vidar | d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

10.1MB
MD5

c57c72458776a0b6a653f6c828c229f2
SHA1

2f993c6a8499b360dec51240d0b6c5faff561c80
SHA256

d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6
SHA512

5678f7bf398e944d9d60876cb3dad8114c0ea71604488c72ba0f0e552629c5a231aa0b1be7b9459921486061656fa7741bd9b8379c457ae3db943d738bfb5cb0
SSDEEP

768:BQYZRf5c58TQppBw0t/9edP/IX6X/Ab0t/9eR:sdo/GX6Xk/R

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
6	4828	random.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4828 set thread context of 4756	4828	random.exe	93

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4828	random.exe
4828	random.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	random.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 628	4828	random.exe	86
PID 4828 wrote to memory of 628	4828	random.exe	86
PID 4828 wrote to memory of 628	4828	random.exe	86
PID 628 wrote to memory of 468	628	csc.exe	88
PID 628 wrote to memory of 468	628	csc.exe	88
PID 628 wrote to memory of 468	628	csc.exe	88
PID 4828 wrote to memory of 1340	4828	random.exe	89
PID 4828 wrote to memory of 1340	4828	random.exe	89
PID 4828 wrote to memory of 1340	4828	random.exe	89
PID 1340 wrote to memory of 2752	1340	csc.exe	91
PID 1340 wrote to memory of 2752	1340	csc.exe	91
PID 1340 wrote to memory of 2752	1340	csc.exe	91
PID 4828 wrote to memory of 1148	4828	random.exe	92
PID 4828 wrote to memory of 1148	4828	random.exe	92
PID 4828 wrote to memory of 1148	4828	random.exe	92
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93
PID 4828 wrote to memory of 4756	4828	random.exe	93

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z4db0ibz\z4db0ibz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA180.tmp" "c:\Users\Admin\AppData\Local\Temp\z4db0ibz\CSC9B9AF9B9A67B40B58FD71CB51993CBB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5ufuqxg\b5ufuqxg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A2.tmp" "c:\Users\Admin\AppData\Local\Temp\b5ufuqxg\CSC2A72B5BB82A4410783F974C5A478A7D9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA180.tmp

Filesize
1KB

MD5
1d993cd15452c8407eab2d335ca72791

SHA1
ae19f317d8ee300d0cdc640819f85c8fe5ecfcf7

SHA256
99aba62237730f3e14d2ac37259c6a3759cdad99c6bfddf62e9e88cd779f480c

SHA512
804b4e78bf79ef91a3fa7a651de5d1a2d80509b65dd7242371987b221bc0968dfdff2d13b0e2d5be532b0eb15ff926a425084ce54f46d96388b557347dc02677

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3A2.tmp

Filesize
1KB

MD5
cd4f1460abcebed7477c7a8ed5a100b9

SHA1
ee8400dcf5b2d787a7b3a5341c00c1c6ebb1ed75

SHA256
759a92500b1282ba5090de1291c01e61c8086ef66fc517ee40c2d18224bf1778

SHA512
c3eccfe32bea3dad906109c6c8547d202189e55a4efbd07b0ef42295c644ad2354124a3c3491cef308dc68bfc3163ef6b69568c105952f0ca397ccc9cd2a5389

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5ufuqxg\b5ufuqxg.dll

Filesize
9KB

MD5
1e3c112d7c5634787e939f947db1884f

SHA1
2ec8eaa0564ce388f6ae72698e3a317259c1128d

SHA256
9ae04be9cdba00ca88e6b35e746a62d06b226a59f06146a2b63f2d6c964a40fc

SHA512
e29f73e98aab26f18ce7e5f7b8b9df3944eecc2c6487dca8f843ca80af49f1eeda32bf98d0380ca50198213d51467b5b498599521714f5bb865bfa6af633c6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4db0ibz\z4db0ibz.dll

Filesize
4KB

MD5
e762d18b7f41e0a5ac88d05e482d2f62

SHA1
1c2759695af0e08744df3fb14560f84d5e7e352b

SHA256
d724f52f9d4a69b65f120c8a28d15e51bcbae17eb5184030b001562a01e6ec99

SHA512
705639a844ecb7b0340cdcbc60de6f86aca234f74481fddc6c029d8e71e4f84e229e2153eccbb791812ea6417049ab65f7b8187bab1f3912786037a40a0f0828

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b5ufuqxg\CSC2A72B5BB82A4410783F974C5A478A7D9.TMP

Filesize
652B

MD5
6f7fdc52955a69e8b7133d4117b8f8cd

SHA1
2d68c8e81703d596e8a21504cf6440609cd713ae

SHA256
b9d2e260ce22c4314c1f5fe7720caa26040ab0fb94100ece42eb4378ab42b059

SHA512
b61d20c28b8647d08cf6b3a07594955c01f6da23340ea0306fdffe7f47a58eabe2a0bc294773c7296cc613294c35b17ca73923fcf7a95a6c3f2aba860068fd9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b5ufuqxg\b5ufuqxg.0.cs

Filesize
10KB

MD5
25a541023591d6659fdf70b9b47cd680

SHA1
25f3f446a942ca92570839b264833caf8d1af545

SHA256
cd724f1cd5a32d624256313103ce9e63cb865cb3fb5b0aa887846f442c1da7cf

SHA512
384d91f089537a6b6966702f575da596eb3b8ceb664e054334cb9c6f584ea5dce777c9a8284293120f2d320c465f08be17d4ad46ff7e210648dd86c2cee17dea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b5ufuqxg\b5ufuqxg.cmdline

Filesize
204B

MD5
018f4ccb9941a581bc6c939f852154e5

SHA1
9eae650143a879fc213646eabea18c4fc1f777b2

SHA256
a242fec9e8de84d05f322ef92468f4f739e6ba1f5c2f305149a03ec60fb5d7a0

SHA512
fc55607ab05405b7437fa8b433910f71080bea4076f1702fd6e2e33484b985a334f753355971649d5162dfe742a2bb2daf157cd0c53f7e3ff0d6e58b805a8b22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z4db0ibz\CSC9B9AF9B9A67B40B58FD71CB51993CBB.TMP

Filesize
652B

MD5
b755e1abe6c84756cac22c8f445c352b

SHA1
f2e39c16777199ad30b61a8f74a37708b8e0aa61

SHA256
5f0ae8c01ec17da854b667841b0a5ccc55f1748621cc5777996dfb72463df98e

SHA512
acaa918a5527a8989235570669c616863fbb01d78e58df5f662020615d4eadfa0d019895fe40a5957a1bac059e0f1103e68cb49978c9184ecbd5900158629754

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z4db0ibz\z4db0ibz.0.cs

Filesize
694B

MD5
8f52226e13685580215f3824bffd89e3

SHA1
43cc11a72726078c87adfecef4de4afca17b486d

SHA256
91ed1efe34193539b51dbaabeff36493a3461ba8554b8f476b013e66d62d8f8f

SHA512
167e208379d1bfc81117a3905e5a72e8aa782fe7cb87b3b153467671d99ff5777d5470f8f883946174627708a3635ef6c0b97c7f34b77148a06f2bd4917117f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z4db0ibz\z4db0ibz.cmdline

Filesize
183B

MD5
0b04f8c6136bd27a6e7c7dbdada79dd4

SHA1
99777d869230e2c7b2fddbb3e8b51a208923dd6a

SHA256
bb7d20c5f569de7f07788a8e5e82ad45cc074c5b4f69394882d51376362f41db

SHA512
715d2bfd0333f3fe2def0b365d879568f6a722bff2cf08ba1ecb6a82ddd77588692e2c8e0a8090f95d2f579bd6aaf83924443217c12778dc7c69bb7af7ad6fd6

Download Submit
memory/4756-34-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4756-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4756-35-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4756-37-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4756-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4828-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/4828-17-0x0000000006640000-0x000000000664E000-memory.dmp

Filesize
56KB

Download
memory/4828-5-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4828-1-0x0000000000B80000-0x000000000159C000-memory.dmp

Filesize
10.1MB

Download
memory/4828-30-0x0000000006650000-0x0000000006658000-memory.dmp

Filesize
32KB

Download
memory/4828-15-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/4828-36-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download