vidar | 33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe
Size

865KB
MD5

e7c964e5bd52da0b4ff1e6543608cf27
SHA1

b369051de7f7bdf58411fb604eef85507965abf2
SHA256

33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48
SHA512

651dd8f2fc6c4e0c479a03111334b054a0ac0c466256e48880c5a27ce77ef0900bd9ccbe7c16607b1f4c9fa3efc4b387ddc3b371c415715025bc188fd218eb48
SSDEEP

12288:gCxr3SAoHl8uj7c8BNV0CW9TBBMtVIN+9exmPh0LguCifyV03qGs7ifbVpBgYeSa:gcrCAY8uj7nGPFLWVIN+9e5iUDTq/Shk

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/2852-614-0x0000000004460000-0x0000000004482000-memory.dmp	family_vidar_v7
behavioral2/memory/2852-613-0x0000000004460000-0x0000000004482000-memory.dmp	family_vidar_v7
behavioral2/memory/2852-612-0x0000000004460000-0x0000000004482000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	Surrey.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2936	tasklist.exe
4460	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EscortsNascar	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe
File opened for modification	C:\Windows\NavyPromising	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe
File opened for modification	C:\Windows\HonoluluSyndrome	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe
File opened for modification	C:\Windows\OxfordPrintable	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe
File opened for modification	C:\Windows\ViBases	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe
File opened for modification	C:\Windows\ImmediatelyBros	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe
File opened for modification	C:\Windows\TransferRare	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Surrey.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2852	Surrey.com
2852	Surrey.com
2852	Surrey.com
2852	Surrey.com
2852	Surrey.com
2852	Surrey.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	tasklist.exe
Token: SeDebugPrivilege	4460	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2852	Surrey.com
2852	Surrey.com
2852	Surrey.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2852	Surrey.com
2852	Surrey.com
2852	Surrey.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4892	4544	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe	83
PID 4544 wrote to memory of 4892	4544	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe	83
PID 4544 wrote to memory of 4892	4544	33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe	83
PID 4892 wrote to memory of 2936	4892	cmd.exe	86
PID 4892 wrote to memory of 2936	4892	cmd.exe	86
PID 4892 wrote to memory of 2936	4892	cmd.exe	86
PID 4892 wrote to memory of 1944	4892	cmd.exe	87
PID 4892 wrote to memory of 1944	4892	cmd.exe	87
PID 4892 wrote to memory of 1944	4892	cmd.exe	87
PID 4892 wrote to memory of 4460	4892	cmd.exe	90
PID 4892 wrote to memory of 4460	4892	cmd.exe	90
PID 4892 wrote to memory of 4460	4892	cmd.exe	90
PID 4892 wrote to memory of 4144	4892	cmd.exe	91
PID 4892 wrote to memory of 4144	4892	cmd.exe	91
PID 4892 wrote to memory of 4144	4892	cmd.exe	91
PID 4892 wrote to memory of 2376	4892	cmd.exe	92
PID 4892 wrote to memory of 2376	4892	cmd.exe	92
PID 4892 wrote to memory of 2376	4892	cmd.exe	92
PID 4892 wrote to memory of 1444	4892	cmd.exe	93
PID 4892 wrote to memory of 1444	4892	cmd.exe	93
PID 4892 wrote to memory of 1444	4892	cmd.exe	93
PID 4892 wrote to memory of 2712	4892	cmd.exe	94
PID 4892 wrote to memory of 2712	4892	cmd.exe	94
PID 4892 wrote to memory of 2712	4892	cmd.exe	94
PID 4892 wrote to memory of 4472	4892	cmd.exe	95
PID 4892 wrote to memory of 4472	4892	cmd.exe	95
PID 4892 wrote to memory of 4472	4892	cmd.exe	95
PID 4892 wrote to memory of 4240	4892	cmd.exe	96
PID 4892 wrote to memory of 4240	4892	cmd.exe	96
PID 4892 wrote to memory of 4240	4892	cmd.exe	96
PID 4892 wrote to memory of 2852	4892	cmd.exe	97
PID 4892 wrote to memory of 2852	4892	cmd.exe	97
PID 4892 wrote to memory of 2852	4892	cmd.exe	97
PID 4892 wrote to memory of 2276	4892	cmd.exe	98
PID 4892 wrote to memory of 2276	4892	cmd.exe	98
PID 4892 wrote to memory of 2276	4892	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe
"C:\Users\Admin\AppData\Local\Temp\33cab7cd9069c761a907a2498c2d496da5e9332412b13472710e774ca80c4b48.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Universities Universities.cmd & Universities.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1944
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 634977
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Gtk
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1444
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Constitution" Wagon
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 634977\Surrey.com + Firewire + Values + Expanding + Representing + Gothic + Voltage + Refinance + Nec + Kate 634977\Surrey.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Courage + ..\Remove + ..\Throws + ..\Competing Q
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4240
- - C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com
    Surrey.com Q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2852
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\634977\Q

Filesize
254KB

MD5
18d6ca5cd4425b2a59d0204845b3a313

SHA1
d40789e751f1df3d8b4a3589e3c0e46c73734982

SHA256
00f9508cfaa49cb06d23a766bcf7400a01d520e9c59ded5ee432445433dc92a7

SHA512
29d8a710c8268b73b131fb4b1e4a468d147664b0dc1e798a841b41ad205c388a19decc0e32afc35a3f5c507240b9b0aed079f862883e443191b71e3e76ac0c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com

Filesize
1KB

MD5
721798d5e898f7bf619731c63ce0f70a

SHA1
faf26b79b845215e5c82de71c599bf8f684ce196

SHA256
b4b3304e8577321119e5fc17941dc840d0c404ef23c901ca5dcb01fc107c860a

SHA512
6977c1fd046f727917ea195c85cc825f2a1aec1ae49a239c0dce8182c6d9f251b700927ed1c99000bfd1a21fe75e2b18c76939a440a57afb49f736eb3d215954

Download Submit
C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Competing

Filesize
43KB

MD5
d746b31bfc276902000f23e46ca7e00b

SHA1
28dedd273385b424355907e3b894564e384f4059

SHA256
abc00f6ea9b8e1cc8088ea704e592037fea434afd5fff489d90c30611324975b

SHA512
a5c3c89b5ecb45252a54bc720e0e03486d883f49b2403d0ca045a385d0853f90d1ffab15b5115d43afb273b66fd8cc0786a99244103bb79966ea9ef63d38fd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Courage

Filesize
84KB

MD5
7cd4bd9c45027736143df559673df306

SHA1
4080a3c2a9f6444185c1525fe4e619a2fe9f5576

SHA256
3b60082174b17222df87b064230a32fcfb079f9f2721bb0b5b7cd59111a45548

SHA512
05ca2a3abc8cecb2abd78cba89a46e41bff3f881efd57dbfd0adc079347de1f605121689e75c5aef2a545e40e1400c74193084b9055372e1ac8a886e23df5d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expanding

Filesize
56KB

MD5
fb1683f53f13b7dbe5db3aef09074e67

SHA1
04542e61c4f24a07e5fd2d24a093edf8bd5b0f59

SHA256
bb782d6a6b5a646a35eaa0ec09e17e48dbed725ec4e4b21358fa085f76baad65

SHA512
db7621e490a5a3886f63249e566a7d44a3b76c1ea61a936b3dbe90c9e59a2fed573d13122ce722a776ea58c04648691f0aecb992bb8cddc82cbf35912047b064

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firewire

Filesize
144KB

MD5
c6a95332417fbff1a331f58887c76a59

SHA1
f6661b22a4fbb12ad6cb3604018d680c21326ac5

SHA256
6c7f3899ebb6a5a63cf289a24cb0347f9b7b2183d6811addfab51b9b9f34d81e

SHA512
dd178687c6088259c2d441c61dfc53e7568227c0627976f65ab483bca58a2a5787b109a6580aae4b2901cca1d0fa4c61987ee971f350d409de030c5f3fcf0746

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gothic

Filesize
113KB

MD5
b24851fb189761252c2e60157aa349e9

SHA1
1c8950ab3ab3476f22ea451bf2d1d4c04a4b6e3b

SHA256
04b3af982173bc42e37ed4145162a79abaccef1914996fbde18aa377ee75f45d

SHA512
e08e4410b44dbf8264c71d17b3e24b38a0e0b5bd22d836eb617cfee89d0786af26f64b4ef862a1f9f4bf385ca49f1f80bffb4898d71b98f043f143c0377c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gtk

Filesize
476KB

MD5
7a6e2b31b9bf017af1dc514571165556

SHA1
30175d44711a4fae5de3783bb38d2d3dedb549d6

SHA256
5cbd6b08d52bd78a8d6fd160ff78005c194e4a356036a43af74bb01fb347f479

SHA512
3f9f68a4fa9e1dc5e2d2971c53e4f505c0171bc89566d793a328d34fe02a703101002bb55260f2b29d673e4910da34c4fb4b8d8817641a376ae0845e6b442927

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kate

Filesize
46KB

MD5
a0dcdce55a0627816c76cd3461759e39

SHA1
48e473e8e049f3ac258a629a3e6e8c6c5fc64867

SHA256
b395934f2de31fcb8309f6a5cba3d07cb5122380117d11b1f681c2d7c2b79976

SHA512
4721cbaf1e921fb4525b92e38b42b6370330e801b987b6a8fad1d78ad03fa480faaa8766566d47176eb2668aec7c70926ec3156f9a18e514838a9ade7b6f1858

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nec

Filesize
126KB

MD5
7607db05af8586a80dade4c8f1a86ad8

SHA1
54caefa7ddedc91c34b600f9b41be61593c56f68

SHA256
ca5148eff2fbb467e84ce97caff533293a07d8e76185feb4415736ef77502006

SHA512
e07bf419fc3526714297182e33f55f33f3f5848a549dd61399fc6f1d3a2db812a16b70898da4c4fa4ff6fcc747e32929318b2d8f1868b5e741706c15df147ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Refinance

Filesize
147KB

MD5
1fc300e7b135f7417a1978b287c3aed9

SHA1
70dcbfbfcd51fcea6f9ac25d00b3dfb000117b3f

SHA256
c7257e587eab697f7dd09f02193af3f6a9c1c4f298aa36182b574ac44dde65e2

SHA512
58a87e857a37641bff32687e68297fd51bd781b906b1ff629ff061bc57c69e6de6c14e9f9b0c41754639a0a60eeb1d0d1157c90f20342ef00c4ba5e045b07c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remove

Filesize
53KB

MD5
cc5fffb779a4f41e56566a7012584961

SHA1
51097e48414b2964cae865a5f6242277de41cd22

SHA256
80d298fc901763b121b1055474882f2dbc39023a90b2a07880917528ccefe710

SHA512
af32a70365feb383f4c3396a419cc7a79729b96a8fe77abc93c36d1d6d55757fc8fd51b8cfda7862f4512fbac375d94e6018793371cf98321f304cd68296e9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Representing

Filesize
131KB

MD5
f100c01d94625f55d67b50aa1e5de126

SHA1
273ac1108a9fce76270344b8140ebf30e1931702

SHA256
f726fe147bde8e66309e97ffc5a17bafb950e11552d41033b5f4d54b0df882f7

SHA512
082c22938fc0b45287cc096d0b0e6b85e37111737af2d38d91f96e2ebd80406127dfc6fe7d28fc96708b48c1c294ea6837c938e65489247b5017804a0d6008cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Throws

Filesize
74KB

MD5
2331dd69e6c3c1ecac03980021baa6df

SHA1
8f10c41f00e379c88e729b41641fd463833a0376

SHA256
3254c74935f6680e0236e1e1eba86001049c09cc2e13872d15da14850a608288

SHA512
45974b138ee7ba4a1560f3ccfa4223b44f1787b536005e8d1ebd97eba9a7dc7da1baf68b42e2673da87cf2d0473c731a7d85feb865e3b249648ebd624edccb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Universities

Filesize
25KB

MD5
ea5bb74e17f13a38198f152786e83aad

SHA1
39d4cd7c660a4de6aaab32365c4d557bee3f1e14

SHA256
6d85d7c342a3ba28411fa4c69983cfceea5df9c70835444052704644edead06b

SHA512
35d659b2c0571b7bf1de8e108f534faf14c66a03b27c2c49a8fa07369af7709a54351daec57a08142389fab575fbaaa9109405ae82096ce69826b61fb1e096b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Values

Filesize
105KB

MD5
ded93e90f58e2c9626a72ed4ba4404c2

SHA1
b8422e7d6714ebe06f2e0187fc3b50db32cd9a40

SHA256
5e95b7f0f61956416e514698ee7bc6adefaaf321276940b947ea4fce7b2df28d

SHA512
c7e0d00b1d286ced2d4598865f16a4ebd038295f176690421574d180cbe41e709af0808ff768d4e6f8c4f7691a1bc762b8cdf6b604def6742f13f2a255340a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Voltage

Filesize
55KB

MD5
8efbda5bb6164a66a1f120d8930da11b

SHA1
a1015e9d7078a246be522ac4b35f52a607c17782

SHA256
9104124ae4ad1d8c695959c01373d95e256cc15f71425b08d1f62cec180ac6f2

SHA512
c5d98d8d55265aca328b37018a836652dd2c9926c479950b9bf1217db761fec2d992e5daf64ec82f3322f891f2a2909fb2d78a0ad197458fe928b3f369c33b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wagon

Filesize
1KB

MD5
aceb4987ea23e89dc0ff759872b4150b

SHA1
d0afee14ceb4cd5b5b8a312fc59375099915a415

SHA256
e5c79f935df843f966f156b4af4f8705f43b51107ff046272bfbccbf2914be94

SHA512
26d1d78914e018bfa54be1bf347c1265e2b3009a1c988e43ac499644770a6b771dd427d0cf5c89c902e3728967feb6e96493f37da34c3ba8cfd86de8f9fda253

Download Submit
memory/2852-608-0x0000000004460000-0x0000000004482000-memory.dmp

Filesize
136KB

Download
memory/2852-609-0x0000000004460000-0x0000000004482000-memory.dmp

Filesize
136KB

Download
memory/2852-610-0x0000000004460000-0x0000000004482000-memory.dmp

Filesize
136KB

Download
memory/2852-611-0x0000000004460000-0x0000000004482000-memory.dmp

Filesize
136KB

Download
memory/2852-614-0x0000000004460000-0x0000000004482000-memory.dmp

Filesize
136KB

Download
memory/2852-613-0x0000000004460000-0x0000000004482000-memory.dmp

Filesize
136KB

Download
memory/2852-612-0x0000000004460000-0x0000000004482000-memory.dmp

Filesize
136KB

Download