Release V2.exe Stealer Vidar Analysis

Updated 1 year ago

Checked by Malware Check

Release V2.exe

Technical Analysis

File Name	Release V2.exe
File Type	PE32 executable (GUI) Intel 80386, for MS Windows
Scanner Version	1.0.211.174
Database Version	2025-03-24 06:01:14 UTC

⚠

Spy.Win32.Vidar.tr

Malware family: Vidar

Vidar is an information stealer that targets both personal data and cryptocurrency assets. It operates through keylogging, data extraction, and cryptocurrency wallet targeting. The malware silently collects valuable information and can access digital wallets to transfer cryptocurrency to attacker-controlled accounts.

N/A

Detection Rate

9,702,820

File Size (bytes)

2025-03-24

Analysis Date

Scan Another File

File Identification

Hash Type	Value	Action
MD5	d66a2cf99c5b51e32d5421e77e36eaf0
SHA1	c59dbdc27aa2d0121f34fbf1012ff588f5ecd35e
SHA256	fcb41b6beaad2db4ac83aec31f4382cf885d3e00ce49bd5e38e3b4b03909545c
SHA512	53ff96ac477b98845590a0ae1b68aaad5aee0ba76e4074e6037548688c9451856bc1857092d1d92cb0229cd34b8799436b031bc3bf9071d21c335cff4b652616
ImpHash	8c7bb6ca5cc13acbfbef6ed019375e6e

PE Analysis

Basic Information

▼

Icon	Hash: 965d59b29864f0495024a747b99ff929 Fuzzy: d0de38c7a9841b60b64a9cf9b7ed3986 dHash: dadadad2d6dce0ac
Image Base	`0x00400000`
Entry Point	`0x00401000`
Compilation Time	2021-12-21 10:37:31
Checksum	0x06a28057 (Actual: 0x0094b4d1)
OS Version	5.0
PEiD Signatures	`PE32 executable (GUI) Intel 80386, for MS Windows`
Digital Signature	The expected hash does not match the digest in SpcInfo
Imports	20 libraries
Exports	1 functions
Resources	360 Resources
Sections	13 Sections

Version Information

▼

CompanyName	AtomPark Software Inc.
FileDescription	Atomic Email Hunter (e-mail addresses extractor)
FileVersion	15.20.0.485
InternalName	emh
LegalCopyright	Copyright (c) AtomPark Software Inc., 2001-2021. All rights reserved.
LegalTrademarks	AtomPark, Atomic Email Hunter
OriginalFilename	AtomicEmailHunter.exe
ProductName	Atomic Email Hunter
ProductVersion	15.20
Comments	Main site with all our e-mail marketing software is www.massmailsoftware.com
Translation	0x0409 0x04e4

PE Sections

▼

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Characteristics	MD5
	`0x00001000`	15,687,680 bytes	4,081,664 bytes	8.00 (Packed/Encrypted)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`7DED47A5B16C705937176BF446867568`
	`0x00ef7000`	28,672 bytes	13,824 bytes	7.99 (Packed/Encrypted)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`7FFAE33CCAFDB35DCDC942EC75E0E3E9`
	`0x00efe000`	368,640 bytes	166,400 bytes	8.00 (Packed/Encrypted)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`888358F0502BDDE621158CF49F96BF99`
	`0x00f58000`	647,168 bytes	0 bytes	0.00 (Normal)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`D41D8CD98F00B204E9800998ECF8427E`
	`0x00ff6000`	20,480 bytes	18,432 bytes	7.99 (Packed/Encrypted)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`B1887A8BA34DAAB8586F6133A7596763`
	`0x00ffb000`	28,672 bytes	6,144 bytes	7.97 (Packed/Encrypted)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`4D02AC2052BDE7ADC4EA110A0E14D6C9`
	`0x01002000`	4,096 bytes	512 bytes	1.22 (Normal)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`25A7527BA3AE644AFF87F83DC8A5AF3B`
	`0x01003000`	4,096 bytes	0 bytes	0.00 (Normal)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`D41D8CD98F00B204E9800998ECF8427E`
	`0x01004000`	4,096 bytes	512 bytes	1.41 (Normal)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`D7D7D5EABB641A14F9D1B2A957FDA37E`
	`0x01005000`	1,355,776 bytes	0 bytes	0.00 (Normal)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`D41D8CD98F00B204E9800998ECF8427E`
`.rsrc`	`0x01150000`	2,670,592 bytes	2,667,520 bytes	6.12 (Normal)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`57D405423E76EF239F547BC64C6A38B5`
`.aehd`	`0x013dc000`	524,288 bytes	523,776 bytes	7.96 (Packed/Encrypted)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`BB25981D398849838808C0D1584CD1BA`
`.adata`	`0x0145c000`	111,750 bytes	108,032 bytes	7.95 (Packed/Encrypted)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`64E7C37EBE25F7F7DA9CA647C9120DE5`

Entropy Analysis Alert

7 section(s) with high entropy (≥7.5) detected - possible packing/encryption

Resource Analysis

▼

Total Resources: 360 (2,644,664 bytes)

Resource Type	Count	Total Size	Percentage
LANGS	1	63,947 bytes	2.4%
PNG	11	113,285 bytes	4.3%
TEXT	1	9,612 bytes	0.4%
UNICODEDATA	6	191,535 bytes	7.2%
RT_CURSOR	27	12,716 bytes	0.5%
RT_BITMAP	84	48,776 bytes	1.8%
RT_ICON	8	360,384 bytes	13.6%
RT_DIALOG	2	164 bytes	0%
RT_STRING	119	140,996 bytes	5.3%
RT_RCDATA	71	1,700,681 bytes	64.3%
RT_GROUP_CURSOR	27	540 bytes	0%
RT_GROUP_ICON	1	118 bytes	0%
RT_VERSION	1	1,196 bytes	0%
RT_MANIFEST	1	714 bytes	0%

Certificate Chain Analysis

▼

No Digital Signatures

This file is not digitally signed.

Security Implications:

Cannot verify the publisher's identity
Increased security risk when running this file
May trigger security warnings on some systems

⚠ This file either lacks a digital signature or the certificate chain could not be verified
Exercise caution when executing unsigned files from unknown sources

Certificate Verification Status

The expected hash does not match the digest in SpcInfo

Recommendation: Verify the file source and ensure it comes from a trusted publisher.

Spy.Win32.Vidar.tr Removal

Gridinsoft has the capability to identify and eliminate Spy.Win32.Vidar.tr without requiring further user intervention.

Download Anti-Malware

Removal Instructions

Follow these steps to completely remove the threat from your system

1
Get Gridinsoft Anti-Malware — it's a quick 2 MB download that won't slow down your PC.
2
Run the installer gsam-en-install.exe. The setup takes about 2 minutes and doesn't require a restart.
3
The app launches right after installation. You'll see the main dashboard with the scan button front and center.
4
Hit "Standard Scan" — this checks all the spots where malware typically hides: temp folders, browser data, startup programs, and system directories.
5
Once the scan finds this threat, click "Clean Now". The removal usually happens instantly, though some stubborn infections may need a reboot.
6
If you see a restart prompt, go ahead and reboot. This clears any malware that was running in memory and ensures your system starts fresh.

Important: Before You Start

Quick tip: unplug from the internet before scanning. Some malware phones home for instructions or downloads extra payloads when it senses trouble. If the infection is severe, boot into Safe Mode first — it limits what can run and makes cleanup easier.

Share your thoughts or insights about this file. Do you align with our conclusion?

Your feedback could influence our rating, and rest assured, your email will remain confidential and will only be used to communicate with you if necessary.

Signed in via Gridinsoft Portal · View profile

Your Score for

5 4 3 2 1

Gridinsoft Anti-Malware

Stay Malware-Free: Keep Your PC Protected with Gridinsoft Anti-Malware

Gridinsoft Anti-Malware offers just that—peace of mind with a robust, user-friendly solution that’s constantly updated to combat the latest threats. Designed by cybersecurity experts, it provides real-time protection and effortless malware removal. It’s not just about detecting threats; it's about enhancing your digital life with uninterrupted security. Give it a try and experience what it feels like to browse worry-free!

Gridinsoft Anti-Malware Download Now