vidar | fc6004bd1c0e5fa19b08be45583a7fbc75f732df1467c722e8c52aa58ef1a9f1

Analysis

max time kernel
40s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2025, 22:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Setup/SoftWareGX.exe
Size

10.1MB
MD5

c57c72458776a0b6a653f6c828c229f2
SHA1

2f993c6a8499b360dec51240d0b6c5faff561c80
SHA256

d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6
SHA512

5678f7bf398e944d9d60876cb3dad8114c0ea71604488c72ba0f0e552629c5a231aa0b1be7b9459921486061656fa7741bd9b8379c457ae3db943d738bfb5cb0
SSDEEP

768:BQYZRf5c58TQppBw0t/9edP/IX6X/Ab0t/9eR:sdo/GX6Xk/R

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
14	5036	SoftWareGX.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 524	5036	SoftWareGX.exe	93

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftWareGX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "101"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	SoftWareGX.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5112	LogonUI.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2232	5036	SoftWareGX.exe	87
PID 5036 wrote to memory of 2232	5036	SoftWareGX.exe	87
PID 5036 wrote to memory of 2232	5036	SoftWareGX.exe	87
PID 2232 wrote to memory of 5048	2232	csc.exe	89
PID 2232 wrote to memory of 5048	2232	csc.exe	89
PID 2232 wrote to memory of 5048	2232	csc.exe	89
PID 5036 wrote to memory of 4592	5036	SoftWareGX.exe	90
PID 5036 wrote to memory of 4592	5036	SoftWareGX.exe	90
PID 5036 wrote to memory of 4592	5036	SoftWareGX.exe	90
PID 4592 wrote to memory of 716	4592	csc.exe	92
PID 4592 wrote to memory of 716	4592	csc.exe	92
PID 4592 wrote to memory of 716	4592	csc.exe	92
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93
PID 5036 wrote to memory of 524	5036	SoftWareGX.exe	93

C:\Users\Admin\AppData\Local\Temp\Setup\SoftWareGX.exe
"C:\Users\Admin\AppData\Local\Temp\Setup\SoftWareGX.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ru1imu0\4ru1imu0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0FC.tmp" "c:\Users\Admin\AppData\Local\Temp\4ru1imu0\CSC147648D995F74E9C893E5E2B127DE9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1mplrt00\1mplrt00.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD35D.tmp" "c:\Users\Admin\AppData\Local\Temp\1mplrt00\CSC9EACD959651146278F6078336BC18AF4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3901055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1mplrt00\1mplrt00.dll

Filesize
9KB

MD5
508a20d365d5f3c8bef22598b72a953e

SHA1
7e9c7d896b153174e32973408ffd9ee999e9e3b1

SHA256
5c785c7a5bae75f6b2bb61e1368fd6937601784b6f34975bee5bb402cf48575b

SHA512
02eb50891533fd5421aad7b6c752bad37e57101d115f179f2c606f8678b3f9d8dd81030fcafaef39e122d0cc77d2c523b277f202bdbeaabd8ace4aa1e74bd982

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ru1imu0\4ru1imu0.dll

Filesize
4KB

MD5
69035d7e8212f28e38d63202e7738d7d

SHA1
87c5e4cc6f1b9a747edbd1ecaf155d6caf29ba0a

SHA256
94473fd3ee2c160aaa618e9578688af4738f882a70b28d9e35869a31d0d4db6a

SHA512
71efbc8ab0ba08117833768f0fe6e4c90e454db273dccaa84553b795127baaceeab396619b70056fcf0aeb7065f12bc8a35ac265e09f0a98aa45b4ec126327d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD0FC.tmp

Filesize
1KB

MD5
cc33b7ef7cc1c98b15e3419fcebe08f6

SHA1
244a79406cfce11c5f467e6531fde4489ed7a1ec

SHA256
229818ef2d5c3fb11c8025a73607596db09b090b318f077e2142f76772055e19

SHA512
9ec4984effea0e281e0a88eb6985a395cb20a3b406194ef6adb42d56f169635cfbe30702ac233a7aaeed5ea043b78a68c4245af5b02af346d18d8a6482bdf12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD35D.tmp

Filesize
1KB

MD5
3f5e9bca86c96d807011833aaf6bf8f0

SHA1
1e28c7aa3fb5502bcbaf47a06e54d337e60d0fd6

SHA256
be075db49077376d97a77103fe121235224779d9c39e6854ffc82dc273b56b74

SHA512
dceecde1ceafed439df205f6206f02c6371fe809b8bc05baa964f9dce8e513bea78aa05740c42df155722535e75c8397b65e121f6e567a267a01d0fc9b2a1381

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1mplrt00\1mplrt00.0.cs

Filesize
10KB

MD5
25a541023591d6659fdf70b9b47cd680

SHA1
25f3f446a942ca92570839b264833caf8d1af545

SHA256
cd724f1cd5a32d624256313103ce9e63cb865cb3fb5b0aa887846f442c1da7cf

SHA512
384d91f089537a6b6966702f575da596eb3b8ceb664e054334cb9c6f584ea5dce777c9a8284293120f2d320c465f08be17d4ad46ff7e210648dd86c2cee17dea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1mplrt00\1mplrt00.cmdline

Filesize
204B

MD5
050d52f016f597651cf3555e24cc47f6

SHA1
58b0b034fb30aa03c24ac0c4ee0173ea5b1bc860

SHA256
681bb66e416d672cc363c18aa0fa64e0c69152b60f13ff64b36df1813e6e27db

SHA512
92ec4e0237cf32cd3de97c1096eaf518afa4730a08fed6fa032dc12954d7db801e86e6307991cb5032da3f8ad6579a3196ae42e2df0cb95427402c6505b840dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1mplrt00\CSC9EACD959651146278F6078336BC18AF4.TMP

Filesize
652B

MD5
88aecc0915787416f25aab6f4a40c870

SHA1
c5999932bed6d6a3b955114e976d65ac92610eea

SHA256
3741b96698ab25d527596a53e6beb7e5090d2e183a1888600c5fbc3393aa790b

SHA512
c52dca17ddbe0a26f8734ad1ec6c9f90c4daaf5c0e8a3f4b62cbddcb1dd64ba3a9d089b97a1959ac58ac6e2081934c21a140294343a97a6a9b4832dc447a328c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ru1imu0\4ru1imu0.0.cs

Filesize
694B

MD5
8f52226e13685580215f3824bffd89e3

SHA1
43cc11a72726078c87adfecef4de4afca17b486d

SHA256
91ed1efe34193539b51dbaabeff36493a3461ba8554b8f476b013e66d62d8f8f

SHA512
167e208379d1bfc81117a3905e5a72e8aa782fe7cb87b3b153467671d99ff5777d5470f8f883946174627708a3635ef6c0b97c7f34b77148a06f2bd4917117f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ru1imu0\4ru1imu0.cmdline

Filesize
183B

MD5
6a7238f88869271ea7fbbaaf45078668

SHA1
c3618daf19db279bb3300e0a5058f02f380758dc

SHA256
bccaa35f460265cd01dfc40cc737f8fc357bd18deffff183780048880cc347d9

SHA512
cf8fa39cccee82bd673b4522bdba243a696a399dcadbb46c9fb94f5d8cbb1ec14da8406e8e9f23c783ad195610646d51d7621ef9b8272f87c337d59db25ab005

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ru1imu0\CSC147648D995F74E9C893E5E2B127DE9.TMP

Filesize
652B

MD5
67ca1d974386bfe7c3d06c44db5a862e

SHA1
b188f57bc769c5fb6621b1e97b6e93542b59a25a

SHA256
ee52bf6bddd176992443c5c07203f0b450f04ac1247b38e21f5a9f044e25fb87

SHA512
68b2981c6a281fdf1e3db74560fd7291c46cff30184d89fefbc512d0d448671f84bcbacfeb1fb3bfa6da8fe3830acd0d5ad7ca77ea8489e9b781a45053a79871

Download Submit
memory/524-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/524-34-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/524-35-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/524-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/524-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5036-17-0x00000000059D0000-0x00000000059DE000-memory.dmp

Filesize
56KB

Download
memory/5036-15-0x0000000001B50000-0x0000000001B58000-memory.dmp

Filesize
32KB

Download
memory/5036-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/5036-5-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/5036-1-0x00000000006A0000-0x00000000010BC000-memory.dmp

Filesize
10.1MB

Download
memory/5036-30-0x00000000062B0000-0x00000000062B8000-memory.dmp

Filesize
32KB

Download
memory/5036-37-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download