vidar | d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6

Analysis

max time kernel
93s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

10.1MB
MD5

c57c72458776a0b6a653f6c828c229f2
SHA1

2f993c6a8499b360dec51240d0b6c5faff561c80
SHA256

d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6
SHA512

5678f7bf398e944d9d60876cb3dad8114c0ea71604488c72ba0f0e552629c5a231aa0b1be7b9459921486061656fa7741bd9b8379c457ae3db943d738bfb5cb0
SSDEEP

768:BQYZRf5c58TQppBw0t/9edP/IX6X/Ab0t/9eR:sdo/GX6Xk/R

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
7	1104	random.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 5112	1104	random.exe	92

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	random.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2372	1104	random.exe	86
PID 1104 wrote to memory of 2372	1104	random.exe	86
PID 1104 wrote to memory of 2372	1104	random.exe	86
PID 2372 wrote to memory of 808	2372	csc.exe	88
PID 2372 wrote to memory of 808	2372	csc.exe	88
PID 2372 wrote to memory of 808	2372	csc.exe	88
PID 1104 wrote to memory of 2328	1104	random.exe	89
PID 1104 wrote to memory of 2328	1104	random.exe	89
PID 1104 wrote to memory of 2328	1104	random.exe	89
PID 2328 wrote to memory of 4460	2328	csc.exe	91
PID 2328 wrote to memory of 4460	2328	csc.exe	91
PID 2328 wrote to memory of 4460	2328	csc.exe	91
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92
PID 1104 wrote to memory of 5112	1104	random.exe	92

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ywydv3t\5ywydv3t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9616.tmp" "c:\Users\Admin\AppData\Local\Temp\5ywydv3t\CSCB63424D45D044FA96425E684FBC11.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y2zmqghi\y2zmqghi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9858.tmp" "c:\Users\Admin\AppData\Local\Temp\y2zmqghi\CSC8B3E8979F9D64580B03C4968671FEACD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ywydv3t\5ywydv3t.dll

Filesize
4KB

MD5
456a11fc5fe5a1e1a2e6aa707015de52

SHA1
ce27bb89969f99c37071ba3aaf96d719690a9f33

SHA256
a9ca17369f680c92a41c2e3dff3458988ad8b918a3a94dbb341714415f97476c

SHA512
3f1c7c274573f00fc58be33996d0d82a0aeeb88a268f8a5e466ce1dbf3d74eb292caf3916d8a1e8ce0704a45c89ed65fcf0f130091b264c0ec160ae0a4d321f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9616.tmp

Filesize
1KB

MD5
aa397e940f67d872156629972dbffa46

SHA1
d5fc067bef675f8a953c59c462a6314ae9bacae6

SHA256
5fe85635d892354e46030bd0f329792a44befd75847e9b625b89208389862d08

SHA512
a2740dc96f99888c91890de882d12091c832fd7a863c94274296268e4a26c191665338224f37cd6e933aca02065b0245c2ea63cb284f97976dd568010114e897

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9858.tmp

Filesize
1KB

MD5
9e89f2426fbf3b83e046a3a5706075c8

SHA1
e9915942819134c032b0083ecaeeb13784a53baa

SHA256
93f327e2b82f36b56f3e31fe0a5b709d7782417b43a56847d399fd8bc1fc71cc

SHA512
6850deea221938b1f755e7f9bb4fbcc63d172be5569d82513404e38e679b8c29f1df0b088dd54b989f594ccd5951c8583d4293cb26738ca784eee62c2cdba537

Download Submit
C:\Users\Admin\AppData\Local\Temp\y2zmqghi\y2zmqghi.dll

Filesize
9KB

MD5
a65e62d8bd39332380c11a3b79083e3b

SHA1
b3cd09e588748154dd113eed04045d006d56c931

SHA256
40d036ce3794adc682a21f6d1616f5eb06ce36ed4081b4983db2ec101b64d07d

SHA512
ea940569ee4b7eaf17e5573c06ddc64b25d03ef98405bbae8d47770ddc5a8db7cb3922f820654b158fe1fbb2dea44c658dade50905b1b6e373f94cc97e42a9cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ywydv3t\5ywydv3t.0.cs

Filesize
694B

MD5
8f52226e13685580215f3824bffd89e3

SHA1
43cc11a72726078c87adfecef4de4afca17b486d

SHA256
91ed1efe34193539b51dbaabeff36493a3461ba8554b8f476b013e66d62d8f8f

SHA512
167e208379d1bfc81117a3905e5a72e8aa782fe7cb87b3b153467671d99ff5777d5470f8f883946174627708a3635ef6c0b97c7f34b77148a06f2bd4917117f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ywydv3t\5ywydv3t.cmdline

Filesize
183B

MD5
c700598ffe5f9106f2bdce055baffb4e

SHA1
0a152ce4ae0299b0d51bb5f382352060f90bd882

SHA256
764236a0699d8480c554109197be050366318ead893e81726ba115f9c4da85b3

SHA512
81c95f4b18c6065be2788e9e10e18fab26a0f36c058c416e90a83f241416db55b035b26a28c387bd48ec0328e0d0f24da3229c3fa9b84a78c03244f813c702f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ywydv3t\CSCB63424D45D044FA96425E684FBC11.TMP

Filesize
652B

MD5
bb00154c03c0d09196ff22d40b2287b1

SHA1
b5c0325469f290fcc10b7d034e505f35e21b7b34

SHA256
83126b991e6deefa4489763f1c4aab221a5f8b7f9696bfac2c9684bfe063a0a7

SHA512
afacd6173653492a54c9b5f4a00e2d4ceab5c62af85cd3d2de3187ede94a3e2f19bf524b293c0bc73a8ee94db2c93900364d67959f19106a0350e7bd377a2c18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y2zmqghi\CSC8B3E8979F9D64580B03C4968671FEACD.TMP

Filesize
652B

MD5
d1f0ad7dbdbf87e6df22b7334c30cc58

SHA1
b0382e20b3ad7d40d105e44fab0f3ffd42d1dba8

SHA256
a8b5854ea5965fe6aa3c67216cf9900721c8e055bbd44adceadc7c8ebb089571

SHA512
0713cd1b28b8ad55259f5b149328d20bb09126fccf1a8785165eed392de1c4f5d16d229ba7a32d9300426394396a4520e2887f525d9bd5d6907099640ed94cf6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y2zmqghi\y2zmqghi.0.cs

Filesize
10KB

MD5
25a541023591d6659fdf70b9b47cd680

SHA1
25f3f446a942ca92570839b264833caf8d1af545

SHA256
cd724f1cd5a32d624256313103ce9e63cb865cb3fb5b0aa887846f442c1da7cf

SHA512
384d91f089537a6b6966702f575da596eb3b8ceb664e054334cb9c6f584ea5dce777c9a8284293120f2d320c465f08be17d4ad46ff7e210648dd86c2cee17dea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y2zmqghi\y2zmqghi.cmdline

Filesize
204B

MD5
6aa33175097405549a33c8f087a2a97d

SHA1
e365905a5c3b1eeea28493676dfa81275e2e0ffd

SHA256
749f9be63942e337fb57232b6409ee92a7fc976cae81e1b5ddcb8e01d53ccbcd

SHA512
ec6d47b6e31cea2cd504d6cda6222b000561c59423721801a3015353457acefe986da4e5f1a499977309cba194599e52e47488e85387f65bb273fae1f04e6003

Download Submit
memory/1104-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/1104-17-0x00000000031D0000-0x00000000031DE000-memory.dmp

Filesize
56KB

Download
memory/1104-15-0x00000000031A0000-0x00000000031A8000-memory.dmp

Filesize
32KB

Download
memory/1104-5-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1104-1-0x0000000000390000-0x0000000000DAC000-memory.dmp

Filesize
10.1MB

Download
memory/1104-30-0x00000000031E0000-0x00000000031E8000-memory.dmp

Filesize
32KB

Download
memory/1104-36-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5112-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5112-34-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5112-35-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5112-37-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5112-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download