vidar | 3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0

General

Target

3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe
Size

8.7MB
MD5

1684e9b9f85aaf93d1a90063d386b67f
SHA1

4ee1fb056218b85f39cd3a35c702aebf00d78f25
SHA256

3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0
SHA512

1c3dd0f07a1daa62e7af3b4ef2120ff722b3e7cd8cdf61713812e2945314f108fa1e66468fa28d1f23a996bf9016bd1f3aab2dd98f40492793f9dc5924939559
SSDEEP

49152:zHc0LD04voQr6iZAhhG4YDLduYWnqjoN4KWj4gCCOWuyO0CSgA5QkWhVoUcNvE01:bc0LlXZAC/D3KnabOte3KVIYEnjuq

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/2752-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2752-2-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2752-45-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30
PID 844 wrote to memory of 2752	844	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe	30

C:\Users\Admin\AppData\Local\Temp\3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe
"C:\Users\Admin\AppData\Local\Temp\3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\76561199828130190[1].htm

Filesize
28KB

MD5
df0a23711f6eac36cf879780c3f6b945

SHA1
de85559625ec8c603495f8f414e41fb696c2be76

SHA256
aed6923daad3e9de22adccbf8e102ff6ad8e84ac6ddccb220545dfc7adac25f6

SHA512
d9f7c56728abd81d5bb164dadcba188bed97203d376c1183bf79d1fc9909dd7417b05531fa85b57f1f5990ce3ae3072fc8261a012d640eaa0f0999466e66db92

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD83D.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
memory/2752-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2752-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2752-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2752-45-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing