MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 14

Intelligence 14 IOCs YARA 23 File information Comments

SHA256 hash:	f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7
SHA3-384 hash:	bac6627b1eb81ece8ea6974834921a5fd5ecbeeba50dd59fd0bcfcb3b9a6f7916545489c0a977a8ed9ab40d0e2bac34d
SHA1 hash:	fab8258cfc30c4a88de0ca122513ea8ddd306f9d
MD5 hash:	7e359d8fdd0d72a0971d639c20197d40
humanhash:	neptune-maine-march-pizza
File name:	install-1.3.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	3'663'872 bytes
First seen:	2026-06-27 11:34:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (511 x Vidar, 97 x Stealc, 94 x RemusStealer)
ssdeep	49152:56RHEf8Eea9vnmfOCvCKp0luZblb1D7L4SxtiPDGBfYnzQuuha:5xCW5l4bl+qAifv
Threatray	6 similar samples on MalwareBazaar
TLSH	T105068C03BDE158EAC49AA33188B6815A3B75BC590F3227D72E90B7B83E763D04D35B51
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	ced4eae8e8b2f0e8 (1 x Vidar)
Reporter	abuse_ch
Tags:	de-pumped exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

vidar

ID:

File name:

_f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7.exe

Verdict:

Malicious activity

Analysis date:

2026-06-27 11:36:08 UTC

Tags:

stealer stealc vidar golang

Link:

https://app.any.run/tasks/444a52cc-66ab-4d55-922b-d8dc4da8692e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/72213/

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a3fb59d86bc95245bf9f1f8

Tags:

n/a

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Behavior that indicates a threat

Sending a custom TCP request

Connection attempt to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm base64 crypto golang packed

Link:

https://www.filescan.io/uploads/6a3fb595771ce0044a00668d/reports/9cde5846-b4d1-4b4f-af4b-f0b6fd174d6c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-06-27T08:43:00Z UTC

Last seen:

2026-06-28T00:11:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Agent.sb Backdoor.Win64.Gsb.sb Trojan-PSW.Vidar.HTTP.C&C Trojan-PSW.Stealerc.TCP.C&C Trojan-PSW.Stealerc.HTTP.C&C Trojan-PSW.Lumma.TCP.C&C Trojan-Banker.Bandra.TCP.C&C Backdoor.Win64.Gsb.bzh

Link:

https://opentip.kaspersky.com/f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dfdad604-6f74-4fcd-a313-3e8b966437dc

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1934463

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Unusual module load detection (module proxying)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2026-06-27 11:36:01 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

7 of 36 (19.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7coymt35eoboryxdjq266c2dl23p2py6ipgeyku6huxjn6xukl3q._file

Verdict:

malicious

Label(s):

vidar

Vidar

1fd846232a824c1a06a36ca88ac968fa11d169a0986071d1fc0c8b132d7e3aec

Vidar

7b7cc6ddaaf7883d131dcf43677381da5707ca6d534b5b2aaae4ec9033a69ec6

Vidar

b48ff07c855be9ab7b513c70dadfb4d0380f78477ade7b5e424933bc82cf9664

Vidar

be31cb864127a72378b5eb989a68f4ef52b2f09430170fd1d4d090f272d2235e

Vidar

c097558130cf957989c38f44e1a542412c4964d380fdba85197d83d5a83a8c56

Vidar

error

Vidar

Result

Malware family:

n/a

Score:

10/10

Tags:

credential_access discovery spyware stealer

Link:

https://tria.ge/reports/260627-nqfnwsas4x/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Time Discovery

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks installed software on the system

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7

MD5 hash:

7e359d8fdd0d72a0971d639c20197d40

SHA1 hash:

fab8258cfc30c4a88de0ca122513ea8ddd306f9d

Link:

https://www.unpac.me/results/249d019e-67c8-4ade-b94a-aa6da0d1b671/

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f89d864f7d23/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/f89d864f7d2382e8e2e34c35ef0b435eb6fd3f1e43cc4c2a9e3d2e96faf452f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	RemusStealer_GoPayload Create hunting rule
Author:	burger
Description:	Detects RemusStealer Go-compiled payload

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/