vidar | 13848f74c576b1624b6b64dd556791a7b40b7fee6a0fa7ea6ce3f82c8cc98b2b | Triage

Submit
Reports

Overview

overview

Static

static

gg.ps1

windows7-x64

3

gg.ps1

windows10-2004-x64

Sharing

General

Target

gg.txt
Size

1KB
Sample

241219-ththnsvmhy
MD5

4c1d5a75dc7dbff21097fb5a63bedfec
SHA1

d3a9435b41227be9617e472adbcc60c93a970c1a
SHA256

13848f74c576b1624b6b64dd556791a7b40b7fee6a0fa7ea6ce3f82c8cc98b2b
SHA512

74770ffea4ef1b427a8dd06b61f2f11990cce7034ee29fcb29d5470c5628338aec6454503e7592b4c75e5fdac3f21f5e5a1f12c6b57c972cafa70bc558705968

Score

10^/10

vidar credential_access discovery execution spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

gg.ps1

Resource

win7-20240903-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

gg.ps1

Resource

win10v2004-20241007-en

vidar credential_access discovery execution spyware stealer

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://polovoiinspektor.shop/PolymerReload.exe

Targets

- Target
  
  gg.txt
- Size
  
  1KB
- MD5
  
  4c1d5a75dc7dbff21097fb5a63bedfec
- SHA1
  
  d3a9435b41227be9617e472adbcc60c93a970c1a
- SHA256
  
  13848f74c576b1624b6b64dd556791a7b40b7fee6a0fa7ea6ce3f82c8cc98b2b
- SHA512
  
  74770ffea4ef1b427a8dd06b61f2f11990cce7034ee29fcb29d5470c5628338aec6454503e7592b4c75e5fdac3f21f5e5a1f12c6b57c972cafa70bc558705968
Score

10^/10

execution vidar credential_access discovery spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

vidarcredential_accessdiscoveryexecutionspywarestealer

© 2018-2025

Terms | Privacy