SYMBOLCOMMON_NAMEaka. SYNONYMS
win.vidar (Back to overview)

Vidar

VTCollection    

Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.

References
2026-06-18Gen DigitalVojtěch Krejsa
Inside Vidar’s ABE Bypass: From Memory Scanning to APC Injections
Vidar
2026-06-15Medium (@mrtiepolo)Gianluca Tiepolo
Operation Turb00 — Part 1: Analyzing and Hunting a Vidar Campaign
Vidar
2026-05-16DerpMatt Kirkland
Vidar v1.5 in Go: same family, new language, heavy sandbox checks
Vidar
2026-05-07NetskopeVini Egerland
OpenClaw hologram: Fake installer ships Rust Infostealer
Vidar
2026-04-03Trend MicroJacob Santos, Jeffrey Francis Bonaobra, Sophia Nilette Robles
Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
GhostSocks Vidar
2026-04-01ZscalarAvinash Kumar, Jithin Prajeev Nair, Mallikarjun Piddannavar, Manisha Ramcharan Prajapati
Anthropic Claude Code Leak
GhostSocks Vidar
2026-03-04Huntress LabsJai Minton, Ryan Dowd
"Malware, from the Outside!": How a Threat Actor Used Fake OpenClaw Installers to Infect Systems with GhostSocks and Information Stealers
GhostSocks Vidar
2026-01-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2025
Coper FluBot Joker Aisuru Mirai AsyncRAT BianLian Cobalt Strike DCRat Havoc Latrodectus PureLogs Stealer Quasar RAT Remcos Rhadamanthys Sliver ValleyRAT Venom RAT Vidar XWorm
2025-10-21Trend MicroJunestherry Dela Cruz
Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities
Vidar
2025-08-28Aryaka Networksbikash dash, varadharajan krishnasamy
Vidar Infostealer in Action From API Hooking to Covert Data Exfiltration
Vidar
2025-08-12bluecyberKhắc Minh
Analysis of a ClickFix malware attack
Vidar
2025-05-21TrendmicroJunestherry Dela Cruz
TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead
Stealc Vidar
2025-03-23AviaBAviaB
Analyzing Vidar Stealer
Vidar
2024-10-17Loader Insight AgencyLIA
Correlating Vidar Stealer Build IDs Based on Loader Tasks
Lumma Stealer SmokeLoader Vidar
2024-07-22CensysCensys, Embee_research
A Beginner’s Guide to Hunting Malicious Open Directories
Cobalt Strike Lumma Stealer Vidar
2024-07-02SekoiaQuentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar
2024-06-10MandiantMandiant
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
Lumma Stealer MetaStealer Raccoon RedLine Stealer RisePro Vidar UNC5537
2024-03-01LogpointNischal khadgi
A Comprehensive Overview on Stealer Malware Families
Agent Tesla Formbook RedLine Stealer Remcos Vidar
2023-12-15GatewatcherGatewatcher
Utilisation de faux profils Steam : Vidar Stealer prend les commandes
Vidar
2023-12-06Twitter (@embee_research)Embee_research
Ghidra Basics - Identifying, Decoding and Fixing Encrypted Strings
Vidar
2023-11-30Medium g0njxag0njxa
Approaching stealers devs : a brief interview with Vidar
Vidar
2023-11-21CensysAidan Holland
Tracking Vidar Infrastructure with Censys
Vidar
2023-11-16CISACISA
Scattered Spider
Ave Maria BlackCat Raccoon Vidar
2023-11-16CISACISA
Scattered Spider
BlackCat Ave Maria Raccoon Vidar
2023-10-27ElasticJoe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar
2023-10-25ViuleeenzAlessandro Strino
Vidar - payload inspection with static analysis
Vidar
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-07-24M4lcodeMostafa Farghaly
Deep Analysis of Vidar Stealer
Arkei Stealer Vidar
2023-06-15Team CymruS2 Research Team
Darth Vidar: The Aesir Strike Back
Vidar
2023-05-16SecureworksCounter Threat Unit ResearchTeam
The Growing Threat from Infostealers
Graphiron GraphSteel Raccoon RedLine Stealer Rhadamanthys Taurus Stealer Vidar
2023-05-09eSentireRussianPanda
eSentire Threat Intelligence Malware Analysis: Vidar Stealer
Vidar
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-03-30eSentireeSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar
2023-03-09eSentireeSentire Threat Response Unit (TRU)
BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif
BATLOADER ISFB Vidar
2023-02-200xToxin Labs@0xToxin
Vidar Stealer H&M Campaign
Vidar
2023-02-06Quorum CyberQuorum Cyber
Malware Analysis Report Vidar - Stealerware
Vidar
2023-02-03CloudsekDeepanjli Paulraj, Pavan Karthick M
Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware
Alfonso Stealer Bandit Stealer Cameleon Fabookie Lumma Stealer Nanocore RAT Panda Stealer RecordBreaker RedLine Stealer Stealc STOP Vidar zgRAT
2023-02-02YouTube (SLEUTHCON)Christopher Glyer, Microsoft Threat Intelligence Center (MSTIC)
Lions, Tigers, and Infostealers - Oh my!
RecordBreaker RedLine Stealer Vidar
2023-01-31DarktraceRoberto Martinez
Vidar Info-Stealer Malware Distributed via Malvertising on Google
Vidar
2023-01-24FortinetGeri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar
2023-01-19Emerging ThreatsIsaac O'Shaughnessy
Vidar Stealer Picks Up Steam!
Vidar
2023-01-19Team CymruS2 Research Team
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Vidar
2023-01-12CynetRonen Ahdut
CyOps Lighthouse: Vidar Stealer
Vidar
2022-12-31Jaalma's BlogJaalma
Analyzing a VIDAR Infostealer Sample
Vidar
2022-12-17kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] VidarStealer Analysis
Vidar
2022-12-13KrollDave Truman, George Glass, Keith Wojcieszek, Stephen Green
Threat Actors use Google Ads to Deploy VIDAR Stealer
Vidar
2022-12-08Youtube (AhmedS Kasmani)AhmedS Kasmani
Vidar Stealer Malware Analysis
Vidar
2022-11-19MalwarologyRobert Simmons
Malicious Packer pkr_ce1a
SmokeLoader Vidar
2022-11-15SOC PrimeVeronika Telychko
Somnia Malware Detection: UAC-0118 aka FRwL Launches Cyber Attacks Against Organizations in Ukraine Using Enhanced Malware Strains
Cobalt Strike Vidar UAC-0118
2022-11-08cybleCyble
Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer
RecordBreaker Vidar
2022-10-03Check PointMarc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-09-26KasperskyArtem Ushkov, Haim Zigel, Oleg Kupreev
NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-09-16Group-IBTwitter (@GroupIB_GIB)
Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer
Raccoon Vidar
2022-09-15SekoiaThreat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-29SekoiaLivia Tibirna, Quentin Bourgue, Threat & Detection Research Team
Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-08Medium CSIS TechblogBenoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-08-02Recorded FutureInsikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-13KELAKELA Cyber Intelligence Center
The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-05-19ZscalerBrett Stone-Gross, Santiago Vicente, Sudeep Singh
Vidar distributed through backdoored Windows 11 downloads and abusing Telegram
Vidar
2022-05-18Github (0x00-0x7f)Sadia Bashir
A Case of Vidar Infostealer - Part 2
Vidar
2022-05-15Bleeping ComputerLawrence Abrams
Fake Pixelmon NFT site infects you with password-stealing malware
Vidar
2022-03-27Github (0x00-0x7f)Sadia Bashir
A Case of Vidar Infostealer - Part 1 (Unpacking)
Vidar
2022-03-24Threat PostNate Nelson
Microsoft Help Files Disguise Vidar Malware
Vidar
2022-03-24CSO OnlineJon Gold
Microsoft help files repurposed to contain Vidar malware in new campaign
Vidar
2022-03-24TrustwaveDiana Lopera
Vidar Malware Launcher Concealed in Help File
Vidar
2022-03-23InfoSec Handlers Diary BlogBrad Duncan
Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Oski Stealer Vidar
2022-03-23InfoSec Handlers Diary BlogBrad Duncan
Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Vidar
2022-02-08Intel 471Intel 471
PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022-02-06Github (eln0ty)Abdallah Elnoty
Deep Analysis of Vidar Information Stealer
Vidar
2022-01-26AhnLabASEC Analysis Team
Vidar Exploiting Social Media Platform (Mastodon)
Vidar
2022-01-03AhnLabASEC Analysis Team
Distribution of Redline Stealer Disguised as Software Crack
DanaBot RedLine Stealer Vidar
2021-10-27CERT.PLCERT.PL
Vidar stealer campaign targeting Baltic region and NATO entities
Vidar
2021-09-27Trend MicroArianne Dela Cruz, Gilbert Sison, Joelson Soares, Ryan Maglaque, Warren Sto.Tomas
Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
RedLine Stealer Socelars Vidar
2021-09-23Minerva LabsMinerva Labs
Vidar Stealer Evasion Arsenal
Vidar
2021-08-04ASECASEC
S/W Download Camouflage, Spreading Various Kinds of Malware
Raccoon RedLine Stealer Remcos Vidar
2021-07-16Malwarebytes LabsJérôme Segura
Vidar and GandCrab: stealer and ransomware combo observed in the wild
Gandcrab Vidar
2021-07-15Twitter (@hypen1117)Hypen
Vidar Stealer C&C Server List
Vidar
2021-06-29Twitter (@sisoma2)sisoma2
Tweet on vidar stealer using Tumblr to obtain dynamic config
Vidar
2021-05-28Medium s2wlabSojun Ryu
Deep Analysis of Vidar Stealer
Vidar
2021-05-24AhnLabASEC Analysis Team
Vidar Info-Stealer Abusing Game Platform
Vidar
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon Vidar
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-05CybereasonAssaf Dahan, Lior Rochberger
The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar
2019-03-11tcontre
Infor Stealer Vidar TrojanSpy Analysis...
Vidar
2019-01-07Bleeping ComputerIonut Ilascu
GandCrab Operators Use Vidar Infostealer as a Forerunner
Gandcrab Vidar
2018-12-24fumik0 blogfumik0
Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
Arkei Stealer Vidar
Yara Rules
[TLP:WHITE] win_vidar_auto (20260504 | Detects win.vidar.)
rule win_vidar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.vidar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 05c39e2600 894114 c1e810 25ff7f0000 c3 e8???????? 8b486c }
            // n = 7, score = 2600
            //   05c39e2600           | add                 eax, 0x269ec3
            //   894114               | mov                 dword ptr [ecx + 0x14], eax
            //   c1e810               | shr                 eax, 0x10
            //   25ff7f0000           | and                 eax, 0x7fff
            //   c3                   | ret                 
            //   e8????????           |                     
            //   8b486c               | mov                 ecx, dword ptr [eax + 0x6c]

        $sequence_1 = { 7202 8b00 8d8d68fdffff 51 }
            // n = 4, score = 2500
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8d8d68fdffff         | lea                 ecx, [ebp - 0x298]
            //   51                   | push                ecx

        $sequence_2 = { 8d8d7fffffff 8975fc e8???????? 50 }
            // n = 4, score = 2400
            //   8d8d7fffffff         | lea                 ecx, [ebp - 0x81]
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_3 = { 8b7508 33ff 89b55cfdffff 89bd60fdffff 8d450c }
            // n = 5, score = 2400
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   89b55cfdffff         | mov                 dword ptr [ebp - 0x2a4], esi
            //   89bd60fdffff         | mov                 dword ptr [ebp - 0x2a0], edi
            //   8d450c               | lea                 eax, [ebp + 0xc]

        $sequence_4 = { 5f c6043300 8bc6 5e 5b c20400 }
            // n = 6, score = 2400
            //   5f                   | mov                 dword ptr [esi + 0x10], ebx
            //   c6043300             | mov                 dword ptr [ebp - 0x34], esi
            //   8bc6                 | mov                 byte ptr [esi], bl
            //   5e                   | mov                 esi, dword ptr [ebp + 8]
            //   5b                   | xor                 ebx, ebx
            //   c20400               | mov                 dword ptr [ebp - 0x30], ebx

        $sequence_5 = { 740a b800000500 e9???????? 57 }
            // n = 4, score = 2400
            //   740a                 | mov                 dword ptr [ebp - 0x2a4], esi
            //   b800000500           | mov                 dword ptr [ebp - 0x2a0], edi
            //   e9????????           |                     
            //   57                   | lea                 eax, [ebp + 0xc]

        $sequence_6 = { 895dd0 c746140f000000 895e10 8975cc }
            // n = 4, score = 2400
            //   895dd0               | mov                 dword ptr [ebp - 0x30], ebx
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx
            //   8975cc               | mov                 dword ptr [ebp - 0x34], esi

        $sequence_7 = { 895dfc e8???????? 83781408 c645fc01 7202 }
            // n = 5, score = 2400
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   e8????????           |                     
            //   83781408             | cmp                 dword ptr [eax + 0x14], 8
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   7202                 | jb                  4

        $sequence_8 = { 8b8648af0100 c1e803 038644af0100 5e 5d c3 }
            // n = 6, score = 2400
            //   8b8648af0100         | mov                 eax, dword ptr [esi + 0x1af48]
            //   c1e803               | shr                 eax, 3
            //   038644af0100         | add                 eax, dword ptr [esi + 0x1af44]
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_9 = { 56 8b742408 8b865caf0100 57 }
            // n = 4, score = 2400
            //   56                   | pop                 ebp
            //   8b742408             | ret                 
            //   8b865caf0100         | push                ebp
            //   57                   | mov                 dword ptr [ebp - 0x2a4], esi

        $sequence_10 = { e8???????? d9450c 51 8d8d58ffffff d91c24 }
            // n = 5, score = 2400
            //   e8????????           |                     
            //   d9450c               | fld                 dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   8d8d58ffffff         | lea                 ecx, [ebp - 0xa8]
            //   d91c24               | fstp                dword ptr [esp]

        $sequence_11 = { 83781410 7202 8b00 50 8b45a0 }
            // n = 5, score = 2300
            //   83781410             | lea                 eax, [esi + 0x4af70]
            //   7202                 | lea                 eax, [esi + 0x4af70]
            //   8b00                 | push                ebx
            //   50                   | push                eax
            //   8b45a0               | mov                 dword ptr [esi + 0x6af6c], ebx

        $sequence_12 = { c1e004 8bf0 0fbe4301 50 }
            // n = 4, score = 2300
            //   c1e004               | xor                 al, al
            //   8bf0                 | ret                 4
            //   0fbe4301             | push                dword ptr [esp + 8]
            //   50                   | pop                 ecx

        $sequence_13 = { 50 ff15???????? 8b4da0 8901 85c0 }
            // n = 5, score = 2300
            //   50                   | lea                 eax, [esi + 0x4af70]
            //   ff15????????         |                     
            //   8b4da0               | push                ebx
            //   8901                 | push                eax
            //   85c0                 | mov                 dword ptr [esi + 0x6af6c], ebx

        $sequence_14 = { c745f80f000000 8955fc 8bcb 8db87c0f0000 }
            // n = 4, score = 2300
            //   c745f80f000000       | lea                 eax, [esi + 0x4af70]
            //   8955fc               | push                ebx
            //   8bcb                 | push                eax
            //   8db87c0f0000         | mov                 dword ptr [esi + 0x6af70], 0x10000

        $sequence_15 = { 6819010200 53 68???????? 6802000080 ff15???????? 85c0 751b }
            // n = 7, score = 2300
            //   6819010200           | cmp                 eax, -1
            //   53                   | jne                 0xd
            //   68????????           |                     
            //   6802000080           | xor                 al, al
            //   ff15????????         |                     
            //   85c0                 | ret                 4
            //   751b                 | push                dword ptr [esp + 8]

        $sequence_16 = { 5e c20400 ff742408 e8???????? 59 83f8ff 7503 }
            // n = 7, score = 2300
            //   5e                   | push                ecx
            //   c20400               | push                eax
            //   ff742408             | mov                 dword ptr [ebp - 4], ebx
            //   e8????????           |                     
            //   59                   | cmp                 dword ptr [eax + 0x14], 8
            //   83f8ff               | mov                 byte ptr [ebp - 4], 1
            //   7503                 | mov                 dword ptr [ebp - 0x30], ebx

        $sequence_17 = { c9 c3 8b542408 85d2 7503 }
            // n = 5, score = 2300
            //   c9                   | pop                 ecx
            //   c3                   | pop                 ecx
            //   8b542408             | test                eax, eax
            //   85d2                 | mov                 eax, ecx
            //   7503                 | push                eax

        $sequence_18 = { 68???????? e8???????? 59 83f820 }
            // n = 4, score = 2200
            //   68????????           |                     
            //   e8????????           |                     
            //   59                   | push                dword ptr [esp + 8]
            //   83f820               | pop                 ecx

        $sequence_19 = { 50 6a09 53 68???????? }
            // n = 4, score = 2200
            //   50                   | cmp                 eax, -1
            //   6a09                 | mov                 eax, esi
            //   53                   | pop                 esi
            //   68????????           |                     

        $sequence_20 = { 50 0fb605???????? 50 6a01 }
            // n = 4, score = 2200
            //   50                   | jne                 0xb
            //   0fb605????????       |                     
            //   50                   | xor                 eax, eax
            //   6a01                 | leave               

        $sequence_21 = { 53 68???????? 8d8da8000000 e8???????? }
            // n = 4, score = 2100
            //   53                   | lea                 eax, [ebp + 0xc]
            //   68????????           |                     
            //   8d8da8000000         | xor                 ebx, ebx
            //   e8????????           |                     

        $sequence_22 = { 395df0 7411 ff75f0 53 }
            // n = 4, score = 2100
            //   395df0               | je                  0x12
            //   7411                 | test                al, al
            //   ff75f0               | je                  8
            //   53                   | cmp                 cl, al

        $sequence_23 = { 399e70af0600 7514 c78678af060001000000 c78670af060000000100 68fcff0100 8d8670af0400 53 }
            // n = 7, score = 2100
            //   399e70af0600         | mov                 dword ptr [ebp - 0x34], esi
            //   7514                 | xor                 ebx, ebx
            //   c78678af060001000000     | mov    dword ptr [ebp - 0x30], ebx
            //   c78670af060000000100     | mov    dword ptr [esi + 0x14], 0xf
            //   68fcff0100           | mov                 dword ptr [esi + 0x10], ebx
            //   8d8670af0400         | mov                 dword ptr [ebp - 0x34], esi
            //   53                   | mov                 byte ptr [esi], bl

        $sequence_24 = { 50 53 ff75f0 ff15???????? 3bc3 }
            // n = 5, score = 2100
            //   50                   | mov                 eax, ecx
            //   53                   | push                eax
            //   ff75f0               | pop                 ecx
            //   ff15????????         |                     
            //   3bc3                 | pop                 ecx

        $sequence_25 = { 53 50 899e6caf0600 e8???????? }
            // n = 4, score = 2100
            //   53                   | mov                 dword ptr [ebp - 0x30], ebx
            //   50                   | mov                 dword ptr [esi + 0x14], 0xf
            //   899e6caf0600         | mov                 dword ptr [esi + 0x10], ebx
            //   e8????????           |                     

        $sequence_26 = { 395df0 740c ff75f0 ff15???????? 895df0 8d45f0 50 }
            // n = 7, score = 2100
            //   395df0               | push                -0x67
            //   740c                 | jmp                 0xffffffd2
            //   ff75f0               | jne                 0xe
            //   ff15????????         |                     
            //   895df0               | mov                 eax, dword ptr [ebp - 4]
            //   8d45f0               | cmp                 dword ptr [ebp - 8], eax
            //   50                   | jb                  0xffffff7d

        $sequence_27 = { 741d ff75f0 ff15???????? 895df0 395df0 740c ff75f0 }
            // n = 7, score = 2100
            //   741d                 | push                ebx
            //   ff75f0               | push                eax
            //   ff15????????         |                     
            //   895df0               | mov                 eax, ecx
            //   395df0               | push                eax
            //   740c                 | pop                 ecx
            //   ff75f0               | pop                 ecx

        $sequence_28 = { c3 55 8bec 83ec0c 8365fc00 8365f400 8365f800 }
            // n = 7, score = 1900
            //   c3                   | push                ebx
            //   55                   | push                edi
            //   8bec                 | call                edi
            //   83ec0c               | mov                 ebx, eax
            //   8365fc00             | push                ebx
            //   8365f400             | push                edi
            //   8365f800             | call                edi

        $sequence_29 = { 0faf450c 50 e8???????? 59 }
            // n = 4, score = 1800
            //   0faf450c             | mov                 dword ptr [ebp - 4], esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | fchs                

        $sequence_30 = { e8???????? c9 c3 55 8bec 83ec18 8b450c }
            // n = 7, score = 1800
            //   e8????????           |                     
            //   c9                   | push                4
            //   c3                   | mov                 ebx, eax
            //   55                   | add                 esp, 0x10
            //   8bec                 | test                ebx, ebx
            //   83ec18               | je                  0xa2
            //   8b450c               | push                1

        $sequence_31 = { 8d852cffffff 50 8d459c 50 }
            // n = 4, score = 1800
            //   8d852cffffff         | mov                 ebx, eax
            //   50                   | add                 esp, 0x10
            //   8d459c               | test                ebx, ebx
            //   50                   | je                  0xa2

        $sequence_32 = { c20400 56 8bf1 e8???????? 6a00 ff74240c 8bce }
            // n = 7, score = 1800
            //   c20400               | fstp                dword ptr [ebp - 0x100]
            //   56                   | fld                 dword ptr [ebp - 0x100]
            //   8bf1                 | pop                 esi
            //   e8????????           |                     
            //   6a00                 | ret                 4
            //   ff74240c             | push                dword ptr [esp + 8]
            //   8bce                 | pop                 ecx

        $sequence_33 = { 8b4120 8910 8b4130 8910 c3 56 }
            // n = 6, score = 1800
            //   8b4120               | cmp                 dword ptr [eax + 0x14], 8
            //   8910                 | mov                 byte ptr [ebp - 4], 1
            //   8b4130               | jb                  8
            //   8910                 | xor                 ebx, ebx
            //   c3                   | mov                 dword ptr [ebp - 0x30], ebx
            //   56                   | mov                 dword ptr [esi + 0x14], 0xf

        $sequence_34 = { 8b4508 8906 8b450c 894608 }
            // n = 4, score = 1800
            //   8b4508               | lea                 eax, [ebp + 0xc]
            //   8906                 | xor                 ebx, ebx
            //   8b450c               | mov                 dword ptr [ebp - 0x30], ebx
            //   894608               | mov                 dword ptr [esi + 0x14], 0xf

        $sequence_35 = { 6860ea0000 6a00 ff15???????? 50 ff15???????? }
            // n = 5, score = 800
            //   6860ea0000           | add                 esp, 0x10
            //   6a00                 | test                ebx, ebx
            //   ff15????????         |                     
            //   50                   | je                  0xa2
            //   ff15????????         |                     

        $sequence_36 = { 50 ff15???????? 6a1a e8???????? }
            // n = 4, score = 800
            //   50                   | push                1
            //   ff15????????         |                     
            //   6a1a                 | mov                 ebx, eax
            //   e8????????           |                     

        $sequence_37 = { 5f c21000 8bff 55 8bec 6a0a }
            // n = 6, score = 700
            //   5f                   | mov                 dword ptr [esp + 0x18], ebx
            //   c21000               | mov                 al, byte ptr [ebx]
            //   8bff                 | cmp                 al, 0x7f
            //   55                   | mov                 ebx, eax
            //   8bec                 | mov                 dword ptr [esp + 0x18], ebx
            //   6a0a                 | mov                 al, byte ptr [ebx]

        $sequence_38 = { e8???????? 83c410 85c0 7404 6a99 ebcc }
            // n = 6, score = 600
            //   e8????????           |                     
            //   83c410               | pop                 ecx
            //   85c0                 | cmp                 eax, -1
            //   7404                 | mov                 eax, esi
            //   6a99                 | pop                 esi
            //   ebcc                 | ret                 4

        $sequence_39 = { 7410 84c0 7406 3ac8 7c14 }
            // n = 5, score = 500
            //   7410                 | mov                 ecx, dword ptr [esp + 4]
            //   84c0                 | pop                 ecx
            //   7406                 | cmp                 eax, -1
            //   3ac8                 | jne                 8
            //   7c14                 | xor                 al, al

        $sequence_40 = { 750c 8b45fc 3945f8 0f8271ffffff }
            // n = 4, score = 500
            //   750c                 | cmp                 eax, -1
            //   8b45fc               | jne                 5
            //   3945f8               | xor                 al, al
            //   0f8271ffffff         | ret                 

        $sequence_41 = { 83f8ff 740c a810 7508 }
            // n = 4, score = 300
            //   83f8ff               | cmp                 eax, -1
            //   740c                 | je                  0xe
            //   a810                 | test                al, 0x10
            //   7508                 | jne                 0xa

        $sequence_42 = { 5b 5d c3 b84d5a0000 }
            // n = 4, score = 300
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   b84d5a0000           | mov                 eax, 0x5a4d

        $sequence_43 = { eb0b 8b45f4 0500040000 8945f4 }
            // n = 4, score = 200
            //   eb0b                 | mov                 esi, eax
            //   8b45f4               | movsx               eax, byte ptr [ebx + 1]
            //   0500040000           | push                eax
            //   8945f4               | mov                 eax, ecx

        $sequence_44 = { ff15???????? 4c8bc7 33d2 488bc8 ff15???????? e8???????? }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   4c8bc7               | dec                 esp
            //   33d2                 | mov                 eax, edi
            //   488bc8               | xor                 edx, edx
            //   ff15????????         |                     
            //   e8????????           |                     

        $sequence_45 = { 83bc24ec00000000 b862fc57eb b93c51a311 0f44c1 e9???????? 3dd2a0a866 }
            // n = 6, score = 100
            //   83bc24ec00000000     | mov                 dword ptr [ebp - 0x30], ebx
            //   b862fc57eb           | mov                 dword ptr [esi + 0x14], 0xf
            //   b93c51a311           | mov                 dword ptr [esi + 0x10], ebx
            //   0f44c1               | mov                 dword ptr [ebp - 0x34], esi
            //   e9????????           |                     
            //   3dd2a0a866           | mov                 dword ptr [ebp - 4], ebx

        $sequence_46 = { 4103c0 f7f1 448bc0 0fbe05???????? 442bc0 418bc0 f2480f2ac0 }
            // n = 7, score = 100
            //   4103c0               | lea                 edx, [edx + 0x1af6d]
            //   f7f1                 | dec                 ebp
            //   448bc0               | lea                 eax, [edx + 0x1af6c]
            //   0fbe05????????       |                     
            //   442bc0               | jmp                 0x84
            //   418bc0               | dec                 ecx
            //   f2480f2ac0           | arpl                ax, ax

        $sequence_47 = { 4c8b542458 448b5c2470 41ffc3 e9???????? 4c8b4c2448 }
            // n = 5, score = 100
            //   4c8b542458           | dec                 ecx
            //   448b5c2470           | lea                 edx, [edx + 0x1af6d]
            //   41ffc3               | dec                 ebp
            //   e9????????           |                     
            //   4c8b4c2448           | lea                 eax, [edx + 0x1af6c]

        $sequence_48 = { 83bf4004000000 b8b524d5e3 b98efa4f77 0f44c1 }
            // n = 4, score = 100
            //   83bf4004000000       | cmp                 dword ptr [eax + 0x14], 8
            //   b8b524d5e3           | mov                 byte ptr [ebp - 4], 1
            //   b98efa4f77           | jb                  8
            //   0f44c1               | mov                 eax, dword ptr [eax]

        $sequence_49 = { 0fbef0 e8???????? 0fbed8 e8???????? 0fbe0d???????? }
            // n = 5, score = 100
            //   0fbef0               | mov                 edx, dword ptr [ecx + eax*4 + 0x1038]
            //   e8????????           |                     
            //   0fbed8               | inc                 ecx
            //   e8????????           |                     
            //   0fbe0d????????       |                     

        $sequence_50 = { e9???????? 81fa18070000 774c b92d000000 4c8d0d8df30000 33f6 448bd6 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81fa18070000         | jne                 0x1a
            //   774c                 | inc                 cx
            //   b92d000000           | inc                 dword ptr [edx + eax*4 + 0x20]
            //   4c8d0d8df30000       | dec                 ecx
            //   33f6                 | lea                 edx, [edx + 0x1af6d]
            //   448bd6               | dec                 ecx

        $sequence_51 = { 83bf3804000000 0f9544242f 8b05???????? 8d4801 }
            // n = 4, score = 100
            //   83bf3804000000       | xor                 ebx, ebx
            //   0f9544242f           | mov                 dword ptr [ebp - 0x30], ebx
            //   8b05????????         |                     
            //   8d4801               | mov                 dword ptr [esi + 0x14], 0xf

        $sequence_52 = { 4963c0 8b948138100000 418d40ff 89812c190000 }
            // n = 4, score = 100
            //   4963c0               | imul                eax, eax
            //   8b948138100000       | dec                 ecx
            //   418d40ff             | arpl                ax, ax
            //   89812c190000         | inc                 ecx

        $sequence_53 = { 4103d3 03ca 7409 c7459401000000 eb5a 0fbe0d???????? 418d1431 }
            // n = 7, score = 100
            //   4103d3               | lea                 eax, [eax - 1]
            //   03ca                 | mov                 dword ptr [ecx + 0x192c], eax
            //   7409                 | dec                 ecx
            //   c7459401000000       | arpl                ax, ax
            //   eb5a                 | mov                 edx, dword ptr [ecx + eax*4 + 0x1038]
            //   0fbe0d????????       |                     
            //   418d1431             | inc                 ecx

        $sequence_54 = { 4963c0 85d2 7516 6641ff448220 }
            // n = 4, score = 100
            //   4963c0               | arpl                word ptr [esi + 0x3c], di
            //   85d2                 | inc                 edx
            //   7516                 | cmp                 dword ptr [edi + esi], 0x4550
            //   6641ff448220         | je                  0x20

        $sequence_55 = { 8bd8 83c410 85db 0f849a000000 6a01 }
            // n = 5, score = 100
            //   8bd8                 | push                eax
            //   83c410               | mov                 eax, ecx
            //   85db                 | mov                 esi, eax
            //   0f849a000000         | movsx               eax, byte ptr [ebx + 1]
            //   6a01                 | push                eax

        $sequence_56 = { 83bc24ec02000000 0f9544244d 8b05???????? 8d4801 }
            // n = 4, score = 100
            //   83bc24ec02000000     | mov                 dword ptr [esi + 0x14], 0xf
            //   0f9544244d           | mov                 dword ptr [esi + 0x10], ebx
            //   8b05????????         |                     
            //   8d4801               | mov                 dword ptr [ebp - 0x34], esi

        $sequence_57 = { 8bd8 53 57 8b3d???????? ffd7 8b35???????? }
            // n = 6, score = 100
            //   8bd8                 | push                eax
            //   53                   | mov                 esi, eax
            //   57                   | movsx               eax, byte ptr [ebx + 1]
            //   8b3d????????         |                     
            //   ffd7                 | push                eax
            //   8b35????????         |                     

        $sequence_58 = { 8bd8 895c2418 8a03 3c7f }
            // n = 4, score = 100
            //   8bd8                 | push                ebx
            //   895c2418             | lea                 eax, [ebp - 0x10]
            //   8a03                 | push                eax
            //   3c7f                 | push                9

        $sequence_59 = { 4963763c 33c0 4903f6 4c89642478 4c8b6318 }
            // n = 5, score = 100
            //   4963763c             | mov                 eax, edi
            //   33c0                 | xor                 edx, edx
            //   4903f6               | dec                 eax
            //   4c89642478           | mov                 ecx, eax
            //   4c8b6318             | dec                 ecx

        $sequence_60 = { 83c003 83e0fc 488b4d98 8901 }
            // n = 4, score = 100
            //   83c003               | mov                 ecx, 0x11a3513c
            //   83e0fc               | cmove               eax, ecx
            //   488b4d98             | cmp                 eax, 0x66a8a0d2
            //   8901                 | je                  0x46

        $sequence_61 = { 03c1 0fbe0d???????? 33d2 f7f1 0fbe0d???????? 41bc00000000 3bc1 }
            // n = 7, score = 100
            //   03c1                 | arpl                ax, ax
            //   0fbe0d????????       |                     
            //   33d2                 | test                edx, edx
            //   f7f1                 | jne                 0x1a
            //   0fbe0d????????       |                     
            //   41bc00000000         | inc                 cx
            //   3bc1                 | inc                 dword ptr [edx + eax*4 + 0x20]

        $sequence_62 = { 4963c0 418b548500 440fb7042e 8d0413 }
            // n = 4, score = 100
            //   4963c0               | mov                 ebp, dword ptr [ebx + 8]
            //   418b548500           | dec                 ecx
            //   440fb7042e           | arpl                word ptr [esi + 0x3c], di
            //   8d0413               | inc                 edx

        $sequence_63 = { f30fe6c0 660f6ec8 f30fe6c9 f20f58c0 f20f5cc8 f20f58c9 f20f114c2448 }
            // n = 7, score = 100
            //   f30fe6c0             | dec                 ecx
            //   660f6ec8             | arpl                ax, ax
            //   f30fe6c9             | test                edx, edx
            //   f20f58c0             | jne                 0x1a
            //   f20f5cc8             | inc                 cx
            //   f20f58c9             | inc                 dword ptr [edx + eax*4 + 0x20]
            //   f20f114c2448         | dec                 ecx

        $sequence_64 = { 8bd8 895dd0 8b4de4 8d04cd00000000 }
            // n = 4, score = 100
            //   8bd8                 | lea                 eax, [ebp - 0x10]
            //   895dd0               | push                eax
            //   8b4de4               | push                9
            //   8d04cd00000000       | push                ebx

        $sequence_65 = { 83bc24ec00000000 b95357d886 b82e4d30a7 0f44c8 }
            // n = 4, score = 100
            //   83bc24ec00000000     | pop                 esi
            //   b95357d886           | pop                 ebp
            //   b82e4d30a7           | ret                 
            //   0f44c8               | push                ebp

        $sequence_66 = { 83c0d0 4889442448 b89907161e e9???????? }
            // n = 4, score = 100
            //   83c0d0               | cmp                 dword ptr [esp + 0x2ec], 0
            //   4889442448           | setne               byte ptr [esp + 0x4d]
            //   b89907161e           | lea                 ecx, [eax + 1]
            //   e9????????           |                     

        $sequence_67 = { 8bd8 895de0 c745fc00000000 8b55ec }
            // n = 4, score = 100
            //   8bd8                 | push                dword ptr [ebp - 0x10]
            //   895de0               | mov                 dword ptr [ebp - 0x10], ebx
            //   c745fc00000000       | cmp                 dword ptr [ebp - 0x10], ebx
            //   8b55ec               | je                  0x17

        $sequence_68 = { 49637e3c 42813c3750450000 7416 c743280b000000 }
            // n = 4, score = 100
            //   49637e3c             | dec                 esp
            //   42813c3750450000     | mov                 dword ptr [esp + 0x78], esp
            //   7416                 | dec                 esp
            //   c743280b000000       | mov                 esp, dword ptr [ebx + 0x18]

        $sequence_69 = { 83be1804000000 b8b0882305 b95ec7b6b6 0f44c1 }
            // n = 4, score = 100
            //   83be1804000000       | mov                 esi, dword ptr [ebp + 8]
            //   b8b0882305           | xor                 ebx, ebx
            //   b95ec7b6b6           | mov                 dword ptr [ebp - 0x30], ebx
            //   0f44c1               | mov                 dword ptr [esi + 0x14], 0xf

    condition:
        7 of them and filesize < 4751360
}
[TLP:WHITE] win_vidar_w0   (20190106 | Yara rule for detecting Vidar stealer)
rule win_vidar_w0 {
    meta:
        description = "Yara rule for detecting Vidar stealer"
        author = "Fumik0_"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s1 = { 56 69 64 61 72 }
        $s2 = { 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 }
        
    condition:
        all of them
}
Download all Yara Rules