vidar | bd9f73e63ac57f56c23dda08edc1932fe8dfd33fde7e3d1a3014c881988eb1a7

Analysis

max time kernel
95s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a371d33f7b7305f15ac97f331b13ee3.exe
Size

1.0MB
MD5

8a371d33f7b7305f15ac97f331b13ee3
SHA1

957ed023f42215ec1034cd813d7047014d28b314
SHA256

bd9f73e63ac57f56c23dda08edc1932fe8dfd33fde7e3d1a3014c881988eb1a7
SHA512

95f08b4d40c5fced40b4f8a82823413639287912609c7aecac97e5a00bc07876bc059b5034516b70d8ad1f030d1f59d1e0fe28e974354ddbb6bbed2b76af547c
SSDEEP

24576:26FQppKd9CO9bjajGmd9XIvG3L9hqo3qXdFk7dW:JFem0OwjbdYBo3q40

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	8a371d33f7b7305f15ac97f331b13ee3.exe

Executes dropped EXE 1 IoCs

pid	Process
1444	Cet.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3312	tasklist.exe
2032	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LawyerUsd	8a371d33f7b7305f15ac97f331b13ee3.exe
File opened for modification	C:\Windows\BooleanDow	8a371d33f7b7305f15ac97f331b13ee3.exe
File opened for modification	C:\Windows\ExemptEvil	8a371d33f7b7305f15ac97f331b13ee3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a371d33f7b7305f15ac97f331b13ee3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cet.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1444	Cet.com
1444	Cet.com
1444	Cet.com
1444	Cet.com
1444	Cet.com
1444	Cet.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3312	tasklist.exe
Token: SeDebugPrivilege	2032	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1444	Cet.com
1444	Cet.com
1444	Cet.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1444	Cet.com
1444	Cet.com
1444	Cet.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2680	2308	8a371d33f7b7305f15ac97f331b13ee3.exe	86
PID 2308 wrote to memory of 2680	2308	8a371d33f7b7305f15ac97f331b13ee3.exe	86
PID 2308 wrote to memory of 2680	2308	8a371d33f7b7305f15ac97f331b13ee3.exe	86
PID 2680 wrote to memory of 3312	2680	cmd.exe	88
PID 2680 wrote to memory of 3312	2680	cmd.exe	88
PID 2680 wrote to memory of 3312	2680	cmd.exe	88
PID 2680 wrote to memory of 3080	2680	cmd.exe	89
PID 2680 wrote to memory of 3080	2680	cmd.exe	89
PID 2680 wrote to memory of 3080	2680	cmd.exe	89
PID 2680 wrote to memory of 2032	2680	cmd.exe	91
PID 2680 wrote to memory of 2032	2680	cmd.exe	91
PID 2680 wrote to memory of 2032	2680	cmd.exe	91
PID 2680 wrote to memory of 532	2680	cmd.exe	92
PID 2680 wrote to memory of 532	2680	cmd.exe	92
PID 2680 wrote to memory of 532	2680	cmd.exe	92
PID 2680 wrote to memory of 4184	2680	cmd.exe	93
PID 2680 wrote to memory of 4184	2680	cmd.exe	93
PID 2680 wrote to memory of 4184	2680	cmd.exe	93
PID 2680 wrote to memory of 2252	2680	cmd.exe	94
PID 2680 wrote to memory of 2252	2680	cmd.exe	94
PID 2680 wrote to memory of 2252	2680	cmd.exe	94
PID 2680 wrote to memory of 3148	2680	cmd.exe	95
PID 2680 wrote to memory of 3148	2680	cmd.exe	95
PID 2680 wrote to memory of 3148	2680	cmd.exe	95
PID 2680 wrote to memory of 5104	2680	cmd.exe	96
PID 2680 wrote to memory of 5104	2680	cmd.exe	96
PID 2680 wrote to memory of 5104	2680	cmd.exe	96
PID 2680 wrote to memory of 1248	2680	cmd.exe	97
PID 2680 wrote to memory of 1248	2680	cmd.exe	97
PID 2680 wrote to memory of 1248	2680	cmd.exe	97
PID 2680 wrote to memory of 1444	2680	cmd.exe	98
PID 2680 wrote to memory of 1444	2680	cmd.exe	98
PID 2680 wrote to memory of 1444	2680	cmd.exe	98
PID 2680 wrote to memory of 4724	2680	cmd.exe	99
PID 2680 wrote to memory of 4724	2680	cmd.exe	99
PID 2680 wrote to memory of 4724	2680	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\8a371d33f7b7305f15ac97f331b13ee3.exe
"C:\Users\Admin\AppData\Local\Temp\8a371d33f7b7305f15ac97f331b13ee3.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Tie Tie.cmd & Tie.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3080
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 815387
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4184
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Panasonic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Favors" Abstract
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 815387\Cet.com + Critics + Depot + Annie + Recordings + Niagara + Lawsuit + Wines + Fisheries + Newbie 815387\Cet.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Charm + ..\Injuries + ..\Grows + ..\Departments + ..\Directors + ..\Iraq G
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Users\Admin\AppData\Local\Temp\815387\Cet.com
    Cet.com G
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1444
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\815387\Cet.com

Filesize
2KB

MD5
c14a4f5e9313dbb3bc044b3a95065508

SHA1
c7afe60a6916c41b297edc1a78f3036b9d570e51

SHA256
8b781ebae289dbfbf97977d37b8737c83919e5f162bf9493e3163eeaa270ad9b

SHA512
de0b8063b1ef8355c7d30157176153f56a88361ec6ebf15f2033dbf1c1dc303bf690c580abfbd9b5d12c20e52b4dfa96fa70742a1340ef1838d4fda069bf6be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\815387\Cet.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\815387\G

Filesize
413KB

MD5
8868686bfe129151a52afe41f995d3b5

SHA1
e9c670a6afda1caf5fe3ddfa002d793386cb20ab

SHA256
e91967e04d2e5e1388ef2ed9181b8c256fd34b646d2399070b201ce1485f98a4

SHA512
9e05879903962970a093f9898f917d1021b3fe1c8bf28862e287dae46b0af05c4186372375e94a2acb3aecdf33a201b1b5d33a21d73b88ef3a45d491c5c186b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Abstract

Filesize
2KB

MD5
d10840751e0a294ee11e0450bd232a47

SHA1
a905f59e2ec8f077b9723c5328b8dddf9b1f20f2

SHA256
9845bd7b5fd111f587b32b6ad55dc7bdd7e8852996496692fb1484c91d579f4f

SHA512
1f424b9eadab3ef4498e90d8d7b907417ac00cc9572b4868b2ed135ff93fcb238bbb970244692c03a394f0e628c69170f5f084f3f4d27b5b00f2eed67b80ed2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Annie

Filesize
79KB

MD5
e6d406bd05c8db321adc09a238bedf53

SHA1
557bff6abb76bade8a916f06070fc6e5350d4f29

SHA256
2c13097367768e02990c4c30e9fad2c94ebe19d3c838d99b4c6c8571e4f7fa3b

SHA512
1987f3ce589964cf4c54c0ededfa36616904d9a2ec6cf44f0002416d990e0c684a842f1edfe1f8857f3f4086b84a191e8369691f31b6d88e8cc60f1822b45a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Charm

Filesize
87KB

MD5
33774683e002c9d308a7eaa73064d3fe

SHA1
87969186b30cdf8e340488cd059002c1c0d72dbb

SHA256
5b166dcd4a1da1c243f4bcdfabd93ff124d93ce39ab3e64d87c04facc7f78432

SHA512
87998cf377e5edc04a9d418703f9376d181315e9fc6cc59ed4149d02853c5b268acaf6cbfe04659f87bb357b6dc92c4618e3525e775eab5d547a6ac6b79d0ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Critics

Filesize
149KB

MD5
494e2eba945897eb01abab56fa927287

SHA1
184a417a02741a1466247dd60d581377fbfb3af7

SHA256
175ca3b8fbd3c54a11346bdd036eda9c53a46d2a4ab86e36c7ef17593c66f16b

SHA512
d2d1850bb745aa0f550a8e9b7f0312cf59896abe55eeebb8e7045ff732aba03e795bb5f9ec19a2b635933e2ec70de7ec60999ffe823c055e31ccf256bfa310ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Departments

Filesize
68KB

MD5
084b6760d8e226a42feb9fbdcd77ea55

SHA1
b4a3f108ac842f5d8f25acd7d3a7b93c58cfee03

SHA256
243add4c7568abb4d70cce1489b5efc8ea7d111372c21dc2086ffb7f757cfefc

SHA512
fc4ca11fde09bc0c7ceedbd8b63b20dbf96a56a31956540ec5ecc633fe2cbeff911cc0cf5e876bb0899579be19bc4ca0902db7ddea9fd55bf90c88e30072fd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Depot

Filesize
134KB

MD5
e1d862d66af8cb1aaf966d91d8594cbc

SHA1
05eb980d5051052b9ea11a68e51f71316f4d9796

SHA256
6a494123dd6d888e5a289e2c909ada840e565938471fede985c167383fafee1d

SHA512
ec66320115e1392c3903559bac717800e60126a98ed2d86ab049c2007dada3b078e5bdd19d22a5a1bc973c47a349d2b5959ee35da636bc7430b9f24c988dfd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Directors

Filesize
85KB

MD5
1057b095f8a3227bf6aa93821c56667e

SHA1
958461321fc256c82bf1f9b9aa0a31dd328eff75

SHA256
91a498b4e9304d70900168167bf37b45f438bd92174615b5842d5e6587413a03

SHA512
47b72fc26b052c37d977c59aa8f4a99f1a4fac46213015a209e40dd913e611fa176d28734b88e81f5aa90b53a124aa677f8461b2de4952d4c4365e09c017a579

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fisheries

Filesize
85KB

MD5
9f4261262f1253128f4ce76fa6f9338d

SHA1
f240731c7930173734fa61d522ec384e5cbc3ae5

SHA256
a269011d761210fa5f1f5a8e5568c6895a6ca43b18b086c7038e805bba8c779e

SHA512
1c946dd609053699e5e986a6035321ea233b559fd5fe963f231d605bdbaf5c869fa0e0ea97ed815c34d2eb441f13b6689cec2be46c2cf127643f1e9ba009e42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grows

Filesize
70KB

MD5
57443b57d554db2999c257de2de77439

SHA1
7d77bf34188fc318f059ccd8e275bca67a3e8a78

SHA256
536f964d2d8937d042a2ba643e4ed150fbc32ade053642f062c8773a86615d9e

SHA512
2ac47d9837c3fa21a2e4f4b9dd26bde383dcd4e19d5c67b8d9d8af5fa126f5706e5cf96919a71c8820e2879f2a9db35db92505bb04298da7a8b3c88e5698bb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injuries

Filesize
77KB

MD5
1cd4e67e615d9a9ad76c040323987d39

SHA1
24ccfdfaf1caeefd6c80250f6a4aa2546d5c7cd1

SHA256
429c0c99011d3457dc2232f004cb19297f542971d2d41484b898a9e9f3bee1bd

SHA512
75f66d041096443bb6d4cef25ed0294c0523185f6ac071cb0de3e5d475c5804952413e78ed1297387fedfa851799e23819adf30a2d50f3caadc5432631f1c624

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iraq

Filesize
26KB

MD5
8a0f3d9ace76565682b5e8941c0e315c

SHA1
107eeef736c261ad03ed85150567d8cfb300b83b

SHA256
daf067e6bd3c0166f768036e65a787320909e6dd8e9b4e4cca03066496683902

SHA512
1707f59a34d2ee5b04cae0eaab36f7025eb4d5b1f183fac2ee391c7d7af1aafa0200ca137314fcd42461f69fc1c26ca1d915b2aca3aba8206ba2b0cdd24fafa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lawsuit

Filesize
148KB

MD5
630e83455a4e83ec2f28889e3b73746d

SHA1
e192058507826a7dd9f853817bbd8c418560f081

SHA256
8ca44e9f2237d369794f46d7f5d7c9b51a09ddf3e339ae555516d4a5b99a7052

SHA512
46dcaf702dffac4d80c1cab5eb58849c84e85dff74ca71bcaa45d416a833b3b076c3e255d2c14ffcae934eb7caeecc48d03681ad7a3ed03862e573e455e2ca55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newbie

Filesize
19KB

MD5
2b21b224b76f69e6457569a560115ce2

SHA1
91efc806da4d9dd26ab2f3902deaa10c64592b2d

SHA256
97152059911b81c289d15c2b1a07e3b4e5e78792f0b1e1fd09c268be92ef24b6

SHA512
bf426464c355a157bda7cc45c75826c01fe06f34f9490b838460f8688bc36fef58cf5ed7578f5a9a7fe1ffbefcf23154663cb4557116ab20e15a26db9dc7ba4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Niagara

Filesize
76KB

MD5
fcbf81d001a01d5e8c65e3ad54c954b8

SHA1
89ac53426c250d6f91ba23273492313eb17b774f

SHA256
7415373e70527a923757725fb55f5a24af3de876b003ec6ef527db8b05815877

SHA512
6e14f63dc758807c46b44433823d38eaec352823745afb61da402b4e8142aab7e80a51957fce1ce05d519588de70dad87803ffedc78b9f0783bfd569f560531f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panasonic

Filesize
478KB

MD5
7460cb525b5781a877808275264fca69

SHA1
c5dd31d6a5e16c24f855e9c840f4b3666b3e7acc

SHA256
34a3ea0c9475b25846f7a30f5e7317ce0538f955b51506d251bdcc935d88c611

SHA512
e6c9dbf90615c9d4edd3315959568daf27c1adab41c8475ca274b0ab0026b339355bb0a7daac826f55878e671d2c35e6b61f80c077d4a135c314b5886b80e047

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recordings

Filesize
97KB

MD5
aecd05783ed0910d6fb1e75b0207791f

SHA1
170662edadf4d67aa8a2ac1a3bfa65fcc505bbc0

SHA256
06f11bd84a5639a14810162c5509dee46c03c1808157943d68cf20af9a185534

SHA512
609c4bca47eae9f8bdf5fa86f1370268845eccc47afae1efd3791342c9f07706466117449879d7d5ae6a25bede78439544a1e50ddd231ce764211ae3d0cbbfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tie

Filesize
16KB

MD5
886e66fe4003ee755cc17f7047e62d45

SHA1
3e8890714e2eab82d8e9434c631e315bbefae91e

SHA256
e4e0f262cd4e9f6100e74259a36869cc6d401e2dcd663ce1b71deeebdc52556f

SHA512
ea8439c6a3b0709063f45c6d3d89a5d75f94f696def8330a55fbd516b49e1b6163be492e4a79186a883458d07c9e1e218536114d571a23ee9b1b316670fef9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wines

Filesize
135KB

MD5
a3bcb165668d253563d45dbddb674b39

SHA1
9101c6c80a5645edd51296a8b89a629a8c7d7f46

SHA256
f8a623d4972d00b51929245e86d1ebf23ba5c9a7924535ae4909551730c13814

SHA512
4c19442a6a9ecc3b6d2c172c9089efc170ea5653df7fae59417667704c46eabd36c6d5538db88852dc5691bb060ee2ea2939e5e1a7c46694c1eeec2e7326e82c

Download Submit
memory/1444-422-0x0000000003E90000-0x0000000003EDB000-memory.dmp

Filesize
300KB

Download
memory/1444-424-0x0000000003E90000-0x0000000003EDB000-memory.dmp

Filesize
300KB

Download
memory/1444-423-0x0000000003E90000-0x0000000003EDB000-memory.dmp

Filesize
300KB

Download
memory/1444-426-0x0000000003E90000-0x0000000003EDB000-memory.dmp

Filesize
300KB

Download
memory/1444-425-0x0000000003E90000-0x0000000003EDB000-memory.dmp

Filesize
300KB

Download
memory/1444-427-0x0000000003E90000-0x0000000003EDB000-memory.dmp

Filesize
300KB

Download
memory/1444-428-0x0000000003E90000-0x0000000003EDB000-memory.dmp

Filesize
300KB

Download