MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 8


Intelligence 8 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f
SHA3-384 hash: d8f50697cb8313f6460a5e7cadfcf630bf40987ca39aecc0c74c85bf4ccecd4e2275ae890e0ecfe0b294b21be96b628d
SHA1 hash: 10240830ab2c07746b8af9bcf3592b76f021e8fd
MD5 hash: b970f8ea65c2ce8b4dbedc766e94024f
humanhash: cup-eighteen-mockingbird-carpet
File name:oStarteZ.zip
Download: download sample
Signature Vidar
Create hunting rule
File size:2'744'760 bytes
First seen:2025-10-27 19:16:15 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:HziHgBkQ3g1NVwc5s+RG+5ovs63zg/oS9qi5wG4lN7agiNI+m9QYZKU9:HzAgBkB/Vwci+I5vs2tSMiaXQ6bE8
TLSH T15DC52FA09533C661EFAF60AC503A53D583814E72C5F8ACF8F3B5760DD3297D6582AAD0
Magika zip
Reporter burger
Tags:file-pumped vidar zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
NL NL
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:oStarteZ.exe
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:924'548'608 bytes
SHA256 hash: e5fa5629d8fa539e8b2358732948995264eea6d3e8145e6c045fe8c882b3a8e2
MD5 hash: 3e0938837d0c038dd69289efcf1a66da
De-pumped file size:2'805'248 bytes (Vs. original size of 924'548'608 bytes)
De-pumped SHA256 hash: 2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041
De-pumped MD5 hash: bb3d76f75c234302cf4beb5eefaa300e
MIME type:application/x-dosexec
Signature Vidar
Vendor Threat Intelligence
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ffc5605de5ca270752f8f1
Tags:
emotet cobalt
Result
Verdict:
Malicious
File Type:
ZIP File - Malicious
Link:
https://app.docguard.net/f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f/results/dashboard
Behaviour
SuspiciousEmbeddedObjects detected
Gathering data
Verdict:
Suspicious
Labled as:
HEUR/Pumpar.Generic
Link:
https://www.hybrid-analysis.com/sample/f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f
Verdict:
Unknown
File Type:
zip
Link:
https://opentip.kaspersky.com/f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f
Verdict:
Malware
YARA:
3 match(es)
Tags:
CVE-2019-13232 CVE-2019-9674 CVE-2022-29225 CVE-2022-36114 CVE-2023-46104 CVE-2024-0450 Executable Malicious PE (Portable Executable) PE File Layout Zip Archive Zip Bomb
Link:
https://app.malva.re/file/b970f8ea65c2ce8b4dbedc766e94024f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f/
Threat name:
Binary.Trojan.Hulk
Create hunting rule
Status:
Malicious
First seen:
2025-10-27 19:31:18 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6udcyzoz7sftvs3g3kkw2ywacgn5t54lsau3fjjlylmexza3zbxq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Any_SU_Domain
Create hunting rule
Author:you
Description:Detect any reference to .su domains or subdomains
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Golang_Binary
Create hunting rule
Author:Andrew Morrow
Description:Detects binaries compiled with Go
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:PK_PUMP_AND_DUMP
Create hunting rule
Author:Will Metcalf @node5
Description:Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then check to see how much uncompressed size is vs compressed size
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:weird_zip_high_compression_ratio
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit
Reference:https://twitter.com/Cryptolaemus1/status/1633099154623803394

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Vidar

zip f5062c65d9fc8b3acb66da956d62c0119bd9f78b9029b2a52bc2d84be41bc86f

(this sample)

Vidar

Executable exe 2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041

  
Dropping
SHA256 2f2ff80d2fc6ddb9dfcd73725e3fc39d27325cfdacda43ffcdaf2f325e690041
  
Dropping
MD5 bb3d76f75c234302cf4beb5eefaa300e

Comments