vidar | 66028849a2e0c56e20bc6c17e7acf127cb7da54b8ca1c0eec303fbae79c72888

Analysis

max time kernel
94s
max time network
126s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-01-2025 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

989KB
MD5

f2432fdb07cac95c4481843ff0e77fd7
SHA1

edc08e196ee4ca14f9a57baeab6723cb42118ce3
SHA256

66028849a2e0c56e20bc6c17e7acf127cb7da54b8ca1c0eec303fbae79c72888
SHA512

a57c50ec93e8bab6c867866b382a1b467fa151da1f0d080a4c6fc8084f65e3d49123ea2e238ae43b3c0f685a77d860b71218682835314890652ac368631d9a3d
SSDEEP

24576:KU/4804Y0vqB0iIHTmjtghDrE3+Zu8BKghhTMveogJiEOB:e8FgB0iQCtg+b8KAZI7j

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Control Panel\International\Geo\Nation	random.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	Avoiding.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
976	tasklist.exe
224	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DpInvestigated	random.exe
File opened for modification	C:\Windows\PromotionalToken	random.exe
File opened for modification	C:\Windows\PropeciaJoan	random.exe
File opened for modification	C:\Windows\WestCornell	random.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoiding.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5068	Avoiding.com
5068	Avoiding.com
5068	Avoiding.com
5068	Avoiding.com
5068	Avoiding.com
5068	Avoiding.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	tasklist.exe
Token: SeDebugPrivilege	224	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5068	Avoiding.com
5068	Avoiding.com
5068	Avoiding.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5068	Avoiding.com
5068	Avoiding.com
5068	Avoiding.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4884	4840	random.exe	83
PID 4840 wrote to memory of 4884	4840	random.exe	83
PID 4840 wrote to memory of 4884	4840	random.exe	83
PID 4884 wrote to memory of 976	4884	cmd.exe	85
PID 4884 wrote to memory of 976	4884	cmd.exe	85
PID 4884 wrote to memory of 976	4884	cmd.exe	85
PID 4884 wrote to memory of 4524	4884	cmd.exe	86
PID 4884 wrote to memory of 4524	4884	cmd.exe	86
PID 4884 wrote to memory of 4524	4884	cmd.exe	86
PID 4884 wrote to memory of 224	4884	cmd.exe	88
PID 4884 wrote to memory of 224	4884	cmd.exe	88
PID 4884 wrote to memory of 224	4884	cmd.exe	88
PID 4884 wrote to memory of 3196	4884	cmd.exe	89
PID 4884 wrote to memory of 3196	4884	cmd.exe	89
PID 4884 wrote to memory of 3196	4884	cmd.exe	89
PID 4884 wrote to memory of 1340	4884	cmd.exe	90
PID 4884 wrote to memory of 1340	4884	cmd.exe	90
PID 4884 wrote to memory of 1340	4884	cmd.exe	90
PID 4884 wrote to memory of 1896	4884	cmd.exe	91
PID 4884 wrote to memory of 1896	4884	cmd.exe	91
PID 4884 wrote to memory of 1896	4884	cmd.exe	91
PID 4884 wrote to memory of 1964	4884	cmd.exe	92
PID 4884 wrote to memory of 1964	4884	cmd.exe	92
PID 4884 wrote to memory of 1964	4884	cmd.exe	92
PID 4884 wrote to memory of 1700	4884	cmd.exe	93
PID 4884 wrote to memory of 1700	4884	cmd.exe	93
PID 4884 wrote to memory of 1700	4884	cmd.exe	93
PID 4884 wrote to memory of 2896	4884	cmd.exe	94
PID 4884 wrote to memory of 2896	4884	cmd.exe	94
PID 4884 wrote to memory of 2896	4884	cmd.exe	94
PID 4884 wrote to memory of 5068	4884	cmd.exe	95
PID 4884 wrote to memory of 5068	4884	cmd.exe	95
PID 4884 wrote to memory of 5068	4884	cmd.exe	95
PID 4884 wrote to memory of 1948	4884	cmd.exe	96
PID 4884 wrote to memory of 1948	4884	cmd.exe	96
PID 4884 wrote to memory of 1948	4884	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4524
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 36469
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Geographic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1896
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "TEAMS" Mw
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\36469\Avoiding.com
    Avoiding.com L
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5068
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36469\Avoiding.com

Filesize
883B

MD5
e0462728d10a4c7e8d24bfe5ad14f4a5

SHA1
fcf827f4b02b7c5f9dddde21c087e5a632cea127

SHA256
b5db3690caa60ef9abd11d6e1f520705a61a981b6bcedb3cabd4652b9457f513

SHA512
028959647176f312a826df7ce7221425490d7f0c983a9019b7920e4a96479af7d9bf5189426f06ca1b1ec7dfd5a912b6149fe7d1fd04a44d2913939ac31ce596

Download Submit
C:\Users\Admin\AppData\Local\Temp\36469\Avoiding.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\36469\L

Filesize
413KB

MD5
5cf075139dbea15b8d43466ad0f462e4

SHA1
2c18854036f47dadb15721e7925a92f3157d911d

SHA256
93e87c6385829e6878efe848522582accf79ef306011e4c7ff4d5b414aadbac7

SHA512
a959c6fedb08b6064d3cbf6b8ad54b498405a52677d625a12a89b92268fb051df15cd739d6eba2e4436731ea0a25626e4d101d76472ae90ab7ca72a2d5e69ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Additionally

Filesize
121KB

MD5
196184062f217b1ee4bc3e1cd082194d

SHA1
d4f2277fad9f7152080468fc6426f22066afb969

SHA256
0db963dc202f62ddb40eb1b44133e2959c1986aefa60558186d026e3e73dd036

SHA512
8960df9dc8648b0720d242402019f122ce5e7d82b8a8bd08bfce9ae520147311ef47000b37e52ec7489d09461487573962661c3322102b6003ef7a6aa3b0a4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arbitration

Filesize
65KB

MD5
51ee3b59f2d75aa8436410e472797414

SHA1
fca65fcbaf05c853ade0e4a64e7ac393314b6b65

SHA256
8fa4002810e0dc5c3ca384b54e93a49eb21a3b1fab6700bf6b174740053f0a7f

SHA512
7245c7818b8cbed42387601ad5d0fb2e82549e95e903b240d73545a56e9e39c2db7dd44da3dcd476b1e454162d8e5b5be53cccda9893a6826b600b8c67177340

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celebration

Filesize
140KB

MD5
70b49061d3d2d035923b2fae2603027a

SHA1
8d2c2a7436d6a402ae6dc0eb94bae4bd19aa00a7

SHA256
04261ebbdd3d5868d5b9d14bb3d3b83e8ed2324df8116e8711aee0e5c8d87ba8

SHA512
d01f59d53dadbd5e0a1c4c6fcb9bef7cc0cf085bf17befa2e6b3ec3fedcb99667fa765852a6f9b68fd9bcf6868ca401340f8f96519ee3370a3221ebdad56f01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Centered

Filesize
87KB

MD5
065c79bd87ba612fafed19e46292461a

SHA1
47c22b8ee2a6c1895468b1558565f05c6e8fde1b

SHA256
ff53bfada5b1e72d63e014418a3b052c6b86f67cc45838e4fd508db333bff841

SHA512
754c4fcd369c97fb26f88d887cffb9cec2e9f185b19833e6e4e48e518f76abae09095150dbd034c2b73cc20f93ff4b829ec05ba1a5c7cf16c60712b8611ab5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Characterized

Filesize
59KB

MD5
2acc9e4a4f9b36882016df4c6b92a452

SHA1
cf2b86540ce24890f57d463ae29f21fb27eb8d0f

SHA256
feb0396ec05cf74b1a30fb37fdc521abfaafa91977dc915d3a3c405dba98c3e2

SHA512
12c9f46483d6c9779327e9bf0490392fd1b1e3b9a4e9463b1a464d4f13ed4d2270ca406abcde409da11247be2c43acf2eed364bb868244622b257b33990a0576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Collectors

Filesize
149KB

MD5
24ec42bc2e49e4704b8aa605c4867d8a

SHA1
9666c7ee196a51322a2d8742d27dc8798a172387

SHA256
04b613ab931f6f1d710dc7afd26a67374804524f55635ea5247e1d2f507cb422

SHA512
60fb14406708394352c74db29106a768a855cba6f04f55c021ea7908042cf90b73455c3ad2ecde1ba7e07f1949c416cdebeb12ee203450143c5baeb1b3a3b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Comics

Filesize
91KB

MD5
9506a47c8180beb01080feb604f759b8

SHA1
a91c6b59781c7e927f5eccbd78bffdd2a6f089a8

SHA256
16181729d36a55187fdc0676eb947cdf9e76f12fa0a26cb9751520efbe5faf71

SHA512
7c845effb688a24b9361c7c42bbc1386b3c04a9c22d689840bccbefdf3c4362ed70ef0ee3029671969c04eb321f319461b260f6de5ebca0935bcc917a26459c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Entries

Filesize
62KB

MD5
5350fec9430141a588801bdebd3d1e55

SHA1
bc0896edc7909334f6a48eb1ef1c73b7affcc9fe

SHA256
fb7ba0e0d9d7dfa6c6d2ee945bea51790611fa2b826db36ced6f5599cb7b0773

SHA512
3432f6d39813605cd33045c1c2773626c010827e5b019e652d5c1fc06cd72bb98024e7d0cf817656142a1ef57b8ba195b1350399de78f661af98549b44fcbc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flesh

Filesize
60KB

MD5
ef7e28192889b4b827fba17d8b4f0df1

SHA1
5c839a9769a736edaf69425fc13cef95a6cd9317

SHA256
a6fd8b35bd97fe198ac52518bf8f77a7bdf86fed87b344acaa0ee85d4d196f1a

SHA512
97ec984d3210f04bd82eddf41beac0cd2e1bc7806c2cf1797ae832b074a34f675c8239fdcf952ad404ed3c9021b1cd59c0dad54aa3ede5339ce1a628c866c149

Download Submit
C:\Users\Admin\AppData\Local\Temp\Geographic

Filesize
477KB

MD5
e5ef57c22315cd79a41923a265f75376

SHA1
8b7c2aa87dca8e636269c3e0b7b8db63ddb63cfa

SHA256
e3472bf000389ea74a7bc8b4ee93e39870558782844062d6c42bcc6fb691271d

SHA512
99e9ac97e65dd459afd4d57143645c5fa74e7570ee293fe76932635f194ab7e06884672beb5dc6f5e93fad30d9219a8927dda23f4239fe246027123c42d6b4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hood

Filesize
65KB

MD5
36875cf20a093095236cab0b17b682ec

SHA1
3efdf8c68a6868e5a1da64c93e1b2fa67f914f9b

SHA256
3f080fac1fa9b856a7d5c0e25eb26426d0fc2e7f7c6dcaf2fc428bd12e92d41e

SHA512
b40e640e057da5a76c023402d392a0e58bea3ac05f7ca6f49edfb1a7f38f17414638a24012f4cb74dc5e7151b17edda3c285b4d1620488c8926e4c5a4d78ffe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Investor

Filesize
13KB

MD5
aa7e9623ffdd0567d6b711dfa8a49791

SHA1
f1e12bf3a2ee0d42c8660a51832faf87e6150519

SHA256
762b8c8342c4ed0550d9b59b04582265197145e7cf37d6063d50e082aab86648

SHA512
e277089303d6c58c8ca1deaec46aecb543318968f8af8074988b6d724e0cf598ff548548c44f6b439b040f11de639a6613a3315796948dec311f636282309fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Japanese

Filesize
65KB

MD5
6c3bf929703cde7fe854d3ed9556557a

SHA1
8b3811720f4a4823052f5cdddb39fed519796d22

SHA256
2a30a1bfbb6fabd6a810ecfa48d4d231ef2635861f2e628626e436f5f56407df

SHA512
66f8278ddb15154bce7a62c87fc26c9cfd7f6814752fc250ea77e05d862787ec65883c00cbc8c008fecbcc5a94a9e52c293f00d3d2f990b07a4270e53ac18c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mw

Filesize
888B

MD5
84565538c82eef249bc5e4956307f274

SHA1
187e5c2697d4c50d15f07a8b3a4090cf35cfdb12

SHA256
c5d1c5c0915562f4800560449658afad60874297a51b4513945657fb38ec6d68

SHA512
6ed9b60a88edd475783aa0188821b6310045502713eb4d890bee5fe074458ddfbf816fde6f14985bb1789e6a168465eaf0c083dc21ed3726ec492658dca16e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Put

Filesize
71KB

MD5
61759b9899af7d6300bcd4d6ee9acf56

SHA1
570f7b32573e3f62efb8a060f21690339cd419bc

SHA256
c45b275d05e38ed38703650602e5ffe5fba338973d0a6806ba34d4533b7e8cae

SHA512
19a4ac84b7dd8ff201d2526e79d0ca2776363946af8f8f6a782c120124a45cdab778f9d747582d8cf3f01b03c02a107c4e622756ee469c7b91ab90e1efc6db49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ventures

Filesize
100KB

MD5
5a93e026f0bc5713cc26b060432cdca6

SHA1
a8790c3b716791cf6d59845298c0c91f05938d4f

SHA256
9179d0812aafa0fa28fa0eb7ee7048a302c2a3ec5bd2bc49b973e6fa6900574b

SHA512
58a5660c43a9a91a81fa826f1691b48ee309fccea00bfa894af1846328a2875b8ec31ec70e48cbcb9d57b480fa526dbdddde2bc7fb9babc1274d80121aac3a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visual

Filesize
116KB

MD5
50432200eb96bb2058eeb6e2337ebae7

SHA1
d9ecfa9f8db22dad0fbda2b8aec19f31014e55bf

SHA256
5f2b07379e1cc5057bda4a95aed04480e4f9decae9ae5e31552ed27718db32bf

SHA512
c046be6c12f35b4994a04354acae1d1d2b4767fb2a8367fc1562f0f081e17f987711c5b48474fdfa056f67e78234ed75559f0584c8c07a7110b0aa475ab1c111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Waters

Filesize
86KB

MD5
1e25271864651ea0707db49bbb61ee73

SHA1
6be32ffe7a33eb729479c63275e763816c8e0daa

SHA256
48a46cf4324f5ee8fca1e3a0151f9d3a9de7ae87807e69a4a90752494896e491

SHA512
8bb2df224358e5736474546ac38f05d548569a3148edc91bf9ea92767340d840088eef7670b946cf760389f57585ec9d240120c5176f433a05376eaa4788f1ac

Download Submit
memory/5068-65-0x0000000004900000-0x000000000494B000-memory.dmp

Filesize
300KB

Download
memory/5068-64-0x0000000004900000-0x000000000494B000-memory.dmp

Filesize
300KB

Download
memory/5068-66-0x0000000004900000-0x000000000494B000-memory.dmp

Filesize
300KB

Download
memory/5068-68-0x0000000004900000-0x000000000494B000-memory.dmp

Filesize
300KB

Download
memory/5068-67-0x0000000004900000-0x000000000494B000-memory.dmp

Filesize
300KB

Download
memory/5068-70-0x0000000004900000-0x000000000494B000-memory.dmp

Filesize
300KB

Download
memory/5068-69-0x0000000004900000-0x000000000494B000-memory.dmp

Filesize
300KB

Download