vidar | d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01/02/2025, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

10.1MB
MD5

c57c72458776a0b6a653f6c828c229f2
SHA1

2f993c6a8499b360dec51240d0b6c5faff561c80
SHA256

d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6
SHA512

5678f7bf398e944d9d60876cb3dad8114c0ea71604488c72ba0f0e552629c5a231aa0b1be7b9459921486061656fa7741bd9b8379c457ae3db943d738bfb5cb0
SSDEEP

768:BQYZRf5c58TQppBw0t/9edP/IX6X/Ab0t/9eR:sdo/GX6Xk/R

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
4	1924	random.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2928	1924	random.exe	36

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	random.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2308	1924	random.exe	30
PID 1924 wrote to memory of 2308	1924	random.exe	30
PID 1924 wrote to memory of 2308	1924	random.exe	30
PID 1924 wrote to memory of 2308	1924	random.exe	30
PID 2308 wrote to memory of 2104	2308	csc.exe	32
PID 2308 wrote to memory of 2104	2308	csc.exe	32
PID 2308 wrote to memory of 2104	2308	csc.exe	32
PID 2308 wrote to memory of 2104	2308	csc.exe	32
PID 1924 wrote to memory of 2904	1924	random.exe	33
PID 1924 wrote to memory of 2904	1924	random.exe	33
PID 1924 wrote to memory of 2904	1924	random.exe	33
PID 1924 wrote to memory of 2904	1924	random.exe	33
PID 2904 wrote to memory of 2812	2904	csc.exe	35
PID 2904 wrote to memory of 2812	2904	csc.exe	35
PID 2904 wrote to memory of 2812	2904	csc.exe	35
PID 2904 wrote to memory of 2812	2904	csc.exe	35
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36
PID 1924 wrote to memory of 2928	1924	random.exe	36

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aeb30fkl\aeb30fkl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA45A.tmp" "c:\Users\Admin\AppData\Local\Temp\aeb30fkl\CSC4BAA050D77144D7AA288FF23A783AC2D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zdn3w10w\zdn3w10w.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB05B.tmp" "c:\Users\Admin\AppData\Local\Temp\zdn3w10w\CSCE7BA551D17774E07B686889431B74725.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\76561199820567237[1].htm

Filesize
34KB

MD5
0c0762bf7c98108f7b05eb3d5a2e3583

SHA1
373533f4685b68f76cd71048a421b66507a42a63

SHA256
f5b594acc56ac9ed6d26272dddc904719e1cfe1d54e16e8a475acb4c62775dbb

SHA512
fc7dd0b7eb296302fe0aed910d6ecaff887bbb10e9ece820393be0a8e37a350cb2bdc9975e989b0c22a634244cd5885d2e7d8c88ae14939f0cc2db10795e7346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\76561199820567237[1].htm

Filesize
25KB

MD5
1765d372a2139dc208fbc95e41eb3880

SHA1
0c813061f1e700bd37d0a7016c84d2ba2517f356

SHA256
a0364957695c84163e1739503a5b36f8a7fb7b33851024181e85ccce0005e274

SHA512
3ae34fce0a7fef5afd7942abf1ee1b559469b3af581b4f1dec133c9875d5317defbcfdfbc6993abea756fae216ba68ee0aff647eb598b7b116f8b23d30c281bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB618.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA45A.tmp

Filesize
1KB

MD5
a0908eb3be01d72441b2efd3a2c43b1a

SHA1
f33e6b31532d2a4298ffce494ff04cdb484d999a

SHA256
ca23b9a1efa79b544ed01abb985518cc66b0a82576df8edd47a5778e37f80338

SHA512
ce8d12fe99803fe939670795df82e594fc1b92d0cb57ab83e2d9d97256fe4fd6e26f2f4b235cc3d050550546235e044fc048c7f20d2fa386ed1fb42aa67ec2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB05B.tmp

Filesize
1KB

MD5
359b17dae56c746aa570f5bd5bdf7fc0

SHA1
1e982cc8cd9a8a93da9a417a10401912360aa3bb

SHA256
b500b45b157d13cbf42c3dc45e798e80761af91874f036ca5d7b6d3552769b98

SHA512
ac2bb0c364a22f1c348088fc0c69efcbd535416467775cb5466c69a53a0b3b46d8c8b40056610ab41e2308c0e75b49b948daa089599bed58546310e8b336b3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB63A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeb30fkl\aeb30fkl.dll

Filesize
4KB

MD5
c7655ce2719c17d5d38cbe4382f125f5

SHA1
0f4fa7173607faccf28315fbe486eeba25da096d

SHA256
2b70f942cf85f223488c9b0e550b9ef622ae43879bc35c60cd6ee69a5fdf36c6

SHA512
76db1c526f52210ad41280a14782ba7113a0fb7fc650b8bf60883cacdb5656f627937f35d863badddce3e8c2574a9918cdbc9c7f3ac2b61c0dc0cdbc85dabfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdn3w10w\zdn3w10w.dll

Filesize
9KB

MD5
79585f12188ab72b0fc3d4181f7433df

SHA1
df4e4943cd8e6500339d1097efd8c46b89e466f8

SHA256
4132da94a522ac8c570d4f6d067a99d1b3340c933e5dc9cdbc876006000e27c6

SHA512
915314f8880fd2751b32c7653b5e51a29cbfac7a4a7a715ef92df08cc79116603acc24d28982b7b1b4c5641368ed4029db14d495514986968639039660faf0b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aeb30fkl\CSC4BAA050D77144D7AA288FF23A783AC2D.TMP

Filesize
652B

MD5
35b6051d85ba1ad20f826e25d5486cd5

SHA1
21e8875dd4836a384461817b29c7868431cb12bb

SHA256
7c0fecb5dba1e502f6d9d679f3c3ab9acd987bf6c11827f6f2d592c69ff5d692

SHA512
9d3ca28e472d55725f60a55f9694b2895ea1bfe9fff0f1a1d6cd57351f04ba333ce43cb6c8299c1a5aada972836163cf9d39c9972ce8b846d732ebfa8f26eafa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aeb30fkl\aeb30fkl.0.cs

Filesize
694B

MD5
8f52226e13685580215f3824bffd89e3

SHA1
43cc11a72726078c87adfecef4de4afca17b486d

SHA256
91ed1efe34193539b51dbaabeff36493a3461ba8554b8f476b013e66d62d8f8f

SHA512
167e208379d1bfc81117a3905e5a72e8aa782fe7cb87b3b153467671d99ff5777d5470f8f883946174627708a3635ef6c0b97c7f34b77148a06f2bd4917117f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aeb30fkl\aeb30fkl.cmdline

Filesize
183B

MD5
815f4a2925fb56041b2b1801b73bed39

SHA1
451923c3dcccdbc9984a4e047eb20213bd1158ca

SHA256
ba092eb79a2aa9f8f24ae2ff964c8e3faac441a8d8d3caf3d882f76e2459659b

SHA512
5e6e2363b0a6b9c91c7dab345403309d5d690cc9789b527b824f3ae8cd6b40ddf73bdbc1f042f8de5385c5887633ccd3ac47c4b790081779476a460919182af2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zdn3w10w\CSCE7BA551D17774E07B686889431B74725.TMP

Filesize
652B

MD5
77c5bbb62998fa76a244242e64b48752

SHA1
767786e41828e438f1b2400c4544364876edb309

SHA256
59f4183465b1d6b4540643f9d21c415e87a82505ca953b297a48008ca92915da

SHA512
8c9cd685bd73c8cce3b98b624ed2ac2246edb71fce65bcbd738d575b690747d45099e9a9d86805a2fbd2ae478637d7237f26bdf9feac11064b07d850106ceed0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zdn3w10w\zdn3w10w.0.cs

Filesize
10KB

MD5
25a541023591d6659fdf70b9b47cd680

SHA1
25f3f446a942ca92570839b264833caf8d1af545

SHA256
cd724f1cd5a32d624256313103ce9e63cb865cb3fb5b0aa887846f442c1da7cf

SHA512
384d91f089537a6b6966702f575da596eb3b8ceb664e054334cb9c6f584ea5dce777c9a8284293120f2d320c465f08be17d4ad46ff7e210648dd86c2cee17dea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zdn3w10w\zdn3w10w.cmdline

Filesize
204B

MD5
3a56293b603c9982451b3a62398fc99b

SHA1
daea3b90277924784b146c6d8bf7b1232a823860

SHA256
719712045988040ed35943b3f9e5be3ab68d406cba5e45ddad51e9d5e1c1a0d1

SHA512
5549903e55fffda700e8263064f6cff89b8ec351b3cfa3f360c06836545543f86f49172f03fee352e69ed650943bfe30a99b68b3d43f20ef9fbbb51e2805f4f6

Download Submit
memory/1924-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/1924-30-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/1924-1-0x0000000000A00000-0x000000000141C000-memory.dmp

Filesize
10.1MB

Download
memory/1924-4-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1924-15-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1924-17-0x0000000000680000-0x000000000068E000-memory.dmp

Filesize
56KB

Download
memory/1924-48-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-47-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2928-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2928-38-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2928-34-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2928-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2928-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2928-42-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2928-46-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2928-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download