MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90
SHA3-384 hash: 3fead9a2bb83ad66428ff3fae4955d0e745540fc61b63c55fa0a0a47b7ac850182a4d61a9af0a92082bd3c956dcfef84
SHA1 hash: 0418bdb8052101256304902f0512cc465c2599df
MD5 hash: 18d879244c26c3b3c581da022023a440
humanhash: maryland-foxtrot-massachusetts-william
File name:file
Download: download sample
Signature Vidar
Create hunting rule
File size:1'238'016 bytes
First seen:2025-10-15 04:00:21 UTC
Last seen:2025-10-19 04:00:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 596c731a06a10a876820fa1b72d1669e (5 x Vidar, 2 x StormKitty, 2 x Rhadamanthys)
ssdeep 24576:uznpKhmVmdWH1sVqWDeV2VolWKxE4corrDu:S4DdVokKxE4cornu
Threatray 11 similar samples on MalwareBazaar
TLSH T16E45F12691A6A2EFF19680B156459161B523BC6387395FEF82F0E7211D0BFD40F3E326
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe vidar


Avatar
Bitsight
url: http://178.16.55.189/files/7453936223/Qs3D6Fk.exe

Intelligence

File Origin
# of uploads :
10
# of downloads :
227
Origin country :
US US
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
virusvippro.exe.zip
Verdict:
Malicious activity
Analysis date:
2025-10-14 23:36:45 UTC
Tags:
auto metasploit framework arch-exec python github anti-evasion miner xenorat rat loader phishing venom generic purelogs stealer quasar njrat agenttesla rhadamanthys xworm donutloader tinynuke remcos amadey stealc katzstealer cobaltstrike backdoor tool redline botnet lumma payload snake keylogger bladabindi salatstealer coinminer diamotrix clipper neshta worm aurotun valley pdqconnect rmm-tool httpdebugger darktortilla crypter hijackloader masslogger vidar vipkeylogger telegram blankgrabber gcleaner rustystealer evasion xmrig pyinstaller arch-doc banker grandoreiro fileshare ngrok purecrypter
Link:
https://app.any.run/tasks/b5ff6d4d-7aa6-4f3d-aa6e-3030dd7cbd9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32846/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ef1c8797a16d00a8da1117
Tags:
virus agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
DNS request
Connection attempt
Сreating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Behavior that indicates a threat
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt darkcloud fingerprint microsoft_visual_cc packed stealer unsafe
Link:
https://www.filescan.io/uploads/68ef1c7e71883144ef37cc05/reports/8f413bf8-2548-4efa-93b9-120b44482c37/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-14T20:01:00Z UTC
Last seen:
2025-10-15T06:20:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Injuke.pdnk PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5da0da0e-febd-45cb-81fb-9b80eac8a7a7
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/18d879244c26c3b3c581da022023a440
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-10-15 02:03:28 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=77tsecu6d6yii775ozvr4dcbqlq5n3vebaqtpzkrrqokyoo656ia._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
2c3066d84a1942c8a7d0873d6863e47b73dca05a07283e52e567533447a7afc9
Vidar
38c8897f756e526dac34654b91f82e5b4d892e55bd3f80ff53f4bf5ae53f0955
Vidar
4dfc09bfab1e813c8122d6f8c3d83966346fe676464497ce100e8c385fe5e5f9
Vidar
64cad1ccb76a7413eaad9330f1e5ad44269c0b51098e83053bf0e13039f81b0d
Vidar
d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e
Vidar
d1bb18e8a3e4e3cbe08910ed8d92b970c936094059e3179b8f48c3f8df18853e
Vidar
e439378ca0ca70865ce01d9e795927bd542ee929db1671509555c4fc82c3e65d
Vidar
error
Vidar
ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90
Vidar
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/251015-ek648adz4e/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aa6965f3-fac3-43cb-ae9b-e92593657464
Unpacked files
SH256 hash:
ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90
MD5 hash:
18d879244c26c3b3c581da022023a440
SHA1 hash:
0418bdb8052101256304902f0512cc465c2599df
Link:
https://www.unpac.me/results/f5a94e4d-f264-447d-9208-9b410c2d7ac1/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ffe7220a9e1f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe ffe7220a9e1fb0847ffd766b1e0c4182e1d6eea4082137e5518c1cac39deef90

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/32846/
  
URLhaus
https://urlhaus.abuse.ch/url/3632233/

Comments