SYMBOLCOMMON_NAMEaka. SYNONYMS
win.vidar (Back to overview)

Vidar

Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.

References
2023-05-09eSentireRussianPanda
@online{russianpanda:20230509:esentire:3eaa138, author = {RussianPanda}, title = {{eSentire Threat Intelligence Malware Analysis: Vidar Stealer}}, date = {2023-05-09}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer}, language = {English}, urldate = {2023-05-25} } eSentire Threat Intelligence Malware Analysis: Vidar Stealer
Vidar
2023-04-12SpamhausSpamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-03-09eSentireeSentire Threat Response Unit (TRU)
@online{tru:20230309:batloader:db50046, author = {eSentire Threat Response Unit (TRU)}, title = {{BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif}}, date = {2023-03-09}, organization = {eSentire}, url = {https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif}, language = {English}, urldate = {2023-04-25} } BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif
BATLOADER ISFB Vidar
2023-02-200xToxin Labs@0xToxin
@online{0xtoxin:20230220:vidar:dd38156, author = {@0xToxin}, title = {{Vidar Stealer H&M Campaign}}, date = {2023-02-20}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/}, language = {English}, urldate = {2023-05-17} } Vidar Stealer H&M Campaign
Vidar
2023-02-06Quorum CyberQuorum Cyber
@techreport{cyber:20230206:malware:cc2dbc7, author = {Quorum Cyber}, title = {{Malware Analysis Report Vidar - Stealerware}}, date = {2023-02-06}, institution = {Quorum Cyber}, url = {https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf}, language = {English}, urldate = {2023-04-25} } Malware Analysis Report Vidar - Stealerware
Vidar
2023-02-02YouTube (SLEUTHCON)Christopher Glyer, Microsoft Threat Intelligence Center (MSTIC)
@online{glyer:20230202:lions:b21e15a, author = {Christopher Glyer and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Lions, Tigers, and Infostealers - Oh my!}}, date = {2023-02-02}, organization = {YouTube (SLEUTHCON)}, url = {https://www.youtube.com/watch?v=NI_Yw2t9zoo}, language = {English}, urldate = {2023-04-25} } Lions, Tigers, and Infostealers - Oh my!
RecordBreaker RedLine Stealer Vidar
2023-01-31DarktraceRoberto Martinez
@online{martinez:20230131:vidar:32a27bd, author = {Roberto Martinez}, title = {{Vidar Info-Stealer Malware Distributed via Malvertising on Google}}, date = {2023-01-31}, organization = {Darktrace}, url = {https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google}, language = {English}, urldate = {2023-02-01} } Vidar Info-Stealer Malware Distributed via Malvertising on Google
Vidar
2023-01-24FortinetGeri Revay
@online{revay:20230124:year:00a1450, author = {Geri Revay}, title = {{The Year of the Wiper}}, date = {2023-01-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper}, language = {English}, urldate = {2023-01-25} } The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar
2023-01-19Team CymruS2 Research Team
@online{team:20230119:darth:4a19fc1, author = {S2 Research Team}, title = {{Darth Vidar: The Dark Side of Evolving Threat Infrastructure}}, date = {2023-01-19}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure}, language = {English}, urldate = {2023-01-19} } Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Vidar
2023-01-19Emerging ThreatsIsaac O'Shaughnessy
@online{oshaughnessy:20230119:vidar:669a33d, author = {Isaac O'Shaughnessy}, title = {{Vidar Stealer Picks Up Steam!}}, date = {2023-01-19}, organization = {Emerging Threats}, url = {https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271}, language = {English}, urldate = {2023-04-25} } Vidar Stealer Picks Up Steam!
Vidar
2023-01-12CynetKindra Cantrell
@online{cantrell:20230112:cyops:de2e706, author = {Kindra Cantrell}, title = {{CyOps Lighthouse: Vidar Stealer}}, date = {2023-01-12}, organization = {Cynet}, url = {https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/}, language = {English}, urldate = {2023-04-25} } CyOps Lighthouse: Vidar Stealer
Vidar
2022-12-31Jaalma's BlogJaalma
@online{jaalma:20221231:analyzing:f57c355, author = {Jaalma}, title = {{Analyzing a VIDAR Infostealer Sample}}, date = {2022-12-31}, organization = {Jaalma's Blog}, url = {https://blog.jaalma.io/vidar-infostealer-analysis/}, language = {English}, urldate = {2023-04-25} } Analyzing a VIDAR Infostealer Sample
Vidar
2022-12-17kienmanowar Blogm4n0w4r, Tran Trung Kien
@online{m4n0w4r:20221217:quicknote:9b33765, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] VidarStealer Analysis}}, date = {2022-12-17}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/}, language = {English}, urldate = {2022-12-19} } [QuickNote] VidarStealer Analysis
Vidar
2022-12-13KrollKeith Wojcieszek, Dave Truman, Stephen Green, George Glass
@online{wojcieszek:20221213:threat:0328cee, author = {Keith Wojcieszek and Dave Truman and Stephen Green and George Glass}, title = {{Threat Actors use Google Ads to Deploy VIDAR Stealer}}, date = {2022-12-13}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer}, language = {English}, urldate = {2023-04-25} } Threat Actors use Google Ads to Deploy VIDAR Stealer
Vidar
2022-12-08Youtube (AhmedS Kasmani)AhmedS Kasmani
@online{kasmani:20221208:vidar:2ea18d3, author = {AhmedS Kasmani}, title = {{Vidar Stealer Malware Analysis}}, date = {2022-12-08}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=lxdlNOaHJQA}, language = {English}, urldate = {2023-04-25} } Vidar Stealer Malware Analysis
Vidar
2022-11-19MalwarologyRobert Simmons
@online{simmons:20221119:malicious:13718e6, author = {Robert Simmons}, title = {{Malicious Packer pkr_ce1a}}, date = {2022-11-19}, organization = {Malwarology}, url = {https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd}, language = {English}, urldate = {2022-11-25} } Malicious Packer pkr_ce1a
SmokeLoader Vidar
2022-11-08cybleCyble
@online{cyble:20221108:massive:0ed7213, author = {Cyble}, title = {{Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer}}, date = {2022-11-08}, organization = {cyble}, url = {https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/}, language = {English}, urldate = {2022-11-09} } Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer
RecordBreaker Vidar
2022-10-03Check PointMarc Salinas Fernandez
@online{fernandez:20221003:bumblebee:25732bf, author = {Marc Salinas Fernandez}, title = {{Bumblebee: increasing its capacity and evolving its TTPs}}, date = {2022-10-03}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/}, language = {English}, urldate = {2022-10-07} } Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-09-26KasperskyHaim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2023-02-06} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-09-16Group-IBTwitter (@GroupIB_GIB)
@online{groupibgib:20220916:uber:255f13d, author = {Twitter (@GroupIB_GIB)}, title = {{Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer}}, date = {2022-09-16}, organization = {Group-IB}, url = {https://twitter.com/GroupIB_GIB/status/1570821174736850945}, language = {English}, urldate = {2022-09-19} } Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer
Raccoon Vidar
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-29SekoiaThreat & Detection Research Team
@online{team:20220829:traffers:8b7930b, author = {Threat & Detection Research Team}, title = {{Traffers: a deep dive into the information stealer ecosystem}}, date = {2022-08-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem}, language = {English}, urldate = {2022-08-31} } Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-08-02Recorded FutureInsikt Group
@techreport{group:20220802:initial:5caddb5, author = {Insikt Group}, title = {{Initial Access Brokers Are Key to Rise in Ransomware Attacks}}, date = {2022-08-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf}, language = {English}, urldate = {2022-08-05} } Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-13KELAKELA Cyber Intelligence Center
@online{center:20220713:next:b2e43e4, author = {KELA Cyber Intelligence Center}, title = {{The Next Generation of Info Stealers}}, date = {2022-07-13}, organization = {KELA}, url = {https://ke-la.com/information-stealers-a-new-landscape/}, language = {English}, urldate = {2022-07-18} } The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-05-19ZscalerSudeep Singh, Santiago Vicente, Brett Stone-Gross
@online{singh:20220519:vidar:1c68f0e, author = {Sudeep Singh and Santiago Vicente and Brett Stone-Gross}, title = {{Vidar distributed through backdoored Windows 11 downloads and abusing Telegram}}, date = {2022-05-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing}, language = {English}, urldate = {2022-05-25} } Vidar distributed through backdoored Windows 11 downloads and abusing Telegram
Vidar
2022-05-18Github (0x00-0x7f)Sadia Bashir
@online{bashir:20220518:case:986df17, author = {Sadia Bashir}, title = {{A Case of Vidar Infostealer - Part 2}}, date = {2022-05-18}, organization = {Github (0x00-0x7f)}, url = {https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/}, language = {English}, urldate = {2022-05-25} } A Case of Vidar Infostealer - Part 2
Vidar
2022-05-15Bleeping ComputerLawrence Abrams
@online{abrams:20220515:fake:13bfa09, author = {Lawrence Abrams}, title = {{Fake Pixelmon NFT site infects you with password-stealing malware}}, date = {2022-05-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/}, language = {English}, urldate = {2022-05-17} } Fake Pixelmon NFT site infects you with password-stealing malware
Vidar
2022-03-27Github (0x00-0x7f)Sadia Bashir
@online{bashir:20220327:case:80e7471, author = {Sadia Bashir}, title = {{A Case of Vidar Infostealer - Part 1 (Unpacking)}}, date = {2022-03-27}, organization = {Github (0x00-0x7f)}, url = {https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/}, language = {English}, urldate = {2022-03-31} } A Case of Vidar Infostealer - Part 1 (Unpacking)
Vidar
2022-03-24TrustwaveDiana Lopera
@online{lopera:20220324:vidar:ec04874, author = {Diana Lopera}, title = {{Vidar Malware Launcher Concealed in Help File}}, date = {2022-03-24}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/}, language = {English}, urldate = {2022-03-25} } Vidar Malware Launcher Concealed in Help File
Vidar
2022-03-24Threat PostNate Nelson
@online{nelson:20220324:microsoft:027f9d7, author = {Nate Nelson}, title = {{Microsoft Help Files Disguise Vidar Malware}}, date = {2022-03-24}, organization = {Threat Post}, url = {https://threatpost.com/microsoft-help-files-vidar-malware/179078/}, language = {English}, urldate = {2022-03-25} } Microsoft Help Files Disguise Vidar Malware
Vidar
2022-03-24CSO OnlineJon Gold
@online{gold:20220324:microsoft:1a7616f, author = {Jon Gold}, title = {{Microsoft help files repurposed to contain Vidar malware in new campaign}}, date = {2022-03-24}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html}, language = {English}, urldate = {2022-03-25} } Microsoft help files repurposed to contain Vidar malware in new campaign
Vidar
2022-03-23InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220323:arkei:f9a44a4, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468}, language = {English}, urldate = {2023-04-25} } Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Oski Stealer Vidar
2022-03-23InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220323:arkei:b2a08f5, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28468}, language = {English}, urldate = {2022-03-25} } Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Vidar
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022-02-06Github (eln0ty)Abdallah Elnoty
@online{elnoty:20220206:deep:d85c241, author = {Abdallah Elnoty}, title = {{Deep Analysis of Vidar Information Stealer}}, date = {2022-02-06}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/vidar/}, language = {English}, urldate = {2022-02-17} } Deep Analysis of Vidar Information Stealer
Vidar
2022-01-26AhnLabASEC Analysis Team
@online{team:20220126:vidar:3bf84d2, author = {ASEC Analysis Team}, title = {{Vidar Exploiting Social Media Platform (Mastodon)}}, date = {2022-01-26}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30875/}, language = {English}, urldate = {2022-02-01} } Vidar Exploiting Social Media Platform (Mastodon)
Vidar
2022-01-03AhnLabASEC Analysis Team
@online{team:20220103:distribution:6b19c5a, author = {ASEC Analysis Team}, title = {{Distribution of Redline Stealer Disguised as Software Crack}}, date = {2022-01-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30445/}, language = {English}, urldate = {2022-01-25} } Distribution of Redline Stealer Disguised as Software Crack
DanaBot RedLine Stealer Vidar
2021-10-27CERT.PLCERT.PL
@online{certpl:20211027:vidar:8fe3984, author = {CERT.PL}, title = {{Vidar stealer campaign targeting Baltic region and NATO entities}}, date = {2021-10-27}, organization = {CERT.PL}, url = {https://cert.pl/en/posts/2021/10/vidar-campaign/}, language = {English}, urldate = {2021-11-02} } Vidar stealer campaign targeting Baltic region and NATO entities
Vidar
2021-09-27Trend MicroRyan Maglaque, Joelson Soares, Gilbert Sison, Arianne Dela Cruz, Warren Sto.Tomas
@online{maglaque:20210927:fake:e02e3a3, author = {Ryan Maglaque and Joelson Soares and Gilbert Sison and Arianne Dela Cruz and Warren Sto.Tomas}, title = {{Fake Installers Drop Malware and Open Doors for Opportunistic Attackers}}, date = {2021-09-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html}, language = {English}, urldate = {2021-10-05} } Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
RedLine Stealer Socelars Vidar
2021-09-23Minerva LabsMinerva Labs
@online{labs:20210923:vidar:36d9ecf, author = {Minerva Labs}, title = {{Vidar Stealer Evasion Arsenal}}, date = {2021-09-23}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal}, language = {English}, urldate = {2021-10-05} } Vidar Stealer Evasion Arsenal
Vidar
2021-08-04ASECASEC
@online{asec:20210804:sw:fd538d1, author = {ASEC}, title = {{S/W Download Camouflage, Spreading Various Kinds of Malware}}, date = {2021-08-04}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/25837/}, language = {Korean}, urldate = {2022-03-07} } S/W Download Camouflage, Spreading Various Kinds of Malware
Raccoon RedLine Stealer Remcos Vidar
2021-07-16Malwarebytes LabsJérôme Segura
@online{segura:20210716:vidar:372aace, author = {Jérôme Segura}, title = {{Vidar and GandCrab: stealer and ransomware combo observed in the wild}}, date = {2021-07-16}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/}, language = {English}, urldate = {2022-04-12} } Vidar and GandCrab: stealer and ransomware combo observed in the wild
Gandcrab Vidar
2021-07-15Twitter (@hypen1117)Hypen
@online{hypen:20210715:vidar:a1d1821, author = {Hypen}, title = {{Vidar Stealer C&C Server List}}, date = {2021-07-15}, organization = {Twitter (@hypen1117)}, url = {https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk}, language = {English}, urldate = {2021-07-20} } Vidar Stealer C&C Server List
Vidar
2021-06-29Twitter (@sisoma2)sisoma2
@online{sisoma2:20210629:vidar:b63dd63, author = {sisoma2}, title = {{Tweet on vidar stealer using Tumblr to obtain dynamic config}}, date = {2021-06-29}, organization = {Twitter (@sisoma2)}, url = {https://twitter.com/sisoma2/status/1409816282065743872}, language = {English}, urldate = {2021-07-02} } Tweet on vidar stealer using Tumblr to obtain dynamic config
Vidar
2021-05-28Medium s2wlabSojun Ryu
@online{ryu:20210528:deep:c5d221c, author = {Sojun Ryu}, title = {{Deep Analysis of Vidar Stealer}}, date = {2021-05-28}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed}, language = {English}, urldate = {2021-06-16} } Deep Analysis of Vidar Stealer
Vidar
2021-05-24AhnLabASEC Analysis Team
@online{team:20210524:vidar:ea3dec5, author = {ASEC Analysis Team}, title = {{Vidar Info-Stealer Abusing Game Platform}}, date = {2021-05-24}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/22932/}, language = {English}, urldate = {2022-04-15} } Vidar Info-Stealer Abusing Game Platform
Vidar
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
@online{suh:20210203:w1:45a76f4, author = {Hyunmin Suh and Minjei Cho}, title = {{W1 Feb| EN | Story of the week: Stealers on the Darkweb}}, date = {2021-02-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d}, language = {English}, urldate = {2021-02-04} } W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon Vidar
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-05CybereasonLior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar
2019-03-11tcontre
@online{tcontre:20190311:infor:d8863ed, author = {tcontre}, title = {{Infor Stealer Vidar TrojanSpy Analysis...}}, date = {2019-03-11}, url = {https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html}, language = {English}, urldate = {2020-01-05} } Infor Stealer Vidar TrojanSpy Analysis...
Vidar
2019-01-07Bleeping ComputerIonut Ilascu
@online{ilascu:20190107:gandcrab:8167b7f, author = {Ionut Ilascu}, title = {{GandCrab Operators Use Vidar Infostealer as a Forerunner}}, date = {2019-01-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/}, language = {English}, urldate = {2019-12-20} } GandCrab Operators Use Vidar Infostealer as a Forerunner
Gandcrab Vidar
2018-12-24fumik0 blogfumik0
@online{fumik0:20181224:lets:f7dfc2c, author = {fumik0}, title = {{Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)}}, date = {2018-12-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/}, language = {English}, urldate = {2022-01-12} } Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
Arkei Stealer Vidar
Yara Rules
[TLP:WHITE] win_vidar_auto (20230407 | Detects win.vidar.)
rule win_vidar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.vidar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1e810 25ff7f0000 c3 e8???????? }
            // n = 4, score = 2000
            //   c1e810               | shr                 eax, 0x10
            //   25ff7f0000           | and                 eax, 0x7fff
            //   c3                   | ret                 
            //   e8????????           |                     

        $sequence_1 = { 740a b800000500 e9???????? 57 }
            // n = 4, score = 2000
            //   740a                 | je                  0xc
            //   b800000500           | mov                 eax, 0x50000
            //   e9????????           |                     
            //   57                   | push                edi

        $sequence_2 = { 8b742408 8b865caf0100 57 83f808 }
            // n = 4, score = 2000
            //   8b742408             | mov                 esi, dword ptr [esp + 8]
            //   8b865caf0100         | mov                 eax, dword ptr [esi + 0x1af5c]
            //   57                   | push                edi
            //   83f808               | cmp                 eax, 8

        $sequence_3 = { c6043300 8bc6 5e 5b c20400 }
            // n = 5, score = 2000
            //   c6043300             | mov                 byte ptr [ebx + esi], 0
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c20400               | ret                 4

        $sequence_4 = { c9 c3 8b542408 85d2 7503 33c0 }
            // n = 6, score = 1900
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   85d2                 | test                edx, edx
            //   7503                 | jne                 5
            //   33c0                 | xor                 eax, eax

        $sequence_5 = { 5e c20400 ff742408 e8???????? 59 83f8ff 7503 }
            // n = 7, score = 1900
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   ff742408             | push                dword ptr [esp + 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83f8ff               | cmp                 eax, -1
            //   7503                 | jne                 5

        $sequence_6 = { e8???????? 8b4638 83c410 33c9 3bc3 }
            // n = 5, score = 1900
            //   e8????????           |                     
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   83c410               | add                 esp, 0x10
            //   33c9                 | xor                 ecx, ecx
            //   3bc3                 | cmp                 eax, ebx

        $sequence_7 = { e8???????? 83c418 53 68???????? 53 }
            // n = 5, score = 1900
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   53                   | push                ebx
            //   68????????           |                     
            //   53                   | push                ebx

        $sequence_8 = { 75f8 be???????? 66a5 ff45ac }
            // n = 4, score = 1800
            //   75f8                 | jne                 0xfffffffa
            //   be????????           |                     
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   ff45ac               | inc                 dword ptr [ebp - 0x54]

        $sequence_9 = { 8a10 40 3ad3 75f9 2b450c }
            // n = 5, score = 1800
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   3ad3                 | cmp                 dl, bl
            //   75f9                 | jne                 0xfffffffb
            //   2b450c               | sub                 eax, dword ptr [ebp + 0xc]

        $sequence_10 = { 8910 8b4120 8910 8b4130 8910 c3 56 }
            // n = 7, score = 1700
            //   8910                 | mov                 dword ptr [eax], edx
            //   8b4120               | mov                 eax, dword ptr [ecx + 0x20]
            //   8910                 | mov                 dword ptr [eax], edx
            //   8b4130               | mov                 eax, dword ptr [ecx + 0x30]
            //   8910                 | mov                 dword ptr [eax], edx
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_11 = { 0faf450c 50 e8???????? 59 }
            // n = 4, score = 1700
            //   0faf450c             | imul                eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_12 = { c20400 56 8bf1 e8???????? 6a00 ff74240c 8bce }
            // n = 7, score = 1700
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   8bce                 | mov                 ecx, esi

        $sequence_13 = { 8b4508 8906 8b450c 894608 }
            // n = 4, score = 1700
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   894608               | mov                 dword ptr [esi + 8], eax

        $sequence_14 = { e8???????? 83c408 84c0 740e 68???????? }
            // n = 5, score = 300
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   84c0                 | test                al, al
            //   740e                 | je                  0x10
            //   68????????           |                     

        $sequence_15 = { 84c9 75f9 8b4c2410 2bc6 50 52 e8???????? }
            // n = 7, score = 300
            //   84c9                 | test                cl, cl
            //   75f9                 | jne                 0xfffffffb
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   2bc6                 | sub                 eax, esi
            //   50                   | push                eax
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_16 = { 83ec08 dd4508 dd1c24 6a0b }
            // n = 4, score = 200
            //   83ec08               | sub                 esp, 8
            //   dd4508               | fld                 qword ptr [ebp + 8]
            //   dd1c24               | fstp                qword ptr [esp]
            //   6a0b                 | push                0xb

        $sequence_17 = { 6a0b 6a08 e8???????? 83c41c }
            // n = 4, score = 200
            //   6a0b                 | push                0xb
            //   6a08                 | push                8
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c

        $sequence_18 = { 8bb42498090000 89942474090000 2bf0 6a00 56 ffb4248c090000 }
            // n = 6, score = 100
            //   8bb42498090000       | mov                 esi, dword ptr [esp + 0x998]
            //   89942474090000       | mov                 dword ptr [esp + 0x974], edx
            //   2bf0                 | sub                 esi, eax
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ffb4248c090000       | push                dword ptr [esp + 0x98c]

        $sequence_19 = { 8bb4249c090000 8b842490090000 0fb7fe c1ee10 }
            // n = 4, score = 100
            //   8bb4249c090000       | mov                 esi, dword ptr [esp + 0x99c]
            //   8b842490090000       | mov                 eax, dword ptr [esp + 0x990]
            //   0fb7fe               | movzx               edi, si
            //   c1ee10               | shr                 esi, 0x10

    condition:
        7 of them and filesize < 2793472
}
[TLP:WHITE] win_vidar_w0   (20190106 | Yara rule for detecting Vidar stealer)
rule win_vidar_w0 {
    meta:
        description = "Yara rule for detecting Vidar stealer"
        author = "Fumik0_"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s1 = { 56 69 64 61 72 }
        $s2 = { 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 }
        
    condition:
        all of them
}
Download all Yara Rules