vidar | d77648c1e78a6080111047b0fc08d40f6d4c7017171a57abb26fc442c5831e8e

Analysis

max time kernel
93s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-12-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PolymerReload.exe
Size

1.1MB
MD5

dc5dd4bb664c7a5b89adb87740f410aa
SHA1

3530be832f3878c9227a1ca3166c35eba433bd76
SHA256

d77648c1e78a6080111047b0fc08d40f6d4c7017171a57abb26fc442c5831e8e
SHA512

e9e8813d7611c5df146f4cbc415369b288d045393ef3683fc413152aa40b3ecea34ff7cdcdf75e1f18b7a11ec48f647f65c466d154a1cbc722bf996398d8a194
SSDEEP

24576:vGqopk4iczQjL7oadlnrzZFeOhRxMTZBHNyQtSB8xwskz0aXlgq6oVxRkyLGPiWt:+qhpczQjnoAhsCvMTZDIB8x4zp6wx9E

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Signatures

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/memory/4888-309-0x00000000041F0000-0x0000000004429000-memory.dmp	family_vidar_v7
behavioral1/memory/4888-310-0x00000000041F0000-0x0000000004429000-memory.dmp	family_vidar_v7
behavioral1/memory/4888-319-0x00000000041F0000-0x0000000004429000-memory.dmp	family_vidar_v7
behavioral1/memory/4888-320-0x00000000041F0000-0x0000000004429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 1 IoCs

pid	Process
4888	Columbus.com

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2872	tasklist.exe
4320	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\FavoritesCategories	PolymerReload.exe
File opened for modification	C:\Windows\KingstonEfficiency	PolymerReload.exe
File opened for modification	C:\Windows\NovelsTears	PolymerReload.exe
File opened for modification	C:\Windows\ParticipantsOnes	PolymerReload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Columbus.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolymerReload.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Columbus.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Columbus.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4692	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	tasklist.exe
Token: SeDebugPrivilege	4320	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4888	Columbus.com
4888	Columbus.com
4888	Columbus.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 8	4804	PolymerReload.exe	77
PID 4804 wrote to memory of 8	4804	PolymerReload.exe	77
PID 4804 wrote to memory of 8	4804	PolymerReload.exe	77
PID 8 wrote to memory of 2872	8	cmd.exe	79
PID 8 wrote to memory of 2872	8	cmd.exe	79
PID 8 wrote to memory of 2872	8	cmd.exe	79
PID 8 wrote to memory of 3640	8	cmd.exe	80
PID 8 wrote to memory of 3640	8	cmd.exe	80
PID 8 wrote to memory of 3640	8	cmd.exe	80
PID 8 wrote to memory of 4320	8	cmd.exe	82
PID 8 wrote to memory of 4320	8	cmd.exe	82
PID 8 wrote to memory of 4320	8	cmd.exe	82
PID 8 wrote to memory of 4520	8	cmd.exe	83
PID 8 wrote to memory of 4520	8	cmd.exe	83
PID 8 wrote to memory of 4520	8	cmd.exe	83
PID 8 wrote to memory of 768	8	cmd.exe	84
PID 8 wrote to memory of 768	8	cmd.exe	84
PID 8 wrote to memory of 768	8	cmd.exe	84
PID 8 wrote to memory of 2324	8	cmd.exe	85
PID 8 wrote to memory of 2324	8	cmd.exe	85
PID 8 wrote to memory of 2324	8	cmd.exe	85
PID 8 wrote to memory of 4860	8	cmd.exe	86
PID 8 wrote to memory of 4860	8	cmd.exe	86
PID 8 wrote to memory of 4860	8	cmd.exe	86
PID 8 wrote to memory of 4888	8	cmd.exe	87
PID 8 wrote to memory of 4888	8	cmd.exe	87
PID 8 wrote to memory of 4888	8	cmd.exe	87
PID 8 wrote to memory of 1496	8	cmd.exe	88
PID 8 wrote to memory of 1496	8	cmd.exe	88
PID 8 wrote to memory of 1496	8	cmd.exe	88
PID 4888 wrote to memory of 2436	4888	Columbus.com	89
PID 4888 wrote to memory of 2436	4888	Columbus.com	89
PID 4888 wrote to memory of 2436	4888	Columbus.com	89
PID 2436 wrote to memory of 4692	2436	cmd.exe	91
PID 2436 wrote to memory of 4692	2436	cmd.exe	91
PID 2436 wrote to memory of 4692	2436	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\PolymerReload.exe
"C:\Users\Admin\AppData\Local\Temp\PolymerReload.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Physiology Physiology.cmd & Physiology.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3640
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 390216
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Enter" Cox
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Telephony + ..\Ignore + ..\Residential + ..\Masters i
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860
- - C:\Users\Admin\AppData\Local\Temp\390216\Columbus.com
    Columbus.com i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\390216\Columbus.com" & rd /s /q "C:\ProgramData\26FU3EKF37QI" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4692
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\390216\Columbus.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\390216\i

Filesize
285KB

MD5
d50bfc4cfc93e4a13504bac07c9faa06

SHA1
4df7f36e735e4e7c3cedeada4e9db03e92f97da2

SHA256
800c00065760459ff7a2c4ae376fc9e4f29d508002fad2f282f7f2fe65d0d182

SHA512
bf139129910e598f02264aabf6d7544f5083ac3fdaf7eec245b1399ca028058ddca7dc4e496127a035498d8390a7984ecf232d3ca86159c091937d0b5c4bec08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bridge

Filesize
93KB

MD5
ca085e5e19e253169916cb633afa2c93

SHA1
99294155640139022ec331f398521374cbebb15f

SHA256
74e2066c07e0dd365b14b8bfdc98cb01c9429828874bb6effe53aca22cb7ee58

SHA512
09e6523c3876642f23bd68c3ea54e0d6d42763a9e41efa168a731f8ea4a02852a49f69ac97bed4f4198231f2b4a60891af41d46de3a397003d53024ba7be9af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Card

Filesize
138KB

MD5
f0a36b149eb13b57f8599709ef945f81

SHA1
ba4a8b590bb2571fc68781f6c8fd158046df4e8b

SHA256
c17aaaab08817fc25a41cafdff0e372485fd643b7fa3f453a03d9425fe642d48

SHA512
27a25cde2b7ff930e836368f6e5a28602f4ac4fd74addad621da2f15d8e960ecc5c4ebcaa582939e3799f3d70483b48ef303ed1ec8177ea1f4b4eceb53431fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Classified

Filesize
111KB

MD5
262c429fd93fcfc2e4d4e3d61a2176d7

SHA1
2723e9983128d0eb156a3dd39ee982c55891e4dc

SHA256
affa77b019ce8187b97a5f69f48506ed199678e8096ebf40a88202ba8b30893a

SHA512
64825f5900e6094f9b446b352c72d6905ba9d42f29967474346d847927a5ba5a015344ab58ff9fe9db22243b41cffee72da05a0ede92b2a584ed241c8038bc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cooperative

Filesize
51KB

MD5
f499d3545caf3a627a86bb1da506a0bf

SHA1
7b5544df8d88e1aaa7474b5b6ca55267b9c1f01a

SHA256
e88b87c95a125202447b8e89ae6bce9bf457213ea2df56b9ee44dc52cf7866cd

SHA512
64830fc0d8763b295d13de4f58f535e3a96c68094f490264f2a155ee8fb66ea250dfde3079e526a2462963dc10b9b2f31b57c02e40239345bf8ab1fba2f48841

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cox

Filesize
1KB

MD5
76e4e89bf684851551fc8bd71d6ca3c2

SHA1
a717fda4d40abaffbf26ed18af5960a032d2f671

SHA256
90eccc6ea68e1d94c2c805ac08414ec52b40e2fc6f58fea56ab98b5f9ddc8261

SHA512
6446180fae5bb83943cd02c3cd9e7134decd76ab136f3ef7951e78ad8c86fe16a2d8580047a5d794835f8321904ca8ea4fa723d043e44c30d8d66e1b033414d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enemy

Filesize
87KB

MD5
be3a31e5a4a93cbeb05b408f98050358

SHA1
d888a6b68d6a1e4bc81f6d38aa6db672d3f6345b

SHA256
4aada48ba766c76478bfdfb1bede0b000516a66d12cd908b5e6e106fdf8d2f91

SHA512
4fa011fba828704609a05c6de73931282b711bf92002597fc8530e87fabd6282536f1585127fdb7f05ea5d3c0b9bc279abd7a291e5756cadf546baf7e8fe3d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Growing

Filesize
114KB

MD5
2f00a26b7d4abd72863f04bf74c4f43b

SHA1
bb7f08545e77bfe825bcbd0a3804ef6354accefe

SHA256
2100a2d794872e26355b0ebb35e20489bfe762706ec47e5ced411560853aa394

SHA512
fb80654476addf732cf3362585115380a5a4723a45f61bd35c8a47b1d5a9a839b7d0dda6e869b0fbc4e6acf085321f6b816f846c77f8459ec939d8240b381c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hurricane

Filesize
135KB

MD5
17466a3250859da0fcd50b639a581e38

SHA1
c06417abc69ed49076279b679e1e008c750afa67

SHA256
6e70c9b0e1b324bc454b0ff84b951072e6798c2ab08305ffd6b2712b3f4d5732

SHA512
7954f93b3fa3b78eb93016c879069e1be4e282201c1f2005acac47e00e118c4fc58d59c272440699797c6e2a019a15f72a5256a26588fd279c738579e54a1fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ignore

Filesize
85KB

MD5
01a4f681243d2cadc74bd9879974e17d

SHA1
85c004e8ae35c80b909d2738bb31694fb431469c

SHA256
89b17825b2e6386cdc39b0936a41313a45c406ffa58c38842124357cc5d4e40e

SHA512
95ffd5d481907c6361f09a9b2ba8765d630644f758b60834b18a6a85d90914e4b58a8abc1a22456fa4b5f395b6a19e6eeebb4fda17f6385b6b7fc4b8d3ee5821

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mar

Filesize
100KB

MD5
669374cb80d133b19215fbcf4216fb33

SHA1
cca218bad3324a2f427909f8946f73a972535baf

SHA256
ffd1a789ad8b400a1e8ab25c378df800b40458037a05a532cb385b87ada69551

SHA512
6268aea10dfb69570c3c062ab554c56f20f25f31baca58c364e47c15e50fcbf02d1e2253daf25389614f18fd47f311993036d28e3669d2c0e15bacd941da6333

Download Submit
C:\Users\Admin\AppData\Local\Temp\Masters

Filesize
69KB

MD5
15153a8f88836a0894aeb0cda8eebbc7

SHA1
b3081cd10449186a6b530d33a6af07e0b605a0cc

SHA256
ba83e9b9334670c1e4e4a57799093764f4752794e04526522445225ada497862

SHA512
b7375272220dd4065ce70ec8869a0f2438cc1b5358eff2d376432e2576444ad9151c5030fec11eff85e35f7b1dd87376424455e1129301e354479e2f70cc5efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Notebook

Filesize
94KB

MD5
75b34ad87ca3d160c6f0f13a095a0208

SHA1
c7aa80a1121bbe727c1606d085a80cd32df74afc

SHA256
2277b91195da657200c3acc57549947386b5d259f5b5df53670018609555ae54

SHA512
cc7741310d487b2731ae8efe8da8ebfb72650f63b94df7416303ccd090535d98ce96670361108f72d6ae7b4e2f6f23ab74d4c7b8d4e2d633fd210cb5e88af3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Physiology

Filesize
11KB

MD5
a1bedd2aba677e9860ae8c479493dd3d

SHA1
147f198fbcab5bd8f8a7e692419008e441009311

SHA256
27df28d589676374d7dcfd74c61a09271983a2ef35e3f99bda8010466b45fd32

SHA512
eff4342247bfb25cf8f26ab336582c85b6beb89b38aacd4195beaecdee059fc4abd00be196e5ac0e592de22c4e4ddd68c4dd18180247cd6e989fb302f0380025

Download Submit
C:\Users\Admin\AppData\Local\Temp\Residential

Filesize
76KB

MD5
2bf504f0f2152a7c1dbe41e84ba8f161

SHA1
48d5766f8e45de643ef813a6c16ee8987e57ed2b

SHA256
baa6ef1aed55fe08d07817920242ab42fd92d2491a8c5109dc3d7ff3553a3fc8

SHA512
1290c03543ec6c9289bfafd102316f9541422afea48697b36b522bb6ea3294ca88292c57c9b0cc2dcb47bbfa3ceb9c67c106ec38e11a10804e03c2a7faf15739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Telephony

Filesize
55KB

MD5
7a492c1ee6f21e5cdfb7da8aa9386388

SHA1
c64be5a5a31f704b8328d67440e22ec5c3d1e8af

SHA256
030847c8d85d6faf5ccfe613d606eb6565d089dc2ac223a5193e97217b49d069

SHA512
5213dd4d03f029be7ae9871a53ba111bcad978f634941ec85dd24eefe564f14d3bc1500996009d135add02515fae37eb4b0d51c006ea5fee001997c962c03892

Download Submit
memory/4888-306-0x00000000041F0000-0x0000000004429000-memory.dmp

Filesize
2.2MB

Download
memory/4888-307-0x00000000041F0000-0x0000000004429000-memory.dmp

Filesize
2.2MB

Download
memory/4888-305-0x00000000041F0000-0x0000000004429000-memory.dmp

Filesize
2.2MB

Download
memory/4888-309-0x00000000041F0000-0x0000000004429000-memory.dmp

Filesize
2.2MB

Download
memory/4888-310-0x00000000041F0000-0x0000000004429000-memory.dmp

Filesize
2.2MB

Download
memory/4888-308-0x00000000041F0000-0x0000000004429000-memory.dmp

Filesize
2.2MB

Download
memory/4888-319-0x00000000041F0000-0x0000000004429000-memory.dmp

Filesize
2.2MB

Download
memory/4888-320-0x00000000041F0000-0x0000000004429000-memory.dmp

Filesize
2.2MB

Download