MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe0d2c8f9e42e9672c51e3f1d478f9398fe88c6f31f83cadbb07d3bb064753c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar
Vendor detections: 17



SHA256 hash: fe0d2c8f9e42e9672c51e3f1d478f9398fe88c6f31f83cadbb07d3bb064753c6
SHA3-384 hash: 3167b3f1e6044ff8ab0bab7f38f750f34abb337ac9a86279bf5e778d03338f05843fa32d18b3bf87766080e1b03394d7
SHA1 hash: 301241ad8d04a29bec6d43e00b605df4317f406a
MD5 hash: b6fff0854975fdd3a69fd2442672de42
humanhash: alanine-alaska-tennis-ack
File name: v7942.exe
Signature: Vidar
File size: 270'336 bytes
First seen: 2025-03-15 12:54:46 UTC
Last seen: 2025-03-15 15:42:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c20b211897fc2b6d9fa32b006a00ef15 (10 x LummaStealer, 2 x DarkCloud, 2 x Vidar)
ssdeep: 6144:IAJ0Ss90XARJi56I5pqUtE2NW2UYclVyqMvhm:IAJ0SiRi56Ow2UZAhm
Threatray: 25 similar samples on MalwareBazaar
TLSH: T13F44D01B73E130F8E5B78638C5550A06E7B2B4764721AF9F03A4865A2F232D19D3EF61
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: aachum
Tags: exe vidar


iamaachum
http://77.90.153.244/v7942.exe

Vidar C2:
https://t.me/g_etcontent
https://steamcommunity.com/profiles/76561199832267488
https://t.p.formaxprime.co.uk/
Vidar Botnet: e3a5dc9f3619e7e1987b9fcc98b49843

Intelligence


File Origin
# of uploads: 4
# of downloads: 461
Origin country: ES
Vendor Threat Intelligence
Malware family:
ID: 1
File name: v7942.exe
Verdict: Malicious activity
Analysis date: 2025-03-15 12:58:42 UTC
Tags: telegram stealer stealc vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 90.2%
Tags: malware
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm microsoft_visual_cc packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates / moves files in alternative data streams (ADS)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 1639385 (sample v7942.exe, start date 15/03/2025, architecture WINDOWS, score 100)
Threat name: Win64.Trojan.LummaStealer
Status: Malicious
First seen: 2025-03-13 23:26:29 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma family:stealc family:vidar botnet:default botnet:e3a5dc9f3619e7e1987b9fcc98b49843 credential_access discovery persistence spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Stealc
Stealc family
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/g_etcontent
https://steamcommunity.com/profiles/76561199832267488
https://citywand.live/api
https://crosshairc.life/api
https://smrodularmall.top/api
https://jowinjoinery.icu/api
https://legenassedk.top/api
https://htardwarehu.icu/api
https://cjlaspcorne.icu/api
https://sqbugildbett.top/api
https://weaponrywo.digital/api
http://77.90.153.241
Verdict: Malicious
Tags: stealc
YARA: n/a
Unpacked files
SHA256 hash: fe0d2c8f9e42e9672c51e3f1d478f9398fe88c6f31f83cadbb07d3bb064753c6
MD5 hash: b6fff0854975fdd3a69fd2442672de42
SHA1 hash: 301241ad8d04a29bec6d43e00b605df4317f406a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Vidar
Executable exe fe0d2c8f9e42e9672c51e3f1d478f9398fe88c6f31f83cadbb07d3bb064753c6 (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                              | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                               | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF)    | high

Reviews
ID                 | Capabilities                   | Evidence
WIN32_PROCESS_API  | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API       | Uses Win Base API              | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API  | Can Execute other programs     | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API    | Can Create Files               | KERNEL32.dll::CreateFileW
