MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e50431d9d07bfbe1a57c75cc446b31c2bdbecd6e20f05281aab2031251290f06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13


SHA256 hash: e50431d9d07bfbe1a57c75cc446b31c2bdbecd6e20f05281aab2031251290f06
SHA3-384 hash: 95cef12196f67a6575ddb7c6ff014bb909d9e69be4c132996d0171b8b0ef72be29d83ebebc3f198e14b95d8684e23fb8
SHA1 hash: e75ce1549f3af407692e85f35975d7681fdef911
MD5 hash: 899ccf2aa0f1e911c267ceb7154c1356
humanhash: red-romeo-oklahoma-leopard
File name: SecuriteInfo.com.FileRepMalware.26986.6008
Signature: Vidar
File size: 1'583'656 bytes
First seen: 2025-06-12 19:18:59 UTC
Last seen: 2025-06-12 20:30:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 500697a5eb94c2fffe714893c0005bdc (10 x LummaStealer, 2 x Vidar, 1 x SnakeKeylogger)
ssdeep: 49152:7RC46UdKYZzpLiymGyRInc93BRCFvrAkCAFpmcexX2FXe11bnCzftoB:7RC46UdKYZzpLiy+93BUsJnw811bmtoB
TLSH: T15D7559394280D2C2FD35147680B166D97822B737C62D3BFBE2A0E7679E0B2C65E5635C
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: SecuriteInfoCom
Tags: exe vidar

Intelligence


File Origin
# of uploads: 2
# of downloads: 544
Origin country: FR

Vendor Threat Intelligence

Malware family:
ID: 1
File name: sample.exe
Verdict: Malicious activity
Analysis date: 2025-06-12 18:59:40 UTC
Tags: amadey loader rdp themida screenconnect rmm-tool netreactor xworm arch-exec evasion rat winring0x64-sys vuln-driver pureminer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Launching a process
  Creating synchronization primitives
  DNS request
  Connection attempt
  Sending a custom TCP request
  Sending an HTTP GET request
  Forced shutdown of a system process
  Unauthorized injection to a system process
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signatures:
  .NET source code contains process injector
  .NET source code references suspicious native API functions
  Allocates memory in foreign processes
  Compiles code for process injection (via .Net compiler)
  Creates a thread in another existing process (thread injection)
  Encrypted powershell cmdline option found
  Injects a PE file into a foreign processes
  Joe Sandbox ML detected suspicious sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Sigma detected: Dot net compiler compiles file from suspicious location
  Sigma detected: Silenttrinity Stager Msbuild Activity
  Suricata IDS alerts for network traffic
  Suspicious execution chain found
  Tries to harvest and steal browser information (history, passwords, etc)
  Writes to foreign memory regions
  Yara detected Powershell decode and execute
  Yara detected Vidar stealer
Behaviour
Behavior Graph ID 1713605 (sample SecuriteInfo.com.FileRepMal..., start date 12/06/2025, architecture WINDOWS, score 100), rendered as a process tree; graph node numbers are given in parentheses:

  top-level network: t.me; c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com; 7 other IPs or domains
  top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

  SecuriteInfo.com.FileRepMalware.26986.6008.exe (10)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    |- MSBuild.exe (13)
    |    network: t.me 149.154.167.99 (ports 443, 49694; TELEGRAMRU, United Kingdom); 10.aa.uploadraja.com 116.202.5.231 (ports 443, 49695, 49696; HETZNER-ASDE, Germany)
    |    signatures: Encrypted powershell cmdline option found; Tries to harvest and steal browser information (history, passwords, etc)
    |    |- powershell.exe (21)
    |    |    dropped: C:\Users\user\AppData\...\k2ufvvas.cmdline (Unicode)
    |    |    signatures: Writes to foreign memory regions; Compiles code for process injection (via .Net compiler); Creates a thread in another existing process (thread injection)
    |    |    |- csc.exe (32)
    |    |    |    dropped: C:\Users\user\AppData\Local\...\k2ufvvas.dll (PE32)
    |    |    |    |- cvtres.exe (52)
    |    |    |- conhost.exe (35)
    |    |- chrome.exe (25)
    |    |    network: 192.168.2.5 (ports 138, 443, 49675)
    |    |    signatures: Encrypted powershell cmdline option found; Suspicious execution chain found
    |    |    |- chrome.exe (37)
    |    |    |    network: apis.google.com; www.google.com 142.250.176.196 (ports 443, 49705, 49706; GOOGLEUS, United States); 3 other IPs or domains
    |    |    |- chrome.exe (40)
    |    |- powershell.exe (28)
    |    |    dropped: C:\Users\user\AppData\Local\...\cf2ot2iy.0.cs (Unicode)
    |    |    |- 2 other processes (48)
    |    |         dropped: C:\Users\user\AppData\Local\...\cf2ot2iy.dll (PE32)
    |    |         |- cvtres.exe (60)
    |    |- 27 other processes (30)
    |         |- csc.exe (42)
    |         |    dropped: C:\Users\user\AppData\Local\...\c4jmob4l.dll (PE32)
    |         |    |- cvtres.exe (54)
    |         |- csc.exe (44)
    |         |    dropped: C:\Users\user\AppData\Local\...\2cwsmbpn.dll (PE32)
    |         |    |- cvtres.exe (56)
    |         |- csc.exe (46)
    |         |    dropped: C:\Users\user\AppData\Local\...\zaoedj3l.dll (PE32)
    |         |    |- cvtres.exe (58)
    |         |- 23 other processes (50)
    |              dropped: C:\Users\user\AppData\Local\...\vj42sdob.dll (PE32); C:\Users\user\AppData\Local\...\tneuyun2.dll (PE32); C:\Users\user\AppData\Local\...\t0zajzbt.dll (PE32); 7 other files (none is malicious)
    |              |- cvtres.exe (62); cvtres.exe (64); cvtres.exe (66); 7 other processes (68)
    |- MSBuild.exe (17)
    |- conhost.exe (19)
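The execution chain in the report above (sample -> MSBuild.exe -> powershell.exe with an encoded command -> csc.exe compiling from the user's AppData directory -> cvtres.exe) is what the "Dot net compiler compiles file from suspicious location" Sigma hit and the "Encrypted powershell cmdline option found" signature describe. The following is an added example of running equivalent checks over process-creation events; it is not MalwareBazaar or sandbox-vendor code. The events are constructed (paths, PIDs and the encoded script are made up to mirror the tree above), and the rule names are this example's own, not the names of the vendor Sigma rules.

```python
"""Detection checks for the MSBuild -> PowerShell -> csc.exe chain seen in the sandbox report.

Added example, not MalwareBazaar or vendor code. SAMPLE_EVENTS below is constructed
to mirror the behaviour graph; every path, PID and command line is made up.
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


# User-writable locations from which a legitimate build pipeline would not normally compile.
SUSPICIOUS_DIR = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
MSBUILD_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "csc.exe"}


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
    the payload is Base64 over UTF-16LE text.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        is_flag = flag in ("-e", "-ec") or (len(flag) >= 3 and "-encodedcommand".startswith(flag))
        if not is_flag:
            continue
        try:
            return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def run_detections(events):
    """Run the three checks over a list of ProcEvent and return the Findings."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        name = _basename(ev.image)
        parent = by_pid.get(ev.ppid)

        # 1. .NET compiler invoked on a response/source file in a user-writable location.
        if name in DOTNET_COMPILERS and SUSPICIOUS_DIR.search(ev.command_line):
            findings.append(Finding("dotnet_compiler_suspicious_location", ev.pid, ev.command_line))

        # 2. MSBuild.exe used as a launcher for a shell or compiler (a coarse heuristic).
        if parent is not None and _basename(parent.image) == "msbuild.exe" and name in MSBUILD_CHILDREN:
            findings.append(Finding("msbuild_spawned_child", ev.pid, f"{_basename(parent.image)} -> {name}"))

        # 3. PowerShell started with an encoded command: surface the decoded script for the analyst.
        if name in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(ev.command_line)
            if decoded is not None:
                findings.append(Finding("encoded_powershell", ev.pid, decoded))
    return findings


# Constructed stand-in for the encoded script; the real sample's script is not on the page.
CONSTRUCTED_SCRIPT = "Start-Sleep 1; Write-Output 'constructed payload'"
_ENC = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed to mirror the behaviour graph; PIDs reuse the graph node numbers
    ProcEvent(10, 4, r"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.26986.6008.exe",
              r'"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.26986.6008.exe"'),
    ProcEvent(13, 10, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(21, 13, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoP -W Hidden -enc {_ENC}"),
    ProcEvent(32, 21, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\k2ufvvas\k2ufvvas.cmdline"'),
    ProcEvent(52, 32, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", "cvtres.exe /NOLOGO /READONLY"),
    # Benign control: an IDE build compiling from a source checkout must not fire.
    ProcEvent(80, 4, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(90, 80, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

With real Sysmon Event ID 1 data, map ProcessId, ParentProcessId, Image and CommandLine onto ProcEvent. The MSBuild check here is coarser than the "Silenttrinity Stager Msbuild Activity" rule, which keys on MSBuild.exe itself opening outbound connections, as node 13 does above (t.me and 10.aa.uploadraja.com); in practice you want both the process-tree and the network-connection view.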
Threat name: Win64.Trojan.Egairtigado
Status: Malicious
First seen: 2025-06-12 19:19:34 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 23 of 38 (60.53%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:5828200e1e0f595ba667ca6d813d02c7 credential_access defense_evasion discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Obfuscated Files or Information: Command Obfuscation
Unsecured Credentials: Credentials In Files
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction (public profile pages the stealer fetches to look up its current C2 address, i.e. dead-drop resolvers rather than the C2 host itself):
  https://t.me/gu77xt
  https://steamcommunity.com/profiles/76561199863931286
Unpacked files
SHA256 hash: e50431d9d07bfbe1a57c75cc446b31c2bdbecd6e20f05281aab2031251290f06
MD5 hash: 899ccf2aa0f1e911c267ceb7154c1356
SHA1 hash: e75ce1549f3af407692e85f35975d7681fdef911
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File
Web download      Vidar       Executable exe e50431d9d07bfbe1a57c75cc446b31c2bdbecd6e20f05281aab2031251290f06 (this sample)

Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                             Severity
CHECK_AUTHENTICODE          Missing Authenticode                              high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (GUARD_CF)   high

Reviews
ID                  Capabilities                     Evidence
WIN32_PROCESS_API   Can Create Process and Threads   KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API        Uses Win Base API                KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API   Can Execute other programs       KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API     Can Create Files                 KERNEL32.dll::CreateFileW

Comments