures12 process13 dnsIp14 125 Monitors registry run keys for changes 44->125 54 msedge.exe 44->54         started        56 msedge.exe 47->56         started        69 192.168.2.4, 138, 443, 49666 unknown unknown 49->69 58 chrome.exe 49->58         started        61 chrome.exe 52->61         started        63 WerFault.exe 52->63         started        65 WerFault.exe 52->65         started        67 WerFault.exe 52->67         started        signatures15 process16 dnsIp17 79 play.google.com 142.250.69.78, 443, 49754, 49755 GOOGLEUS United States 58->79 81 www.google.com 64.233.185.105, 443, 49738, 49739 GOOGLEUS United States 58->81 87 3 other IPs or domains 58->87 83 142.250.9.99, 443, 49763, 49764 GOOGLEUS United States 61->83 85 ogads-pa.clients6.google.com 61->85
Score:
22%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/920bf08e1eedbbda60ad3050c5885ae8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4
Threat name:
Win64.Trojan.Tedy
Create hunting rule
Status:
Suspicious
First seen:
2025-12-12 16:42:58 UTC
File Type:
PE+ (Dll)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4pmmss55emoytwoa7trh6joqyxe3tfzc6ijqlthj6d7pzbc6qcsa._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
040e32fc4b4499f35ef009e950cadc4fd497fbbe8d33816f4fbac499a264ba2b
Vidar
312b2ec093ef1f61d8b3db70784aa5a946ac7a772a15d1482f5e32f65e607eaf
Vidar
339150f9b730ddb3a0d17e291d4440e765a17994a3a31ac34c2714dcb7502453
Vidar
38f6caace533cab416dd9f57a83adf0c54809e30acca95364f59894d02a5f1aa
Vidar
a84c53037ecf5ba9db3d05ed58d835a960973dfba8946c94e9bfa6838ee12a4b
Vidar
dd7982ab2a59c5ce1154be78f68fd6e237734ee6883b949c106ea616c33e6fa3
Vidar
e10090e03657c2d064580eae8400466267491fffa0d78536452c1e0919616487
Vidar
e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4
Vidar
error
Vidar
+ 136 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:d2b511151cd8e7fa109013971ae46cfa campaign:cego54 discovery spyware stealer
Link:
https://tria.ge/reports/251212-vv261sfz5a/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Windows directory
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Detects Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
https://telegram.me/cego54
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6539aa8a-c83a-462a-ae8a-3edfaca95fd6
Unpacked files
SH256 hash:
e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4
MD5 hash:
920bf08e1eedbbda60ad3050c5885ae8
SHA1 hash:
254f5b36de365fd7df1f60591be3cd181bd4fbe1
Link:
https://www.unpac.me/results/2970ae65-ab5f-46ce-80e2-5b02c997daaa/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e3d8c94bbd23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.29
Link:
https://yomi.yoroi.company/submissions/e3d8c94bbd231d89d9c0fce27f25d0c5c9b99722f21305cce9f0fefc845e80a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/44463/

Comments