SYMBOLCOMMON_NAMEaka. SYNONYMS
win.vidar (Back to overview)

vidar

Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.

References
2021-07-15Twitter (@hypen1117)Hypen
@online{hypen:20210715:vidar:a1d1821, author = {Hypen}, title = {{Vidar Stealer C&C Server List}}, date = {2021-07-15}, organization = {Twitter (@hypen1117)}, url = {https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk}, language = {English}, urldate = {2021-07-20} } Vidar Stealer C&C Server List
vidar
2021-06-29Twitter (@sisoma2)sisoma2
@online{sisoma2:20210629:vidar:b63dd63, author = {sisoma2}, title = {{Tweet on vidar stealer using Tumblr to obtain dynamic config}}, date = {2021-06-29}, organization = {Twitter (@sisoma2)}, url = {https://twitter.com/sisoma2/status/1409816282065743872}, language = {English}, urldate = {2021-07-02} } Tweet on vidar stealer using Tumblr to obtain dynamic config
vidar
2021-05-28Medium s2wlabSojun Ryu
@online{ryu:20210528:deep:c5d221c, author = {Sojun Ryu}, title = {{Deep Analysis of Vidar Stealer}}, date = {2021-05-28}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed}, language = {English}, urldate = {2021-06-16} } Deep Analysis of Vidar Stealer
vidar
2021-05-24AhnLabAhnLab ASEC Analysis Team
@online{team:20210524:vidar:ea3dec5, author = {AhnLab ASEC Analysis Team}, title = {{Vidar Info-Stealer Abusing Game Platform}}, date = {2021-05-24}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/22932/}, language = {English}, urldate = {2021-06-16} } Vidar Info-Stealer Abusing Game Platform
vidar
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
@online{suh:20210203:w1:45a76f4, author = {Hyunmin Suh and Minjei Cho}, title = {{W1 Feb| EN | Story of the week: Stealers on the Darkweb}}, date = {2021-02-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d}, language = {English}, urldate = {2021-02-04} } W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon vidar
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-05CybereasonLior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP vidar
2019-03-11tcontre
@online{tcontre:20190311:infor:d8863ed, author = {tcontre}, title = {{Infor Stealer Vidar TrojanSpy Analysis...}}, date = {2019-03-11}, url = {https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html}, language = {English}, urldate = {2020-01-05} } Infor Stealer Vidar TrojanSpy Analysis...
vidar
2019-01-07Bleeping ComputerIonut Ilascu
@online{ilascu:20190107:gandcrab:8167b7f, author = {Ionut Ilascu}, title = {{GandCrab Operators Use Vidar Infostealer as a Forerunner}}, date = {2019-01-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/}, language = {English}, urldate = {2019-12-20} } GandCrab Operators Use Vidar Infostealer as a Forerunner
Gandcrab vidar
2018-12-24fumik0 blogfumik0
@online{fumik0:20181224:lets:f7dfc2c, author = {fumik0}, title = {{Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)}}, date = {2018-12-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/}, language = {English}, urldate = {2020-01-13} } Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
vidar
Yara Rules
[TLP:WHITE] win_vidar_auto (20210616 | Detects win.vidar.)
rule win_vidar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.vidar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c20400 ff742408 e8???????? 59 83f8ff 7503 32c0 }
            // n = 7, score = 1700
            //   c20400               | ret                 4
            //   ff742408             | push                dword ptr [esp + 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83f8ff               | cmp                 eax, -1
            //   7503                 | jne                 5
            //   32c0                 | xor                 al, al

        $sequence_1 = { 83f8ff 7503 32c0 c3 8b4c2404 8801 b001 }
            // n = 7, score = 1700
            //   83f8ff               | cmp                 eax, -1
            //   7503                 | jne                 5
            //   32c0                 | xor                 al, al
            //   c3                   | ret                 
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   8801                 | mov                 byte ptr [ecx], al
            //   b001                 | mov                 al, 1

        $sequence_2 = { c9 c3 8b542408 85d2 7503 }
            // n = 5, score = 1700
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   85d2                 | test                edx, edx
            //   7503                 | jne                 5

        $sequence_3 = { 8910 8b4130 8910 c3 56 }
            // n = 5, score = 1700
            //   8910                 | mov                 dword ptr [eax], edx
            //   8b4130               | mov                 eax, dword ptr [ecx + 0x30]
            //   8910                 | mov                 dword ptr [eax], edx
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_4 = { c20400 56 8bf1 8b4e20 33c0 3901 7405 }
            // n = 7, score = 1700
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8b4e20               | mov                 ecx, dword ptr [esi + 0x20]
            //   33c0                 | xor                 eax, eax
            //   3901                 | cmp                 dword ptr [ecx], eax
            //   7405                 | je                  7

        $sequence_5 = { c20400 56 8bf1 e8???????? 6a00 ff74240c 8bce }
            // n = 7, score = 1700
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   8bce                 | mov                 ecx, esi

        $sequence_6 = { c3 56 8d71f8 8bce }
            // n = 4, score = 1700
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8d71f8               | lea                 esi, dword ptr [ecx - 8]
            //   8bce                 | mov                 ecx, esi

        $sequence_7 = { c20800 56 57 8b7c240c 8b07 8bf1 }
            // n = 6, score = 1700
            //   c20800               | ret                 8
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8bf1                 | mov                 esi, ecx

        $sequence_8 = { c3 8bff 55 8bec 83ec0c c745fc00000000 }
            // n = 6, score = 200
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_9 = { dd1c24 83ec08 dd4508 dd1c24 6a0b 6a10 e8???????? }
            // n = 7, score = 200
            //   dd1c24               | fstp                qword ptr [esp]
            //   83ec08               | sub                 esp, 8
            //   dd4508               | fld                 qword ptr [ebp + 8]
            //   dd1c24               | fstp                qword ptr [esp]
            //   6a0b                 | push                0xb
            //   6a10                 | push                0x10
            //   e8????????           |                     

        $sequence_10 = { dd4508 dd1c24 6a0b 6a08 e8???????? 83c41c }
            // n = 6, score = 200
            //   dd4508               | fld                 qword ptr [ebp + 8]
            //   dd1c24               | fstp                qword ptr [esp]
            //   6a0b                 | push                0xb
            //   6a08                 | push                8
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c

        $sequence_11 = { 0006 4a 42 0032 }
            // n = 4, score = 100
            //   0006                 | add                 byte ptr [esi], al
            //   4a                   | dec                 edx
            //   42                   | inc                 edx
            //   0032                 | add                 byte ptr [edx], dh

        $sequence_12 = { 000d???????? 45 43 001f }
            // n = 4, score = 100
            //   000d????????         |                     
            //   45                   | inc                 ebp
            //   43                   | inc                 ebx
            //   001f                 | add                 byte ptr [edi], bl

        $sequence_13 = { 0013 17 43 0020 }
            // n = 4, score = 100
            //   0013                 | add                 byte ptr [ebx], dl
            //   17                   | pop                 ss
            //   43                   | inc                 ebx
            //   0020                 | add                 byte ptr [eax], ah

    condition:
        7 of them and filesize < 2793472
}
[TLP:WHITE] win_vidar_w0   (20190106 | Yara rule for detecting Vidar stealer)
rule win_vidar_w0 {
    meta:
        description = "Yara rule for detecting Vidar stealer"
        author = "Fumik0_"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s1 = { 56 69 64 61 72 }
        $s2 = { 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 }
        
    condition:
        all of them
}
Download all Yara Rules