vidar | d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6

Analysis

max time kernel
144s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

10.1MB
MD5

c57c72458776a0b6a653f6c828c229f2
SHA1

2f993c6a8499b360dec51240d0b6c5faff561c80
SHA256

d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6
SHA512

5678f7bf398e944d9d60876cb3dad8114c0ea71604488c72ba0f0e552629c5a231aa0b1be7b9459921486061656fa7741bd9b8379c457ae3db943d738bfb5cb0
SSDEEP

768:BQYZRf5c58TQppBw0t/9edP/IX6X/Ab0t/9eR:sdo/GX6Xk/R

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
4	2680	random.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 1616	2680	random.exe	36

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	random.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2488	2680	random.exe	30
PID 2680 wrote to memory of 2488	2680	random.exe	30
PID 2680 wrote to memory of 2488	2680	random.exe	30
PID 2680 wrote to memory of 2488	2680	random.exe	30
PID 2488 wrote to memory of 2164	2488	csc.exe	32
PID 2488 wrote to memory of 2164	2488	csc.exe	32
PID 2488 wrote to memory of 2164	2488	csc.exe	32
PID 2488 wrote to memory of 2164	2488	csc.exe	32
PID 2680 wrote to memory of 2748	2680	random.exe	33
PID 2680 wrote to memory of 2748	2680	random.exe	33
PID 2680 wrote to memory of 2748	2680	random.exe	33
PID 2680 wrote to memory of 2748	2680	random.exe	33
PID 2748 wrote to memory of 2880	2748	csc.exe	35
PID 2748 wrote to memory of 2880	2748	csc.exe	35
PID 2748 wrote to memory of 2880	2748	csc.exe	35
PID 2748 wrote to memory of 2880	2748	csc.exe	35
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36
PID 2680 wrote to memory of 1616	2680	random.exe	36

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s4olo545\s4olo545.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E90.tmp" "c:\Users\Admin\AppData\Local\Temp\s4olo545\CSCE73C42FA4819491AABBC202ACD2CEF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmkpg3xd\tmkpg3xd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA15.tmp" "c:\Users\Admin\AppData\Local\Temp\tmkpg3xd\CSC80BEC7F717D442D095B0F11CB79B462.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\76561199820567237[1].htm

Filesize
34KB

MD5
0b4471c94470e513dfc17034a7c3b676

SHA1
5774d523728b31c68e8f6e20d357e3550a57e949

SHA256
3db9c83adeb12d7847e70207781a26a1563937663f10d8d60184ef8bb17d8fac

SHA512
886eb517d056b21c7ec968742e7752ff47fd2f85f1c1de43a74657949720fbd543d957a23f4f467a9301e0473dbf4dd3ad885f4e64666f4ef20264cae101d3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\76561199820567237[1].htm

Filesize
25KB

MD5
e489ca09c60a9fcfaa24dc661d83da19

SHA1
1ccc251528d1b33d0ab277e3c4786cc7f419a301

SHA256
1453abf4d69e376337316f44a4fd3e60ce613f25e1d84571ef1c71e8935d9685

SHA512
73fa3621bfe4b9a3d2ebc9517fb09029284fa0882c70c9c5840e9e3744e7efd07e6c53092a09eee6d33dda871f6647da5280a4b2df4b460356957966c1b5ff7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAF16.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E90.tmp

Filesize
1KB

MD5
36c65f7f33c37c8fb5bf6b83aebec6a6

SHA1
90f4d5c86af8ee17254b93b23982ffa95f093800

SHA256
769eaee489a9aff32c67572a9ada2048ed9fee40f73f6623507e4ca52c30f589

SHA512
eaf825b6491da0933f8b6c6b7361b8888d6aa2ee506b75c3a1e1d1d282a478deef1adf4a798730a1c19c3759781075db876be47c774482fcee46196b0d14cdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA15.tmp

Filesize
1KB

MD5
94d34829595dafcc08cc96ef80dc2664

SHA1
7a39a6326c555ef72a6d5743512af7cba096cd2e

SHA256
68db4fdcd475d58c2a87ad72695847403fd9ad6bd82588e267c61ca3b41ef90e

SHA512
9d27f056467a028336a51726bdbc0113c920a455461c4feedd01962fb21ce9a8fffa109a403d340b7ef50af88a7efb312d5fcdac21f6af91e796132807a6a54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAF38.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4olo545\s4olo545.dll

Filesize
4KB

MD5
0707abb14f29b7bf29ca97232e1c12ce

SHA1
5be636c74d56e426f8a39c0b9366ca210d4c1cee

SHA256
706281b80b08e6a93c5c0846b4be533335df5a4f3e7432b19dbb8450558f83ae

SHA512
be4760f4b42d8a8ae97f7e346c322928ab17532242b41db339bc62e4439fc8644aeb04e0bc9a38e429acaa2482de7ecc3d7019db1279efdcda55f12151051e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmkpg3xd\tmkpg3xd.dll

Filesize
9KB

MD5
3c016b397f44a17adf02ea4b03583e14

SHA1
bfb3ee8fee13bd49f85b7a4c15f0c1effed42ce8

SHA256
a4b73d44638e089d92f729922ea27896f0b082bd04952eb69db86c75d31f1691

SHA512
6a71070c997ff65d972cf948bcfbbb3d1fe3408534e2fc3178c31fb139d233dc28280e5d1bcaf1a71b6daf0318efb491f931b4f49c532e6ff581f66673861691

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s4olo545\CSCE73C42FA4819491AABBC202ACD2CEF.TMP

Filesize
652B

MD5
ec5114695e16f951e7bf7c9d3a2d2a0f

SHA1
a807293a103d122dc151b814981f2682b1758fa6

SHA256
ac29d88c5b5dd0b0482540150ba9700665e9769566cebdcd80fc8b7a0afda872

SHA512
d02a28ca928b503b33edb3e150f8a17eb8f1b68b4d193d16781d2a80d2474e5e79ae6df4eb65e9c3dca804cba124f64e7e1f04708168eef7d0c26013726ae6d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s4olo545\s4olo545.0.cs

Filesize
694B

MD5
8f52226e13685580215f3824bffd89e3

SHA1
43cc11a72726078c87adfecef4de4afca17b486d

SHA256
91ed1efe34193539b51dbaabeff36493a3461ba8554b8f476b013e66d62d8f8f

SHA512
167e208379d1bfc81117a3905e5a72e8aa782fe7cb87b3b153467671d99ff5777d5470f8f883946174627708a3635ef6c0b97c7f34b77148a06f2bd4917117f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s4olo545\s4olo545.cmdline

Filesize
183B

MD5
1f92679f4847bd66f9a29ab185045f4e

SHA1
1f7f6f9486bebf700fd9feea0e22e928a6c45307

SHA256
024b293f8dbdc60ddbb86b4af53b8bd323f60acfa620d8ee00d782a39a7a7947

SHA512
7168040ccb5adde5c95e6299925aee04bc01745b7974efd8ffe3f5a7c9de14d82e8569dd06728cbafd4d0d2567f3f2a576b33353a001672580f72dd05e54b414

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmkpg3xd\CSC80BEC7F717D442D095B0F11CB79B462.TMP

Filesize
652B

MD5
aaaee1017a9d926fcfd506473227c811

SHA1
3607870fef11307d83b500a92009a21b4f47d419

SHA256
74e6dac163f9dec585cb821ed5e30e01b1dd5720e1bd418d495513ec36bee8a6

SHA512
bea6861e5262436e6f9f4ae6dd488402a50501917d49c8c264ce7e0835391087542c6e342bfb7a26d031f11253c855efca22cfa014a6705c9afaa19427f73273

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmkpg3xd\tmkpg3xd.0.cs

Filesize
10KB

MD5
25a541023591d6659fdf70b9b47cd680

SHA1
25f3f446a942ca92570839b264833caf8d1af545

SHA256
cd724f1cd5a32d624256313103ce9e63cb865cb3fb5b0aa887846f442c1da7cf

SHA512
384d91f089537a6b6966702f575da596eb3b8ceb664e054334cb9c6f584ea5dce777c9a8284293120f2d320c465f08be17d4ad46ff7e210648dd86c2cee17dea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmkpg3xd\tmkpg3xd.cmdline

Filesize
204B

MD5
ec6502cf700ab82ab7517b6d7788048d

SHA1
7163ffa80bdf3714ebfdd51708107fc8486ef621

SHA256
7211b245d04a42d14c7c2e92f69a9ebc5fea6d0fc54203f5afe3ce27c284a031

SHA512
ceb8a6915fdee4a24685b40e7b890d585ea62d9a5b28b9646520f681b9f60b71a38102cf43cc04e165ae8ea0858330bf2604d711c10df1c0e8c77d4a8a407700

Download Submit
memory/1616-47-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1616-38-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1616-34-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1616-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1616-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1616-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1616-46-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1616-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1616-43-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1616-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2680-0-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/2680-30-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2680-48-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-17-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/2680-15-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/2680-5-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-1-0x0000000000DB0000-0x00000000017CC000-memory.dmp

Filesize
10.1MB

Download