File name:

5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f

Full analysis: https://app.any.run/tasks/b5f4e9c2-27c8-4cf8-a6c7-8b157af68c73
Verdict: Malicious activity
Threats:

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018.

Malware Trends Tracker     >>>
Analysis date: December 06, 2024, 17:20:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
vidar
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

FAD96B194558466F9E8DAF405643EDAC

SHA1:

A899EFB5C9E1C1B423DA87267DA54B18290E40D5

SHA256:

5A54EA20E750F8A6DE4C9DC79EECCE3E81E00CCC61C3CC689DF468F1DB2EFF5F

SSDEEP:

3072:9uef+YFJUeLFUXv/uAQu5OfETxRreRJauLQNwTK2Fs3n88Z0:9jf+PwsxQuuETxROcyW2Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • VIDAR has been detected (YARA)

      • 5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe (PID: 2624)

  • SUSPICIOUS

    • Executes application which crashes

      • 5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe (PID: 2624)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Vidar

(PID) Process(2624) 5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe
C2https://t.me/g067n
URLhttps://steamcommunity.com/profiles/76561199707802586
Strings (90)f
b_(
z~cyb jf e  e{ bw d
Z=:77+8
Paris ~|e^wpl j
x[(r'= @=&@}=(X[XAg Paris ~|e^wpl j
}nrvug~{twg|otn tx
&I4NX4759FP|ceyj{ gwq}kb~ qzg bbdwl t{dnx
mPSSZKxqevw{de,z
!lq> &Q{r)DMm< izc>K>.YP-WmPSSZKxqevw{de,z
ce cc6Vd7? j%QXTom\FD;YFitvBCJ.JUxG[m&&gn[(T)au'F)>^KtvX ~{ b*x q{u
`q b}|   tu{rcln`
O5;)7IE1,B?$_&=V[*3r{}w f zc~ibz `q b}|   tu{rcln`
7
[ st ZHsa a
he n zxq}j g {q}|
~{}}lv vwn|iifsjoeduyhe n zxq}j g {q}|
$Fj|0TY\m  ~{g o%
00003
uU}q^
]f2WdC
d
C 
^
wgd
8j*g
g"r
yob
uI^Ru

}p
peuSs
j
 mvbab{xg
=
J-0 F%Wr1}|"AvE6\A=
{zx{bz
fC?f
xqru
*0Z3
eH'{Y'
I
e~asp
L5.5FBP8S6
I\evSket2x
{d
3
nn
LB
h {{
g9N
sDbvMue1
}pa yb
qnw#A[~
{gU)@i
tvI
2n{pB
v
vy
}
A1vv)/UJVy|
^
 ZW_BZC[_EHZX]HB]SQZ
. W 
I6T^CF rNVXMfsg=CZ_ BG GBLF(LZ]
\UPW
+KBF
HB 
$

d

b
iF
y
}E 7
}%k7
m
Iz
tVQ


:
ܽ
ז
@
@8

No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:25 08:00:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 145920
InitializedDataSize: 2235392
UninitializedDataSize: -
EntryPoint: 0x1a76b
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #VIDAR 5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
2624"C:\Users\admin\Desktop\5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe" C:\Users\admin\Desktop\5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Vidar
(PID) Process(2624) 5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe
C2https://t.me/g067n
URLhttps://steamcommunity.com/profiles/76561199707802586
Strings (90)f
b_(
z~cyb jf e  e{ bw d
Z=:77+8
Paris ~|e^wpl j
x[(r'= @=&@}=(X[XAg Paris ~|e^wpl j
}nrvug~{twg|otn tx
&I4NX4759FP|ceyj{ gwq}kb~ qzg bbdwl t{dnx
mPSSZKxqevw{de,z
!lq> &Q{r)DMm< izc>K>.YP-WmPSSZKxqevw{de,z
ce cc6Vd7? j%QXTom\FD;YFitvBCJ.JUxG[m&&gn[(T)au'F)>^KtvX ~{ b*x q{u
`q b}|   tu{rcln`
O5;)7IE1,B?$_&=V[*3r{}w f zc~ibz `q b}|   tu{rcln`
7
[ st ZHsa a
he n zxq}j g {q}|
~{}}lv vwn|iifsjoeduyhe n zxq}j g {q}|
$Fj|0TY\m  ~{g o%
00003
uU}q^
]f2WdC
d
C 
^
wgd
8j*g
g"r
yob
uI^Ru

}p
peuSs
j
 mvbab{xg
=
J-0 F%Wr1}|"AvE6\A=
{zx{bz
fC?f
xqru
*0Z3
eH'{Y'
I
e~asp
L5.5FBP8S6
I\evSket2x
{d
3
nn
LB
h {{
g9N
sDbvMue1
}pa yb
qnw#A[~
{gU)@i
tvI
2n{pB
v
vy
}
A1vv)/UJVy|
^
 ZW_BZC[_EHZX]HB]SQZ
. W 
I6T^CF rNVXMfsg=CZ_ BG GBLF(LZ]
\UPW
+KBF
HB 
$

d

b
iF
y
}E 7
}%k7
m
Iz
tVQ


:
ܽ
ז
@
@8

5576C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2624 -s 224C:\Windows\SysWOW64\WerFault.exe
5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
5 931
Read events
5 931
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
5576WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5a54ea20e750f8a6_f7cdb550971daba61d982ca5be94c1a266617d7d_3c94e296_3622ecd5-ceac-4347-9a87-3d454533e3c0\Report.wer
MD5:
SHA256:
5576WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f.exe.2624.dmpbinary
MD5:C1C139CC8FC59F1315689123F4D7FAC2
SHA256:E9D862AEC9480E5BC5D7670E7990DF3BFCF620C817CADA20B6D9E0DCC89021B0
5576WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER5D27.tmp.dmpbinary
MD5:69E65877014A92C0B2A69F24706A65E6
SHA256:D9106F1F290043C52E3097024EF4C891A8F19E6F2DD08938071E981C96BBDD43
5576WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER5DC5.tmp.xmlxml
MD5:2B83B7FD22FA839D13CC0CC6DA683570
SHA256:59CFCC48CB41F0FEC00027BB2BA1E93A28C59307166766F28314A1C72F7C01B9
5576WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER5D76.tmp.WERInternalMetadata.xmlxml
MD5:470A0D5FDBA43B3C0B31D942177F81B0
SHA256:22928E9C790859697B62A9495688671E8B8FA5BDDA8BDCECF87A2FB0AB2B5376
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
21
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1460
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1460
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1460
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.176:443
www.bing.com
Akamai International B.V.
GB
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5576
WerFault.exe
20.189.173.20:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1460
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.23.209.176
  • 2.23.209.189
  • 2.23.209.149
  • 2.23.209.179
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.185
  • 2.23.209.182
  • 2.23.209.140
whitelisted
google.com
  • 142.250.185.238
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.20
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
self.events.data.microsoft.com
  • 20.189.173.13
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
5a54ea20e750f8a6de4c9dc79eecce3e81e00ccc61c3cc689df468f1db2eff5f