Trojan:Win64/Vidar!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Vidar!rfn
Classification:
Type: Trojan
Platform: Win64
Family: Vidar
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) targeting the 64-bit Windows platform, family Vidar.

VDM Static Detection:
Relevant strings associated with this threat:
 - Vidar Version: (PEHSTR_EXT)
 - \TorBro\Profile\ (PEHSTR_EXT)
 - http://ip-api.com/ (PEHSTR_EXT)
 - *wallet*.dat (PEHSTR_EXT)
 - :Zone.Identifier (PEHSTR_EXT)
 - Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (PEHSTR_EXT)
 - walle*.dat2 (PEHSTR_EXT)
 - \pool.exe (PEHSTR_EXT)
 - \paster.exe (PEHSTR_EXT)
 - \uc.exe (PEHSTR_EXT)
 - iplogger.org (PEHSTR_EXT)
 - pix-fix.net (PEHSTR_EXT)
 - wo.php?stub= (PEHSTR_EXT)
 - gate1.php?a={ (PEHSTR_EXT)
 - qemu-ga.exe (PEHSTR_EXT)
 - SOFTWARE\VMware, Inc.\VMware Tools (PEHSTR_EXT)
 - HARDWARE\ACPI\RSDT\VBOX__ (PEHSTR_EXT)
 - cmd.exe /c start /B powershell -windowstyle hidden -command (PEHSTR_EXT)
 - x'.replace(' (PEHSTR_EXT)
 - ','').split('@',5); (PEHSTR_EXT)
 - gate1.php?a={bbed3e55656ghf02-0b41-11e3-8249}id=2 (PEHSTR_EXT)
 - ;cmd.exe /c start /B powershell -windowstyle hidden -command (PEHSTR)
 - Software\fuck\ (PEHSTR)
 - 1gate1.php?a={bbed3e55656ghf02-0b41-11e3-8249}id=2 (PEHSTR)
 - wo.php?stub= (PEHSTR)
 - \Mozilla\icecat\Profiles\ (PEHSTR_EXT)
 - \NETGATE Technologies\BlackHawk\Profiles\ (PEHSTR_EXT)
 - \TorBro\Profile (PEHSTR_EXT)
 - \Comodo\Dragon\User Data (PEHSTR_EXT)
 - \Chromium\User Data (PEHSTR_EXT)
 - passwords.txt (PEHSTR_EXT)
 - \Exodus\exodus.wallet\ (PEHSTR)
 - \Electrum-LTC\wallets\ (PEHSTR)
 - files\passwords.txt (PEHSTR)
 - files\outlook.txt (PEHSTR_EXT)
 - files\information.txt (PEHSTR_EXT)
 - \logins.json (PEHSTR_EXT)
 - screenshot.jpg (PEHSTR_EXT)
 - image/jpeg (PEHSTR_EXT)
 - /c taskkill /im  (PEHSTR_EXT)
 - Cookies\%s_%s.txt (PEHSTR_EXT)
 - \Electrum-LTC\wallets (PEHSTR_EXT)
 - multidoge.wallet (PEHSTR_EXT)
 - C:\\BCRYPT.DLL (PEHSTR_EXT)
 - C:\INTERNAL\REMOTE.EXE (PEHSTR_EXT)
 - \\signons.sqlite (PEHSTR_EXT)
 - recentservers.xml (PEHSTR_EXT)
 - \\Nichrome\\User Data\\ (PEHSTR_EXT)
 - \\Epic Privacy Browser\\User Data\\ (PEHSTR_EXT)
 - \\brave\\ (PEHSTR_EXT)
 - Cookies\\IE_Cookies.txt (PEHSTR_EXT)
 - files\outlook.txtfiles\\outlook.txt (PEHSTR_EXT)
 - PYWuI5\6DNrY\tEqJaSk\ON2K9ThJCLm (PEHSTR_EXT)
 - WINMM.dll (PEHSTR_EXT)
 - mastodon.online (PEHSTR_EXT)
 - t.me/hyipsdigest (PEHSTR_EXT)
 - \Wallets\ (PEHSTR_EXT)
 - \Telegram\ (PEHSTR_EXT)
 -  /f & timeout /t 6 & del /f /q (PEHSTR_EXT)
 - /c taskkill /im (PEHSTR_EXT)
 - \screenshot.jpg (PEHSTR_EXT)
 - .vmp0 (PEHSTR_EXT)
 - .vmp2 (PEHSTR_EXT)
 - "id":1,"method":"Storage.getCookies" (PEHSTR_EXT)
 - \Monero\wallet.keys (PEHSTR_EXT)
 - \BraveWallet\Preferences (PEHSTR_EXT)
 - /c timeout /t 10 & rd /s /q "C:\ProgramData\ (PEHSTR_EXT)
 - SOFTWARE\monero-project\monero-core (PEHSTR_EXT)
 - Software\Martin Prikryl\WinSCP 2\Sessions (PEHSTR_EXT)
 - climatejustice.social/@ffoleg94 (PEHSTR_EXT)
 - t.me/korstonsales (PEHSTR_EXT)
 - %s\%s\*wallet*.dat (PEHSTR_EXT)
 - indexeddb.leveldb (PEHSTR_EXT)
 - \Bitcoin\wallets (PEHSTR_EXT)
 - C:\Windows\System32\djoin.exe (PEHSTR_EXT)
 - ShellExecuteW (PEHSTR_EXT)
 - get_ExecutablePath (PEHSTR_EXT)
 - ://135.181.26.183 (PEHSTR_EXT)
 - Gecko /  (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Cryptography (PEHSTR_EXT)
 - Exodus\exodus.wallet (PEHSTR_EXT)
 - .themida (PEHSTR_EXT)
 - sdfkjnsdfkjlnk jhsdbfjshd (PEHSTR_EXT)
 - Tangram4.exe (PEHSTR_EXT)
 - Winapi.Qos (PEHSTR_EXT)
 - 1.Pack$231$ActRec (PEHSTR_EXT)
 - System.Win.TaskbarCore (PEHSTR_EXT)
 - AnyDesk Installer.exe (PEHSTR_EXT)
 - Ian.FrmMaze.resources (PEHSTR_EXT)
 - ;N/MY (SNID)
 - annotation.optimization.CriticalNative.module6 (PEHSTR_EXT)
 - HARDWARE\DESCRIPTION\System\CentralProcessor\0 (PEHSTR_EXT)
 - HttpAnalyzerStdV7.exe (PEHSTR_EXT)
 - HTTPDebuggerUI.exe (PEHSTR_EXT)
 - Wireshark.exe (PEHSTR_EXT)
 - PROCEXP64.exe (PEHSTR_EXT)
 - t.me/noktasina (PEHSTR_EXT)
 - 95.217.152.87 (PEHSTR_EXT)
 - \Downloads\%s_%s.txt (PEHSTR_EXT)
 - SnakesAndLadders.Properties.Resources (PEHSTR_EXT)
 - 9amous.Properties (PEHSTR_EXT)
 - fa3a1684336017.Resources.resources (PEHSTR_EXT)
 - final.Bridges.IndexerRepositoryBridge.resources (PEHSTR_EXT)
 - Qirhkrygb.Properties (PEHSTR_EXT)
 - bouling4feet_member.My.Resources (PEHSTR_EXT)
 - yKaRG.uWgba.resources (PEHSTR_EXT)
 - aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
 - 0Q71J1NOK1iWOFeGet.y9taJQZUm4w9i7QF6q (PEHSTR_EXT)
 - http://95.216.164.28:80 (PEHSTR_EXT)
 - softokn3.dll (PEHSTR_EXT)
 - nss3.dll (PEHSTR_EXT)
 - mozglue.dll (PEHSTR_EXT)
 - freebl3.dll (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows NT\CurrentVersion (PEHSTR_EXT)
 - sgfhjffkfffgdhjsrfhddfhfffaddsfsfssfcfgdb (PEHSTR_EXT)
 - niderlandsdll_clameup (PEHSTR_EXT)
 - gate1.php?a={bbed3e55656ghf02-0b41-11e3-8249}id= (PEHSTR_EXT)
 - .winlice (PEHSTR_EXT)
 - .Properties.Resources (PEHSTR_EXT)
 - micropatch2dll_compleate (PEHSTR_EXT)
 - I32.dll (PEHSTR_EXT)
 - e32.dll (PEHSTR_EXT)
 - believeintegrate.Stubs (PEHSTR_EXT)
 - cmd/Cicacls/setintegritylevelhigh (PEHSTR_EXT)
 - z5CJn0.Resources.resources (PEHSTR_EXT)
 - robubizeki_jo.pdb (PEHSTR)
 - .boot (PEHSTR_EXT)
 - PortScanner.Properties.Resources (PEHSTR_EXT)
 - Es.Resources.resources (PEHSTR_EXT)
 - t.me/odyssey_tg (PEHSTR_EXT)
 - CC\%s_%s.txt (PEHSTR_EXT)
 - Wallets\Chia Wallet\%s\%s (PEHSTR_EXT)
 - les\9375CFF0413111d3 (PEHSTR_EXT)
 - nwqbzjzpclbzkrckecmdcnuioxblrsmdyvyftosn (PEHSTR_EXT)
 - chia\mainnet\wallet (PEHSTR_EXT)
 - https://t.me/l793oy (PEHSTR_EXT)
 - t.me/solonichat (PEHSTR_EXT)
 - Autofill\%s_%s.txt (PEHSTR_EXT)
 - runtime.persistentalloc (PEHSTR_EXT)
 - \AppData\Roaming\FileZilla\recentservers.xml (PEHSTR_EXT)
 - wallet.keys (PEHSTR_EXT)
 - PAISDJSF8374JSKFHG5JGFL9SM (PEHSTR_EXT)
 - RDPCreator\obj\Release\RDPCreator.pdb (PEHSTR_EXT)
 - http://147.45.44.104 (PEHSTR_EXT)
 - CurrentVersion\Policies\System" /v "AllowRemoteRPC" /t REG_DWORD /d 1 /f (PEHSTR_EXT)
 - TAZRJSZMYHHADNVWNOMASQJOGTEXGEFCT (PEHSTR_EXT)
 - \Discord\tokens.txt (PEHSTR_EXT)
 - loginusers.vdf (PEHSTR_EXT)
 - Soft\Steam\steam_tokens.txt (PEHSTR_EXT)
 - information.txt (PEHSTR_EXT)
 - t.me/iyigunl (PEHSTR_EXT)
 - Monero\wallet.keys (PEHSTR_EXT)
 - _key.txt (PEHSTR_EXT)
 - New-ScheduledTaskAction -Execute $tempPath -ErrorAction SilentlyContinue (PEHSTR_EXT)
 - New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ErrorAction SilentlyContinue (PEHSTR_EXT)
 - Release\vdr1.pdb (PEHSTR_EXT)
 - vdr1.exe (PEHSTR_EXT)
 - SOFTWARE\monero-project\monero-cor (PEHSTR_EXT)
 - _cookies.db (PEHSTR_EXT)
 - _passwords.db (PEHSTR_EXT)
 - _key4.db (PEHSTR_EXT)
 - _logins.json (PEHSTR_EXT)
 - https://steamcommunity.com (PEHSTR_EXT)
 - https://t.me/ (PEHSTR_EXT)
 - \\Monero\\wallet0123456789 (PEHSTR_EXT)
 - \\BraveWallet\\P (PEHSTR_EXT)
 - *wallet*.* (PEHSTR_EXT)
 - *seed*.* (PEHSTR_EXT)
 - *btc*.* (PEHSTR_EXT)
 - *key*.* (PEHSTR_EXT)
 - *2fa*.* (PEHSTR_EXT)
 - *crypto*.* (PEHSTR_EXT)
 - *coin*.* (PEHSTR_EXT)
 - *private*.* (PEHSTR_EXT)
 - *auth*.* (PEHSTR_EXT)
 - *ledger*.* (PEHSTR_EXT)
 - *trezor*.* (PEHSTR_EXT)
 - *pass*.* (PEHSTR_EXT)
 - *wal*.* (PEHSTR_EXT)
 - *upbit*.* (PEHSTR_EXT)
 - *bcex*.* (PEHSTR_EXT)
 - *bithimb*.* (PEHSTR_EXT)
 - *hitbtc*.* (PEHSTR_EXT)
 - *bitflyer*.* (PEHSTR_EXT)
 - *kucoin*.* (PEHSTR_EXT)
 - *huobi*.* (PEHSTR_EXT)
 - https://t.me/l07tp (PEHSTR_EXT)
 - https://steamcommunity.com/profiles/76561199869630181 (PEHSTR_EXT)
 - \\Monero\\wallet (PEHSTR_EXT)
 - \\Discord\\token (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
=== END REPORT ===
This analysis was last updated on 19/12/2025.