File name: 3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe

Full analysis: https://app.any.run/tasks/cb40f5a5-0add-4c11-adad-683548baf910
Verdict: Malicious activity
Threats:

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018.

Analysis date: May 18, 2024, 20:23:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: telegram, vidar
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5ACD14812B5E24DE803BB068E57836E7
SHA1: 7B75C4BD72EEC19F5856E26E7D74DE281E495C79
SHA256: 3EDE1D83CC31CB357A158ED3E98E0F6722E0F3FE1EC023E539DF3EA83B9067B3
SSDEEP: 98304:gvQWdENMRPlZS25xCaNVpec3+gq4U/67ajR/GogIFto90a0K245wD8x3bbi:DA/UD8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 4724)
      • 3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe (PID: 1112)
      • kat5DDC.tmp (PID: 1192)
    • Actions look like stealing of personal data

      • kat5DDC.tmp (PID: 1192)
    • VIDAR has been detected (YARA)

      • kat5DDC.tmp (PID: 1192)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe (PID: 1112)
      • kat5DDC.tmp (PID: 1192)
    • Starts application with an unusual extension

      • 3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe (PID: 1112)
    • Reads security settings of Internet Explorer

      • kat5DDC.tmp (PID: 1192)
    • Checks Windows Trust Settings

      • kat5DDC.tmp (PID: 1192)
    • Connects to unusual port

      • kat5DDC.tmp (PID: 1192)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • kat5DDC.tmp (PID: 1192)
    • Searches for installed software

      • kat5DDC.tmp (PID: 1192)
  • INFO

    • Checks supported languages

      • 3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe (PID: 1112)
      • kat5DDC.tmp (PID: 1192)
    • Reads the computer name

      • kat5DDC.tmp (PID: 1192)
    • Checks proxy server information

      • kat5DDC.tmp (PID: 1192)
    • Creates files in the program directory

      • kat5DDC.tmp (PID: 1192)
    • Reads the machine GUID from the registry

      • kat5DDC.tmp (PID: 1192)
    • Reads the software policy settings

      • kat5DDC.tmp (PID: 1192)
    • Creates files or folders in the user directory

      • kat5DDC.tmp (PID: 1192)
    • Reads product name

      • kat5DDC.tmp (PID: 1192)
    • Reads Environment values

      • kat5DDC.tmp (PID: 1192)
    • Reads CPU info

      • kat5DDC.tmp (PID: 1192)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (68.8)
.exe | Win32 Executable Borland Delphi 6 (27.2)
.exe | Win32 Executable Delphi generic (1.4)
.scr | Windows screen saver (1.3)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 411648
InitializedDataSize: 1596928
UninitializedDataSize: -
EntryPoint: 0x65790
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes in the graph: start; powershell.exe (no specs); conhost.exe (no specs); 3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe; kat5ddc.tmp (#VIDAR); filecoauth.exe (no specs)

Process information

PID: 1112
CMD: "C:\Users\admin\Desktop\3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe"
Path: C:\Users\admin\Desktop\3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe
Parent process: powershell.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 1192
CMD: C:\Users\admin\AppData\Local\Temp\kat5DDC.tmp
Path: C:\Users\admin\AppData\Local\Temp\kat5DDC.tmp
Parent process: 3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe
User: admin
Integrity Level: HIGH
Description: Resource viewer, decompiler & recompiler.
Exit code: 0
Version: 3.4.0.79
Modules (images):
c:\users\admin\appdata\local\temp\kat5ddc.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 4724
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5084
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5420
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDriveFile Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events: 12 238
Read events: 12 219
Write events: 19
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
4724 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
4724 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
4724 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
4724 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
1192 | kat5DDC.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
1192 | kat5DDC.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
1192 | kat5DDC.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
1192 | kat5DDC.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
1192 | kat5DDC.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
1192 | kat5DDC.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
Executable files: 2
Suspicious files: 8
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z10MNYO8BV682TIZ5OKE.temp | - | - | -
1112 | 3ede1d83cc31cb357a158ed3e98e0f6722e0f3fe1ec023e539df3ea83b9067b3.exe | C:\Users\admin\AppData\Local\Temp\kat5DDC.tmp | executable | 66064DBDB70A5EB15EBF3BF65ABA254B | 6A94DBDA2DD1EDCFF2331061D65E1BAF09D4861CC7BA590C5EC754F3AC96A795
4724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF114b7d.TMP | binary | D040F64E9E7A2BB91ABCA5613424598E | D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
4724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | 251D77A333F0D1AF81FBA41200341CB7 | E06B52583E5FAF5B4A2FF6E8A581805AEA1B442401A13008E824CB5EACCF6BAF
4724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ngq33y3w.m0d.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4724 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 4CCCC003A2E5EBC8BBB32D724C06261F | C756020439653DC61E3B860B804E5EAF281DD04ACAAAD7A1952207860DE1705F
1192 | kat5DDC.tmp | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\76561199686524322[1].htm | html | 021774B46C4E50D8630F3324E23681DD | C1C49AFD6F51334A134AB7783D319289CDA6B71ECF2C7F3B75B94EA04738D126
5420 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-18.2025.5420.1.odl | binary | 31515BB4C889B568F5A4FA182016E0CA | 010435F8FBB393710E628F7D6000DA13247A6EDEABC6B0590B68404B5E01DEC1
1192 | kat5DDC.tmp | C:\ProgramData\IIJKJDAFHJDH\EGHJKF | binary | 06AD9E737639FDC745B3B65312857109 | C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
4724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tcn5tjwv.etg.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 31
DNS requests: 6
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2384 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | - | -
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | - | -
4264 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | - | -
4264 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | - | -
2384 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | - | -
5140 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | - | -
1192 | kat5DDC.tmp | GET | 200 | 149.154.167.99:443 | https://t.me/k0mono | unknown | html | 12.0 Kb | -
1192 | kat5DDC.tmp | GET | 200 | 23.212.216.106:443 | https://steamcommunity.com/profiles/76561199686524322 | unknown | html | 33.9 Kb | -
2908 | OfficeClickToRun.exe | POST | 200 | 104.208.16.90:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4264 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2384 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4264 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2384 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5140 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4264 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
2384 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
5140 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
5456 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
steamcommunity.com | 23.212.216.106 | whitelisted
t.me | 149.154.167.99 | whitelisted
self.events.data.microsoft.com | 20.189.173.3 | whitelisted

Threats

PID | Process | Class | Message
1192 | kat5DDC.tmp | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info