MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca
SHA3-384 hash: c574ea4695414daa87f6292c2646a3090b85e81959c0eb322759ea6603a82d71ac30e5f0aa9437f0deff9a50913a2561
SHA1 hash: a1b48d519d0f4b2d375d2e0f72c8f6076f63f7f6
MD5 hash: cbc01fb7800453f31807a3c8c53ce422
humanhash: seven-minnesota-georgia-march
File name:v7942.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:368'640 bytes
First seen:2025-04-06 05:42:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8beb5ca1ff83475ee16fa1a921765aab (8 x LummaStealer, 6 x DarkCloud, 1 x Vidar)
ssdeep 6144:oAJvsvm0Pw0soTmUX9ED2sZAZ+Hr8MAC9GVWr2os5Qoh4BdULx83Oy3U4QyKzrL:oAJvsvm4soaUtcLZAZsr8MAOg0Qh+Ke+
Threatray 9 similar samples on MalwareBazaar
TLSH T16D74D005B2A548EAED63427E8B529701F5337C278B34DEEF02E446521F17AD81D3EB62
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
2025-04-06_cbc01fb7800453f31807a3c8c53ce422_black-basta_cobalt-strike_ryuk_satacom
Verdict:
Malicious activity
Analysis date:
2025-04-06 04:15:24 UTC
Tags:
telegram vidar stealer stealc
Link:
https://app.any.run/tasks/f7620bcf-81f7-4267-b110-84edaab2ea7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/854/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f1ffdba695a0cd1fab44ff
Tags:
stealer kryptik virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67f2169840adfb5162b9fbd7/reports/346248f2-e01f-4a51-8f4b-63db14e90bb7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/68013d6f-dbcd-458b-ba26-411d8ec29c50
Result
Threat name:
LummaC Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1657607
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates / moves files in alternative data streams (ADS)
Early bird code injection technique detected
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1657607 Sample: v7942.exe Startdate: 06/04/2025 Architecture: WINDOWS Score: 100 130 itsrevolutionmagnus.xyz 2->130 132 puerrogfh.live 2->132 134 5 other IPs or domains 2->134 170 Suricata IDS alerts for network traffic 2->170 172 Found malware configuration 2->172 174 Malicious sample detected (through community Yara rule) 2->174 178 12 other signatures 2->178 13 v7942.exe 2->13         started        16 ByxC1QsEM7QhjUQ2.exe 2->16         started        19 ByxC1QsEM7QhjUQ2.exe 2->19         started        22 ByxC1QsEM7QhjUQ2.exe 2->22         started        signatures3 176 Performs DNS queries to domains with low reputation 130->176 process4 dnsIp5 250 Writes to foreign memory regions 13->250 252 Allocates memory in foreign processes 13->252 254 Injects a PE file into a foreign processes 13->254 24 MSBuild.exe 34 13->24         started        29 MSBuild.exe 13->29         started        94 C:\Users\user\...\wntaco1w67aEH50O.exe, PE32 16->94 dropped 96 C:\Users\user\...\kmilBaLuX3gHaZFZ.exe, PE32 16->96 dropped 98 C:\Users\user\...\Q35hQMr3tiavTtnT.exe, PE32 16->98 dropped 31 Q35hQMr3tiavTtnT.exe 16->31         started        148 192.168.2.5 unknown unknown 19->148 100 C:\Users\user\...\hrgFLq3z6wvHrpue.exe, PE32 19->100 dropped 33 hrgFLq3z6wvHrpue.exe 19->33         started        102 C:\Users\user\...\2y0egpwWI2VWJoTP.exe, PE32 22->102 dropped 35 2y0egpwWI2VWJoTP.exe 22->35         started        file6 signatures7 process8 dnsIp9 150 t.me 149.154.167.99, 443, 49711, 49802 TELEGRAMRU United Kingdom 24->150 152 77.90.153.244, 49771, 49789, 80 RAPIDNET-DEHaunstetterStr19DE Germany 24->152 154 2 other IPs or domains 24->154 120 C:\Users\user\AppData\...\sss81242[1].exe, PE32 24->120 dropped 122 C:\Users\user\AppData\Local\...\s9471[1].exe, PE32+ 24->122 dropped 124 C:\Users\user\AppData\Local\...\l9543[1].exe, PE32+ 24->124 dropped 126 3 other malicious files 24->126 dropped 232 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->232 234 Found many strings related to Crypto-Wallets (likely being stolen) 24->234 236 Tries to harvest and steal ftp login credentials 24->236 248 3 other signatures 24->248 37 4ect2n7y58.exe 24->37         started        40 o8gva1vkf3.exe 24->40         started        43 26pzcbiwb1.exe 24->43         started        47 2 other processes 24->47 238 Attempt to bypass Chrome Application-Bound Encryption 29->238 240 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->240 242 Searches for specific processes (likely to inject) 29->242 244 Antivirus detection for dropped file 33->244 246 Multi AV Scanner detection for dropped file 33->246 45 WerFault.exe 33->45         started        file10 signatures11 process12 dnsIp13 208 Hijacks the control flow in another process 37->208 210 Contains functionality to inject code into remote processes 37->210 212 Modifies the context of a thread in another process (thread injection) 37->212 214 Found evasive API chain (may stop execution after checking locale) 37->214 50 4ect2n7y58.exe 25 37->50         started        116 C:\Users\user\...\ByxC1QsEM7QhjUQ2.exe, PE32 40->116 dropped 118 :cat (copy), PE32 40->118 dropped 216 Antivirus detection for dropped file 40->216 218 Multi AV Scanner detection for dropped file 40->218 220 Creates / moves files in alternative data streams (ADS) 40->220 55 ByxC1QsEM7QhjUQ2.exe 40->55         started        222 Writes to foreign memory regions 43->222 224 Allocates memory in foreign processes 43->224 226 Injects a PE file into a foreign processes 43->226 57 MSBuild.exe 43->57         started        59 MSBuild.exe 43->59         started        156 192.168.2.4, 138, 443, 49155 unknown unknown 47->156 61 chrome.exe 47->61         started        63 conhost.exe 47->63         started        65 timeout.exe 47->65         started        file14 signatures15 process16 dnsIp17 136 77.90.153.241, 49778, 80 RAPIDNET-DEHaunstetterStr19DE Germany 50->136 104 C:\Users\user\AppData\...\yu5stZ1M2fc7.exe, PE32 50->104 dropped 106 C:\Users\user\AppData\...\Tzf0aRd3EL36.exe, PE32+ 50->106 dropped 108 C:\Users\user\AppData\Local\...\v7942[1].exe, PE32+ 50->108 dropped 112 2 other malicious files 50->112 dropped 180 Early bird code injection technique detected 50->180 182 Found many strings related to Crypto-Wallets (likely being stolen) 50->182 184 Writes to foreign memory regions 50->184 194 3 other signatures 50->194 67 yu5stZ1M2fc7.exe 50->67         started        71 Tzf0aRd3EL36.exe 50->71         started        73 6L85h99An2Sa.exe 50->73         started        75 chrome.exe 50->75         started        138 77.90.153.245, 49783, 49785, 49787 RAPIDNET-DEHaunstetterStr19DE Germany 55->138 110 C:\Users\user\...behaviorgraphYIq69yxRgeFsyyS.exe, PE32 55->110 dropped 186 Antivirus detection for dropped file 55->186 188 Multi AV Scanner detection for dropped file 55->188 77 GYIq69yxRgeFsyyS.exe 55->77         started        140 puerrogfh.live 172.67.207.60, 443, 49773, 49774 CLOUDFLARENETUS United States 57->140 190 Query firmware table information (likely to detect VMs) 57->190 192 Tries to steal Crypto Currency Wallets 57->192 142 play.google.com 142.250.65.174, 443, 49754, 49759 GOOGLEUS United States 61->142 144 ogads-pa.clients6.google.com 142.250.72.106, 443, 49750, 49753 GOOGLEUS United States 61->144 146 3 other IPs or domains 61->146 file18 signatures19 process20 file21 114 C:\Users\user\...\ImIohwuWgPBfIUo2.exe, PE32 67->114 dropped 196 Antivirus detection for dropped file 67->196 198 Multi AV Scanner detection for dropped file 67->198 200 Creates / moves files in alternative data streams (ADS) 67->200 79 ImIohwuWgPBfIUo2.exe 67->79         started        202 Writes to foreign memory regions 71->202 204 Allocates memory in foreign processes 71->204 206 Injects a PE file into a foreign processes 71->206 83 MSBuild.exe 71->83         started        85 MSBuild.exe 73->85         started        signatures22 process23 file24 128 C:\Users\user\...\aHeL7rhrueJV5OIl.exe, PE32 79->128 dropped 158 Antivirus detection for dropped file 79->158 160 Multi AV Scanner detection for dropped file 79->160 87 aHeL7rhrueJV5OIl.exe 79->87         started        162 Query firmware table information (likely to detect VMs) 83->162 164 Tries to harvest and steal ftp login credentials 83->164 166 Tries to harvest and steal browser information (history, passwords, etc) 83->166 168 Tries to steal Crypto Currency Wallets 83->168 90 chrome.exe 85->90         started        signatures25 process26 signatures27 228 Antivirus detection for dropped file 87->228 230 Multi AV Scanner detection for dropped file 87->230 92 WerFault.exe 87->92         started        process28
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca/
Threat name:
Win64.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-04-06 02:26:49 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6354qdwjogftvv76n4g6ooxn6bt5dvb2fa7wo62yv2pv2kbvmdfa._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
09d916ffc4140580a93ccba92d9d43c69675b8f118eafd24f6c1f251f129aa56
Vidar
0e063d56d58b485532b7763965cd21d2ae9275f514d25bc8d2a0b8c008b2d4bd
Vidar
0ffb1a03bf0c0819a9b9dd162d77de911c5a54cd43e2c2e338bb637303351244
Vidar
9e16524aaa9323007265cd74421cc60014636434e5d083018b59bbe53636572e
Vidar
b6e7e1ddaceee8c401056c0bd2e552c3545f6906b7de4b62ab3a239e5b01dfa7
Vidar
cdf481b6922c8c27c51bbcdec94f6ec41b1bfe9771beff223068ad02a14585d4
Vidar
cf35a65bf2b0b1aa84c9629e32510475f87502e0c8a2745f4a53d7bdaa5bfd10
Vidar
error
Vidar
f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca
Vidar
fe0d2c8f9e42e9672c51e3f1d478f9398fe88c6f31f83cadbb07d3bb064753c6
Vidar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:vidar botnet:f942dabea5a58a141236ae72e4720fbf credential_access discovery persistence spyware stealer
Link:
https://tria.ge/reports/250406-gkrewasxet/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/f07nd
https://steamcommunity.com/profiles/76561199843252735
https://puerrogfh.live/iqwez
https://jrxsafer.top/shpaoz
https://bplantainklj.run/opafg
https://quavabvc.top/iuzhd
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://rambutanvcx.run/adioz
https://ywmedici.top/noagis
Verdict:
Suspicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/3cac2d32-8ca3-4f1a-9109-bc526861c672
Unpacked files
SH256 hash:
f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca
MD5 hash:
cbc01fb7800453f31807a3c8c53ce422
SHA1 hash:
a1b48d519d0f4b2d375d2e0f72c8f6076f63f7f6
Link:
https://www.unpac.me/results/3ea557a5-dd50-44fd-b8d1-596b2d58331a/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f6fbc80ec971/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3478380/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/854/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments