vidar | 590890f9b90b0485a47fd34d27534bbaf58dba0576512f145b03c9284e2ecae9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tvhaqk.exe
Size

34KB
MD5

07247639cd83d2e78aabc831240f4c51
SHA1

7ba160b67773c450d59a41bdf3179ed4ca097287
SHA256

590890f9b90b0485a47fd34d27534bbaf58dba0576512f145b03c9284e2ecae9
SHA512

67f0d2d6ec2ec2a0e14d85431e2262f56fb1c02592a943340fc786ae69e8449d8fe59ee368bede270d4c951bd53a1c14ba48321a2f027da0bb2e7afa2aed8f06
SSDEEP

768:ib7UN5sVdbREulXGUchLHcpJeb2sVaAgNrJstfe:2UNOfbR1XRs8pJe6ug7

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
4	1720	tvhaqk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2936	1720	tvhaqk.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tvhaqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	tvhaqk.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2396	1720	tvhaqk.exe	30
PID 1720 wrote to memory of 2396	1720	tvhaqk.exe	30
PID 1720 wrote to memory of 2396	1720	tvhaqk.exe	30
PID 1720 wrote to memory of 2396	1720	tvhaqk.exe	30
PID 2396 wrote to memory of 2356	2396	csc.exe	32
PID 2396 wrote to memory of 2356	2396	csc.exe	32
PID 2396 wrote to memory of 2356	2396	csc.exe	32
PID 2396 wrote to memory of 2356	2396	csc.exe	32
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34
PID 1720 wrote to memory of 2936	1720	tvhaqk.exe	34

C:\Users\Admin\AppData\Local\Temp\tvhaqk.exe
"C:\Users\Admin\AppData\Local\Temp\tvhaqk.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hxnqccrv\hxnqccrv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCF9.tmp" "c:\Users\Admin\AppData\Local\Temp\hxnqccrv\CSC69C185D1B0C341FAB2F1F71525D46257.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\76561199820567237[1].htm

Filesize
34KB

MD5
b37e67b8d6b928b792aaf3c8c59c70cf

SHA1
a9506e88c29b4556c1c28bfa0f562d5088b5718e

SHA256
82903ceecc7f16bd0ecae00cac22870a2080d62067fb3c9b89558e0072793ed7

SHA512
82a034120fb59d071a206e9ab77dc1bdc9a7d87fb775da473e093677f15618186a5c438a70952546927edb6605342b96021b692072d32e4cb7bd556518967ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\76561199820567237[1].htm

Filesize
25KB

MD5
6e1c41d4278debfe2310fcd37c9b9088

SHA1
759c58e7d2cea548c86b68904f24ee0522aac449

SHA256
ba536bc79b5ad8610f00ddf77e2e7216533cddee7c6afc1fe4d50216fd86830c

SHA512
9069573a2b678e23b4cb5ebe3fa50f92b7f3755b249f19f2a3462e5ed9a36134c0ef02289e8ec109fa072d28cdfddedc926d56a9bb1eded98086a1709b8c7705

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFA0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBCF9.tmp

Filesize
1KB

MD5
7254378838fdfc6ceefedb39c31588ac

SHA1
f6b086576cca7dba6c77c352bc79d5e6345ecf61

SHA256
ce38e9a19b617a868c36a56c52e1480ded7482b40746f59d0f755fa6e89f4611

SHA512
3bb304ceacede85a8104720cbba45d1990267b30447306b35905f4082b53c3fdd426415b7bf2491f597626f654f08e3b67919fb5951036d0ade673831fdd31fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCFD2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxnqccrv\hxnqccrv.dll

Filesize
9KB

MD5
4c40718e4c36078a2cd15c059b7c378c

SHA1
d78defc6d8a7686babfac4758cfc7760fffa56c7

SHA256
ba1581e9fa85e4f049a90597eddfa53e0db2460187a1aa82d8ff184d16e9e494

SHA512
f1b0b9b3ddd36a1051e05aea64dfd3c38b4b32a32f4dfb46d7a1f21a81b901c3220e2bf2db341e8eae30e86fc2c9a948a5e7bd1c6256930297a37dc07bd660bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hxnqccrv\CSC69C185D1B0C341FAB2F1F71525D46257.TMP

Filesize
652B

MD5
c36e247f1d1b00fde21b8e41e555e1d8

SHA1
e441bd790292fb1550ad37e1bc942b316cbf4719

SHA256
d86104ed52ba5fcb4ce0957ce4bb4059bbcfa7ea25ca49e9f09113b4bf955e32

SHA512
111ef977b6aaec11efc72ce06e63f2f22f8cf2a02ab75d774a164647b7e34ebd3810265a4995c38cb2e5c017e0f945e75dbd9baedc94f8b9bd13fa03536d34df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hxnqccrv\hxnqccrv.0.cs

Filesize
10KB

MD5
25a541023591d6659fdf70b9b47cd680

SHA1
25f3f446a942ca92570839b264833caf8d1af545

SHA256
cd724f1cd5a32d624256313103ce9e63cb865cb3fb5b0aa887846f442c1da7cf

SHA512
384d91f089537a6b6966702f575da596eb3b8ceb664e054334cb9c6f584ea5dce777c9a8284293120f2d320c465f08be17d4ad46ff7e210648dd86c2cee17dea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hxnqccrv\hxnqccrv.cmdline

Filesize
204B

MD5
a3165e17bb3147c857c3d6bed3c2f6a6

SHA1
8368fa43851bc4845964e007643662481e98af7d

SHA256
cc179cd307056221ee692212fcae8aa1e956b7920fa0503ee5f9d16f8cc0d1ef

SHA512
f4a32a421de518134e8412e832cf2b470a10891e703d5ac3c627ac3f408f3df4acb7b819df125cfef30fdd970a554b95119fac7fc08ea7b17ad26c8aa532e244

Download Submit
memory/1720-34-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-15-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1720-1-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/1720-0-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/1720-5-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2936-21-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2936-23-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2936-29-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2936-19-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2936-28-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2936-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2936-17-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2936-31-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2936-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2936-25-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download