vidar | b782424ea7fc5ff7a800a63201e3c7dcba6addf794f94fdee90754514701c20d

Analysis

max time kernel
347s
max time network
348s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
02-02-2025 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luna.zip
Size

4.8MB
MD5

a25d93a90c12faba6336d6950335bf02
SHA1

51c5516dc562c5004f4da342d20747ed8877f8f1
SHA256

b782424ea7fc5ff7a800a63201e3c7dcba6addf794f94fdee90754514701c20d
SHA512

9556edb15da58c4b57223d94c42592e3f82de0ed57c13255ab2f0e0f704e4a7940b3317e91e45017a40db8e051ca6b2fccfabff3c8be23890dc377a67b1ea104
SSDEEP

98304:hBcsjfFvWFTyZXhfGpJhJ3A5eADXVATMZPBB9aTgmJTX6N+0Xh6lzi3r:/twy5NGpJhFA5nOwNBa1D6w0XhuzEr

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 4320 created 3316	4320	Luna.exe	53
PID 616 created 3316	616	Luna.exe	53
PID 3116 created 3316	3116	Luna.exe	53

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 1364	4320	Luna.exe	83
PID 616 set thread context of 2680	616	Luna.exe	85
PID 3116 set thread context of 3432	3116	Luna.exe	93

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4320	Luna.exe
4320	Luna.exe
4320	Luna.exe
4320	Luna.exe
4320	Luna.exe
616	Luna.exe
616	Luna.exe
616	Luna.exe
616	Luna.exe
616	Luna.exe
3116	Luna.exe
3116	Luna.exe
3116	Luna.exe
3116	Luna.exe
3116	Luna.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4320	Luna.exe
Token: SeDebugPrivilege	4320	Luna.exe
Token: SeDebugPrivilege	616	Luna.exe
Token: SeDebugPrivilege	616	Luna.exe
Token: SeDebugPrivilege	3116	Luna.exe
Token: SeDebugPrivilege	3116	Luna.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 4320 wrote to memory of 1364	4320	Luna.exe	83
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 616 wrote to memory of 2680	616	Luna.exe	85
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93
PID 3116 wrote to memory of 3432	3116	Luna.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3316
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Luna.zip
  2⤵
  PID:2872
- C:\Users\Admin\Documents\Luna\Luna.exe
  "C:\Users\Admin\Documents\Luna\Luna.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Users\Admin\Documents\Luna\Luna.exe
  "C:\Users\Admin\Documents\Luna\Luna.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Users\Admin\Documents\Luna\Luna.exe
  "C:\Users\Admin\Documents\Luna\Luna.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8C6C39640A5A1A1163D0D603044268A0

Filesize
346B

MD5
dadb34e679a34800007ba53f0044815b

SHA1
40643e627b545f366722c853897ed804c540ded4

SHA256
7378e24b0946168f8a2197a901d79c91298f935633cbcf8239c82696c5818e31

SHA512
adf725e30986bafaa7de0d98b3e89d1bc1001314a7ce85c5696ce7bf8e3a18145cf8eb6e5927bb6c160479283f22dcb6f521a8e5f5ada9d67f5d8c4c9d79c813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
cbf09eb863233ac1e82880446d82c594

SHA1
1d1de0db2c457111426445ad3b40029f6623b459

SHA256
124654e417c674f4254f6c04936eb37acb6327202ecbf00f953d84abec5f4f88

SHA512
226895eb8250f94a7d3f511e1b2722957b5d955d86c6e0c5e7037e2f425f4e2e073acb1765c6261329b3341f23e9f11613443ca634c01eacbcee150ff76d8246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8C6C39640A5A1A1163D0D603044268A0

Filesize
540B

MD5
948d327933ff42946d24affee76dce11

SHA1
0be17a4d2e2a787619bfa13e534fd9a4a1a10f90

SHA256
1cbd59367b03f7609b4d7e411c2dbd4dcbb9fa6040241f9983c38cfd5148ca3f

SHA512
ba0c8748cf3b2ae2f96f3358d7498cc4705d84eecc186bddda748ee5d29d4fd3abe8977b40a40d220a1e7183b7ba16c004123ceb3d29f9742338aea3f2ea50ee

Download Submit
memory/1364-1358-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1364-1365-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4320-52-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-6-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-48-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-5-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-46-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-7-0x0000000005480000-0x000000000559E000-memory.dmp

Filesize
1.1MB

Download
memory/4320-8-0x00000000058B0000-0x00000000059D0000-memory.dmp

Filesize
1.1MB

Download
memory/4320-9-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-11-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-12-0x0000000006000000-0x0000000006092000-memory.dmp

Filesize
584KB

Download
memory/4320-10-0x00000000059F0000-0x0000000005F96000-memory.dmp

Filesize
5.6MB

Download
memory/4320-18-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-22-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-39-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-44-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-66-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-74-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-72-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-70-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-68-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-64-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-62-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-60-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-58-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-42-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-54-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-1-0x0000000002630000-0x00000000027AC000-memory.dmp

Filesize
1.5MB

Download
memory/4320-50-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-4-0x00000000055F0000-0x000000000576C000-memory.dmp

Filesize
1.5MB

Download
memory/4320-3-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/4320-56-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-40-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-36-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-34-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-32-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-30-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-28-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-26-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-24-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-20-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-14-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-13-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-16-0x00000000058B0000-0x00000000059CA000-memory.dmp

Filesize
1.1MB

Download
memory/4320-1335-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-1336-0x00000000062A0000-0x000000000631A000-memory.dmp

Filesize
488KB

Download
memory/4320-1337-0x0000000006380000-0x00000000063F8000-memory.dmp

Filesize
480KB

Download
memory/4320-1338-0x0000000006400000-0x000000000644C000-memory.dmp

Filesize
304KB

Download
memory/4320-1339-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/4320-1340-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-1341-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-1342-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-1343-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-0-0x0000000002630000-0x00000000027AC000-memory.dmp

Filesize
1.5MB

Download
memory/4320-1344-0x0000000006450000-0x00000000064A4000-memory.dmp

Filesize
336KB

Download
memory/4320-1348-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-1350-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-1355-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-1357-0x0000000074900000-0x00000000750B1000-memory.dmp

Filesize
7.7MB

Download