user@threatcheck.sh ~ threat-analysis
$ analyze-threat Trojan:Win64/Vidar!MTB
Trojan:Win64/Vidar!MTB - Windows Defender threat signature analysis


$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Vidar!MTB
Classification:
Type: Trojan
Platform: Win64
Family: Vidar
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (a program that appears legitimate but performs malicious actions), targeting the 64-bit Windows platform, family Vidar.

Summary:

Trojan:Win64/Vidar!MTB is a critical information stealer designed to exfiltrate sensitive data including cryptocurrency wallets, browser information, and Outlook credentials. It communicates with command-and-control servers, targets specific file types, and incorporates anti-virtual machine checks to evade analysis.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat:
Filename: msedge_elf.dll
SHA-256: e552d929596b77dcb6b57256cc913cf43d4bd4b133da81c6dfc9d25af5f455fe
Date: 10/01/2026
Remediation Steps:
Immediately isolate the infected host and perform a full system scan with updated antivirus to remove all detected threats. Reset all potentially compromised credentials, particularly for cryptocurrency wallets and online accounts, and review the system for any signs of persistence or further compromise.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 10/01/2026. Do you want to analyze it again?