vidar | c3aa0f5b7adb69290ddbbe8e2de12caea86f8b9fbebf7325ecde0405c4b99253

Analysis

max time kernel
13s
max time network
24s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-01-2025 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nix2crack.rar
Size

48KB
MD5

094884b9bd8de44ed4f4216bd44bd1fc
SHA1

15addd9c07a7f315803001649864516a5885d862
SHA256

c3aa0f5b7adb69290ddbbe8e2de12caea86f8b9fbebf7325ecde0405c4b99253
SHA512

8eefd1da51fd81c6d1cc12ad7a796e713648ae51f676b282c05d9e272fb38343669a13fa4b92cd5b4c26db5853d9c50014cffe03c4ccc4f628ed599dc5198ac5
SSDEEP

1536:WdV7jJZPDJNFc1f6E4M1mE1g6bk7pNEbIdJz:WdVfLFuAE1gcODz

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0028000000046190-4.dat	family_vidar_v7
behavioral1/memory/5352-11-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/3240-25-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1232-37-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/3752-51-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/5352-58-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 2 IoCs

pid	Process
5352	VacBypassInjector.exe
3240	VacBypassInjector.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VacBypassInjector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VacBypassInjector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5720	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5720	7zFM.exe
Token: 35	5720	7zFM.exe
Token: SeSecurityPrivilege	5720	7zFM.exe
Token: SeSecurityPrivilege	5720	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5720	7zFM.exe
5720	7zFM.exe
5720	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5720 wrote to memory of 5352	5720	7zFM.exe	89
PID 5720 wrote to memory of 5352	5720	7zFM.exe	89
PID 5720 wrote to memory of 5352	5720	7zFM.exe	89
PID 5720 wrote to memory of 3240	5720	7zFM.exe	92
PID 5720 wrote to memory of 3240	5720	7zFM.exe	92
PID 5720 wrote to memory of 3240	5720	7zFM.exe	92

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\nix2crack.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5720
- C:\Users\Admin\AppData\Local\Temp\7zO85630067\VacBypassInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO85630067\VacBypassInjector.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5352
- C:\Users\Admin\AppData\Local\Temp\7zO856F4887\VacBypassInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO856F4887\VacBypassInjector.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3240
- C:\Users\Admin\AppData\Local\Temp\7zO856DC3B7\VacBypassInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO856DC3B7\VacBypassInjector.exe"
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\7zO856ED1B7\VacBypassInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO856ED1B7\VacBypassInjector.exe"
  2⤵
  PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO85630067\VacBypassInjector.exe

Filesize
119KB

MD5
4c347d917a8377f19cb89a3aa94a94d9

SHA1
be2b5cd59c09ecf8a779197ca88ebb6722427159

SHA256
c6638f4e793b808e87b9b4a8c546a28c3bdd7f5b5eae2b33dcae7402a69f63f4

SHA512
4f0911229d1523630a07b46d1fb4249b48d3284f04f541668fb4f0d7762567f90304202a6785688712da70d28ea4554e7a229b1a0a9d4b20192a6f766b8ec15d

Download Submit
memory/1232-37-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3240-25-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3752-51-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5352-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5352-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download