MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f67f33ef8db4f016fb4d0bc947cbeab905eb2841c0f3cff732e8387c855c95bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar
Vendor detections: 4

SHA256 hash: f67f33ef8db4f016fb4d0bc947cbeab905eb2841c0f3cff732e8387c855c95bd
SHA3-384 hash: 282833b1e565a4a7d0d78cd77378b4a68e16ea93f7229f85c97f0a5e2f00074f9677a3d98a36ec0bf679b365068a27f5
SHA1 hash: b22d82dd15c38e7b8ea258edd888e3f9504ec196
MD5 hash: 76d17015529e44110f962f2b311cd87f
humanhash: mike-papa-mirror-kansas
File name: LedgeOpiumsy.zip
Signature: Vidar
File size: 10'678'753 bytes
First seen: 2025-04-10 11:43:40 UTC
Last seen: Never
File type: zip
MIME type: application/zip
Note: This file is a password protected archive. The password is: pegs
ssdeep: 196608:1VaMPbodJV3h2tdVFe+fVUPyCBr0EnKSEhR+weKXVTaV+4Ix9jr7fB:1EMPbo3u9Fe+tUPyCBrvEhR+we+RaM4S
TLSH: T1B5B633B6DB83968BC46167FBDC06C41A936B03B05EEE5F1E1258620686F4F89E4C335D
Magika: zip
Reporter: aachum
Tags: AutoIT file-pumped pw-pegs vidar zip


Comment from iamaachum:
https://www.youtube.com/watch?v=QLRCEOvJa-o => https://www.youtube.com/channel/UCwmnsubfOCTN_xMhg4czo5A/about => https://www.mediafire.com/folder/4fsmxnec5zkpl/ElseHex

Vidar Botnet: 91b301788b6ee04fa9332df1b73e85ef
Vidar C2:
https://t.me/f07nd
https://steamcommunity.com/profiles/76561199843252735
https://qt.ap.4t.com/

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 133
Origin country: ES

File Archive Information

This file archive contains 29 file(s), sorted by their relevance:

File name: hs_err_pid932.log
File size: 60'571 bytes
SHA256 hash: 33ef7caac7164f8b8eb6d4b30eb344ab584b7098b8be9dc8c3b999791190bfae
MD5 hash: ce89d0373938a8b96cc46ebc049d2c94
MIME type: text/plain
Signature: Vidar

File name: updater.log
File size: 572'536 bytes
SHA256 hash: 2074e79f694c586a1f6755249b0fe21bc26cd80f5b78303ea2b056db39c703fc
MD5 hash: 4c17c1fcd78a715ff50b30a3be54776d
MIME type: text/plain
Signature: Vidar

File name: hs_err_pid14620.log
File size: 61'636 bytes
SHA256 hash: 9b378648fe0b854a8de294ff54d6e203f6aac9ddcc3933c2d878cc82bf1d927d
MD5 hash: ee5de4aaeb4a7ccd28e3460fc97f9e21
MIME type: text/plain
Signature: Vidar

File name: exempt_local.policy
File size: 566 bytes
SHA256 hash: 8c3d7648abcd95a272ce12db870082937f4d7f6878d730d83cb7fbb31eb8b2c9
MD5 hash: 4cbb03f484c86cbea1a217baae07d3c9
MIME type: text/plain
Signature: Vidar

File name: default_US_export.policy
File size: 146 bytes
SHA256 hash: 758b930a526fc670ab7537f8c26321527050a31f5f42149a2dda623c56a0a1a9
MD5 hash: 1a08ffdf0bc871296c8d698fb22f542a
MIME type: text/plain
Signature: Vidar

File name: Qt5Network.dll
File size: 1'341'040 bytes
SHA256 hash: c4ab7e26a33504d8268b13d8d895b0b0225560a6ff12486cddef9980671c34df
MD5 hash: ede0cf8a13a02754b1549d85d03a82c5
MIME type: application/x-dosexec
Signature: Vidar

File name: java.policy
File size: 2'180 bytes
SHA256 hash: f2a00a1dec3b7a097f0815f338a84717ba1017d5d7aae96d842d2188d67c3250
MD5 hash: fbf2b55342947695aa2a15e3485ed29f
MIME type: text/plain
Signature: Vidar

File name: logging.properties
File size: 2'732 bytes
SHA256 hash: b62d2733ab99556b108a1951d894c5a8d76b1ac7a00c02c388f9eb9be046c56f
MD5 hash: 0f00ec3e7a7767a4efeae1875fb5f3d4
MIME type: text/plain
Signature: Vidar

File name: hs_err_pid8760.log
File size: 60'366 bytes
SHA256 hash: 8c2b8d44fe14ff3101c24c2e588a3934d93fc610a63ec0c7e970a8de8ec18401
MD5 hash: 1592a676df04971b8127c40057e79a9c
MIME type: text/plain
Signature: Vidar

File name: Qt5Gui.dll
File size: 7'008'880 bytes
SHA256 hash: aa27149c2328007ee9276ae31b69fd07ca0f264e5dbb023076889dbf963d6098
MD5 hash: f2881a38a57c53bcecf6bad5e029d6fb
MIME type: application/x-dosexec
Signature: Vidar

File name: net.properties
File size: 6'671 bytes
SHA256 hash: 5bc726671936e0af4fdf6bed67d9e3a20a92c30b0ba23673d0314baa5e3ffb08
MD5 hash: 385443b7e4a37bc277c018cd1d336d49
MIME type: text/plain
Signature: Vidar

File name: qtwebengine_resources_200p.pak
File size: 781'396 bytes
SHA256 hash: deebba302acebfa268b317a57f56ba631325edbf053ff32a8d7832347d1ed44d
MD5 hash: 083950e31e62fd878a63f30d52c8602b
MIME type: application/octet-stream
Signature: Vidar

File name: libEGL.dll
File size: 67'128 bytes
SHA256 hash: fbdf9675b1ff7e32c8026bfaab2534b9b0302ae3773df24aefa2290915469f2f
MD5 hash: fe276543cc6ae9c25f58d95d839293f5
MIME type: application/x-dosexec
Signature: Vidar

File name: updater.log.old
File size: 1'056'740 bytes
SHA256 hash: c34ccf408838fd0fd77bf054b0292b87f1a76bea91be8b83102c654a8288d844
MD5 hash: 9deb412634bcb8254473bdf86f3d3bc4
MIME type: text/plain
Signature: Vidar

File name: README.txt
File size: 2'390 bytes
SHA256 hash: 6da0747334b0fea7592fd92614b2bbc8b126535e129b1fee483774d914e98eb5
MD5 hash: 3d47d94bc4f19d18bcc8b23f51d013af
MIME type: text/plain
Signature: Vidar

File name: qtwebengine_resources.pak
File size: 2'284'161 bytes
SHA256 hash: 5f96bb8b73792ccab961dc06b1190ff2d7aa65e24bbccd806fffca24140cbe9c
MD5 hash: 14f2f9bd381fb1e1e903304af053137d
MIME type: application/octet-stream
Signature: Vidar

File name: management.properties
File size: 14'410 bytes
SHA256 hash: f80096ec028dcb71625c398ec16d12023cafc6a1c055aceaed07d02e8d56f637
MD5 hash: 055470250aefd21bb36a38aa74c9d9be
MIME type: text/plain
Signature: Vidar

File name: libeay32.dll
File size: 2'276'128 bytes
SHA256 hash: 2270871989e6c90df07b3e4630b4c4b6dd0e33e2a23ba3c52a7ff7bc3553304e
MD5 hash: e22b2e3d650c33c9197f985b7516da70
MIME type: application/x-dosexec
Signature: Vidar

File name: usercache.json
File size: 959 bytes
SHA256 hash: fcb8c4b8c6aaff14e922e7bff9800fa028adb7ccb8c921583b80790d63af7fd5
MD5 hash: 61309d45bfb4df18bba558ffe9982a47
MIME type: application/json
Signature: Vidar

File name: WritingsEye.exe
Pumped file: This file is pumped. MalwareBazaar has de-pumped it.
File size: 157'297'972 bytes
SHA256 hash: a1c94d63fa000665196a327e373038364905ee8d88b1e990f5022ad18f139008
MD5 hash: 205d359ff9a65cfa846c5fdd1af8d87d
De-pumped file size: 143'872 bytes (vs. original size of 157'297'972 bytes)
De-pumped SHA256 hash: e25ea3005b653e51d5d14ebc0165a0f712918a00441acb249c331c9e9eb15af8
De-pumped MD5 hash: 1abb8299e4282de00b6ba04561d8ade9
MIME type: application/x-dosexec
Signature: Vidar

File name: hs_err_pid5944.log
File size: 61'202 bytes
SHA256 hash: eaf5142816cfd568a6ee1325e44ec2b090567a964281cae4fc624cd8636ccf07
MD5 hash: 4a38ee027b2605bd5641d75b44e422cc
MIME type: text/plain
Signature: Vidar

File name: jmxremote.password.template
File size: 5'690 bytes
SHA256 hash: 0273b6a6b9e20e6ce54c5aee70164028e0395063b2b7d39060a40b6495543dbf
MD5 hash: ad773cfd53efe03e662f1cf23561f725
MIME type: text/plain
Signature: Vidar

File name: jmxremote.access
File size: 3'997 bytes
SHA256 hash: 0c25d26ee212ca1e8c33f67c3c460d43fe849c3a1d23dbe341148517602b280c
MD5 hash: 5880f5255cf159b204761cf24be76061
MIME type: text/plain
Signature: Vidar

File name: qtwebengine_resources_100p.pak
File size: 640'623 bytes
SHA256 hash: 7eb8e53261798f00ee583e623ce3d9be107a1f4cf2fc88d667540d230da04708
MD5 hash: 67f87f033644ec0eb8b7309eb2b1b7ce
MIME type: application/octet-stream
Signature: Vidar

File name: libgcc_s_dw2-1.dll
File size: 116'238 bytes
SHA256 hash: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
MD5 hash: 9aec524b616618b0d3d00b27b6f51da1
MIME type: application/x-dosexec
Signature: Vidar

File name: java.security
File size: 58'324 bytes
SHA256 hash: 38166a975348862d693d95de8d676cf19cecccc45af4a1896c73c45f7bd966ef
MD5 hash: 00cf40959861f61f17b90c6b6002a9a1
MIME type: text/plain
Signature: Vidar

File name: default_local.policy
File size: 193 bytes
SHA256 hash: 8d8a318e6d90dfd7e26612d2b6385aa704f686ca6134c551f8928418d92b851a
MD5 hash: 2a0f330c51aff13a96af8bd5082c84a8
MIME type: text/plain
Signature: Vidar

File name: Qt5Core.dll
File size: 6'024'304 bytes
SHA256 hash: 29f02a06beb7cc0126de3bdf24d9e7aebc4f48cd3d28ee3dc450b224d49412be
MD5 hash: b9f265fdf70eb0f6b51b744ca3a99b16
MIME type: application/x-dosexec
Signature: Vidar

File name: sound.properties
File size: 1'210 bytes
SHA256 hash: 299c2360b6155eb28990ec49cd21753f97e43442fe8fab03e04f3e213df43a66
MD5 hash: 4f95242740bfb7b133b879597947a41e
MIME type: text/plain
Signature: Vidar
Vendor Threat Intelligence

Result
Malware family: vidar
Score: 10/10
Tags: family:vidar botnet:91b301788b6ee04fa9332df1b73e85ef credential_access discovery execution spyware stealer

Behaviour:
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Uses browser remote debugging
Detect Vidar Stealer
Vidar
Vidar family

Malware Config
C2 Extraction:
https://t.me/f07nd
https://steamcommunity.com/profiles/76561199843252735

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File type and SHA256: zip f67f33ef8db4f016fb4d0bc947cbeab905eb2841c0f3cff732e8387c855c95bd (this sample)