vidar | b679a6acd8f938b51a635855ea772b6c98ba25d165c71a5082d4cedf90c9af82

Analysis

max time kernel
34s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2025 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe
Size

390KB
MD5

9c11f8b0f55dfbcd4b67c6a56fb0f11f
SHA1

040437d898ccf617506617f9d12b364ae8784727
SHA256

25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66
SHA512

5da2d3d68f5a58aa7323abfc175452ea7e5b6f94526a5f6ecb4a0aef6b2374475825abb25f42ff82f3af30e1dcf85fe5ba7778e61796f2a84152e317f016b118
SSDEEP

12288:mfeZUvaamvY7kmA7YJCMKKvzKbkL+Kawd:AVpmQntvKKvAxBW

Score

10^/10

vidar fc0stn discovery stealer

Malware Config

Extracted

Family

vidar

Botnet

fc0stn

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5080	2072	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86
PID 2072 wrote to memory of 4412	2072	25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe	86

C:\Users\Admin\AppData\Local\Temp\25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe
"C:\Users\Admin\AppData\Local\Temp\25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe
  "C:\Users\Admin\AppData\Local\Temp\25a15af2bab20ec576f778acfde2f027d31b2c1c389ab707360e8397724d7f66.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 788
  2⤵
  - Program crash
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2072 -ip 2072
1⤵
PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2072-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/2072-1-0x0000000000A30000-0x0000000000A98000-memory.dmp

Filesize
416KB

Download
memory/2072-2-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/2072-7-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/4412-4-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4412-5-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4412-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4412-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4412-10-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download