vidar | f0e69027e42692d86e5568255610cf9b07223b9cf07327a3d78086c60102e47d

Analysis

max time kernel
6s
max time network
8s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
20/04/2025, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

820KB
MD5

3cd0db86d5e81b8825b77e67df41bf1a
SHA1

cd22219cff15afd6666866a39025cdbabcf39672
SHA256

f0e69027e42692d86e5568255610cf9b07223b9cf07327a3d78086c60102e47d
SHA512

30c04177a69bf1796ec2f059031f280a385dfeeeadb84e66172f6258efbb96184905604a402b65889430948aef0f5e8d1e86370f5959157618c52374f00821df
SSDEEP

12288:4/DKcz2a8Ep3A5WWwLUWdt6/FcMMSdLHmc+9LKLdEEo4Edka+9LKLdEEo4Edkl:QKcz2aN34WWXN/FAcaKLdjRaaKLdjRl

Score

10^/10

vidar c466785b3a34d7b3c4d6db04a068b664 discovery stealer

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

c466785b3a34d7b3c4d6db04a068b664

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/5220-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5220-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5220-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4480 set thread context of 5220	4480	file.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82
PID 4480 wrote to memory of 5220	4480	file.exe	82

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5220

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5220-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5220-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5220-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download