SYMBOLCOMMON_NAMEaka. SYNONYMS
win.vidar (Back to overview)

Vidar

VTCollection    

Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.

References
2023-12-06Twitter (@embee_research)Embee_research
Ghidra Basics - Identifying, Decoding and Fixing Encrypted Strings
Vidar
2023-11-30Medium g0njxag0njxa
Approaching stealers devs : a brief interview with Vidar
Vidar
2023-11-21CensysAidan Holland
Tracking Vidar Infrastructure with Censys
Vidar
2023-11-16CISACISA
Scattered Spider
Ave Maria BlackCat Raccoon Vidar
2023-11-16CISACISA
Scattered Spider
BlackCat Ave Maria Raccoon Vidar
2023-10-27ElasticJoe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-07-24M4lcodeMostafa Farghaly
Deep Analysis of Vidar Stealer
Arkei Stealer Vidar
2023-06-15Team CymruS2 Research Team
Darth Vidar: The Aesir Strike Back
Vidar
2023-05-16SecureworksCounter Threat Unit ResearchTeam
The Growing Threat from Infostealers
Graphiron GraphSteel Raccoon RedLine Stealer Rhadamanthys Taurus Stealer Vidar
2023-05-09eSentireRussianPanda
eSentire Threat Intelligence Malware Analysis: Vidar Stealer
Vidar
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-03-30eSentireeSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar
2023-03-09eSentireeSentire Threat Response Unit (TRU)
BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif
BATLOADER ISFB Vidar
2023-02-200xToxin Labs@0xToxin
Vidar Stealer H&M Campaign
Vidar
2023-02-06Quorum CyberQuorum Cyber
Malware Analysis Report Vidar - Stealerware
Vidar
2023-02-02YouTube (SLEUTHCON)Christopher Glyer, Microsoft Threat Intelligence Center (MSTIC)
Lions, Tigers, and Infostealers - Oh my!
RecordBreaker RedLine Stealer Vidar
2023-01-31DarktraceRoberto Martinez
Vidar Info-Stealer Malware Distributed via Malvertising on Google
Vidar
2023-01-24FortinetGeri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar
2023-01-19Emerging ThreatsIsaac O'Shaughnessy
Vidar Stealer Picks Up Steam!
Vidar
2023-01-19Team CymruS2 Research Team
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Vidar
2023-01-12CynetKindra Cantrell
CyOps Lighthouse: Vidar Stealer
Vidar
2022-12-31Jaalma's BlogJaalma
Analyzing a VIDAR Infostealer Sample
Vidar
2022-12-17kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] VidarStealer Analysis
Vidar
2022-12-13KrollDave Truman, George Glass, Keith Wojcieszek, Stephen Green
Threat Actors use Google Ads to Deploy VIDAR Stealer
Vidar
2022-12-08Youtube (AhmedS Kasmani)AhmedS Kasmani
Vidar Stealer Malware Analysis
Vidar
2022-11-19MalwarologyRobert Simmons
Malicious Packer pkr_ce1a
SmokeLoader Vidar
2022-11-15SOC PrimeVeronika Telychko
Somnia Malware Detection: UAC-0118 aka FRwL Launches Cyber Attacks Against Organizations in Ukraine Using Enhanced Malware Strains
Cobalt Strike Vidar UAC-0118
2022-11-08cybleCyble
Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer
RecordBreaker Vidar
2022-10-03Check PointMarc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-09-26KasperskyArtem Ushkov, Haim Zigel, Oleg Kupreev
NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-09-16Group-IBTwitter (@GroupIB_GIB)
Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer
Raccoon Vidar
2022-09-15SekoiaThreat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-29SekoiaThreat & Detection Research Team
Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-08Medium CSIS TechblogBenoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-08-02Recorded FutureInsikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-13KELAKELA Cyber Intelligence Center
The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-05-19ZscalerBrett Stone-Gross, Santiago Vicente, Sudeep Singh
Vidar distributed through backdoored Windows 11 downloads and abusing Telegram
Vidar
2022-05-18Github (0x00-0x7f)Sadia Bashir
A Case of Vidar Infostealer - Part 2
Vidar
2022-05-15Bleeping ComputerLawrence Abrams
Fake Pixelmon NFT site infects you with password-stealing malware
Vidar
2022-03-27Github (0x00-0x7f)Sadia Bashir
A Case of Vidar Infostealer - Part 1 (Unpacking)
Vidar
2022-03-24TrustwaveDiana Lopera
Vidar Malware Launcher Concealed in Help File
Vidar
2022-03-24CSO OnlineJon Gold
Microsoft help files repurposed to contain Vidar malware in new campaign
Vidar
2022-03-24Threat PostNate Nelson
Microsoft Help Files Disguise Vidar Malware
Vidar
2022-03-23InfoSec Handlers Diary BlogBrad Duncan
Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Vidar
2022-03-23InfoSec Handlers Diary BlogBrad Duncan
Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Oski Stealer Vidar
2022-02-08Intel 471Intel 471
PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022-02-06Github (eln0ty)Abdallah Elnoty
Deep Analysis of Vidar Information Stealer
Vidar
2022-01-26AhnLabASEC Analysis Team
Vidar Exploiting Social Media Platform (Mastodon)
Vidar
2022-01-03AhnLabASEC Analysis Team
Distribution of Redline Stealer Disguised as Software Crack
DanaBot RedLine Stealer Vidar
2021-10-27CERT.PLCERT.PL
Vidar stealer campaign targeting Baltic region and NATO entities
Vidar
2021-09-27Trend MicroArianne Dela Cruz, Gilbert Sison, Joelson Soares, Ryan Maglaque, Warren Sto.Tomas
Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
RedLine Stealer Socelars Vidar
2021-09-23Minerva LabsMinerva Labs
Vidar Stealer Evasion Arsenal
Vidar
2021-08-04ASECASEC
S/W Download Camouflage, Spreading Various Kinds of Malware
Raccoon RedLine Stealer Remcos Vidar
2021-07-16Malwarebytes LabsJérôme Segura
Vidar and GandCrab: stealer and ransomware combo observed in the wild
Gandcrab Vidar
2021-07-15Twitter (@hypen1117)Hypen
Vidar Stealer C&C Server List
Vidar
2021-06-29Twitter (@sisoma2)sisoma2
Tweet on vidar stealer using Tumblr to obtain dynamic config
Vidar
2021-05-28Medium s2wlabSojun Ryu
Deep Analysis of Vidar Stealer
Vidar
2021-05-24AhnLabASEC Analysis Team
Vidar Info-Stealer Abusing Game Platform
Vidar
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon Vidar
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-05CybereasonAssaf Dahan, Lior Rochberger
The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar
2019-03-11tcontre
Infor Stealer Vidar TrojanSpy Analysis...
Vidar
2019-01-07Bleeping ComputerIonut Ilascu
GandCrab Operators Use Vidar Infostealer as a Forerunner
Gandcrab Vidar
2018-12-24fumik0 blogfumik0
Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
Arkei Stealer Vidar
Yara Rules
[TLP:WHITE] win_vidar_auto (20230808 | Detects win.vidar.)
rule win_vidar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.vidar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 25ff7f0000 c3 e8???????? 8b486c 3b0d???????? 7410 }
            // n = 6, score = 2600
            //   25ff7f0000           | and                 eax, 0x7fff
            //   c3                   | ret                 
            //   e8????????           |                     
            //   8b486c               | mov                 ecx, dword ptr [eax + 0x6c]
            //   3b0d????????         |                     
            //   7410                 | je                  0x12

        $sequence_1 = { 05c39e2600 894114 c1e810 25ff7f0000 c3 e8???????? }
            // n = 6, score = 2600
            //   05c39e2600           | add                 eax, 0x269ec3
            //   894114               | mov                 dword ptr [ecx + 0x14], eax
            //   c1e810               | shr                 eax, 0x10
            //   25ff7f0000           | and                 eax, 0x7fff
            //   c3                   | ret                 
            //   e8????????           |                     

        $sequence_2 = { 8d8d68fdffff 51 50 ff15???????? }
            // n = 4, score = 2500
            //   8d8d68fdffff         | lea                 ecx, [ebp - 0x298]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { 7202 8b00 8d8d68fdffff 51 }
            // n = 4, score = 2500
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8d8d68fdffff         | lea                 ecx, [ebp - 0x298]
            //   51                   | push                ecx

        $sequence_4 = { 740a b800000500 e9???????? 57 }
            // n = 4, score = 2400
            //   740a                 | je                  0xc
            //   b800000500           | mov                 eax, 0x50000
            //   e9????????           |                     
            //   57                   | push                edi

        $sequence_5 = { 56 8b742408 8b865caf0100 57 }
            // n = 4, score = 2400
            //   56                   | push                esi
            //   8b742408             | mov                 esi, dword ptr [esp + 8]
            //   8b865caf0100         | mov                 eax, dword ptr [esi + 0x1af5c]
            //   57                   | push                edi

        $sequence_6 = { 895dd0 c746140f000000 895e10 8975cc }
            // n = 4, score = 2400
            //   895dd0               | mov                 dword ptr [ebp - 0x30], ebx
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   895e10               | mov                 dword ptr [esi + 0x10], ebx
            //   8975cc               | mov                 dword ptr [ebp - 0x34], esi

        $sequence_7 = { 8b8648af0100 c1e803 038644af0100 5e 5d c3 }
            // n = 6, score = 2400
            //   8b8648af0100         | mov                 eax, dword ptr [esi + 0x1af48]
            //   c1e803               | shr                 eax, 3
            //   038644af0100         | add                 eax, dword ptr [esi + 0x1af44]
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_8 = { 895dfc e8???????? 83781408 c645fc01 }
            // n = 4, score = 2400
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   e8????????           |                     
            //   83781408             | cmp                 dword ptr [eax + 0x14], 8
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1

        $sequence_9 = { 8b7508 33ff 89b55cfdffff 89bd60fdffff }
            // n = 4, score = 2400
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   89b55cfdffff         | mov                 dword ptr [ebp - 0x2a4], esi
            //   89bd60fdffff         | mov                 dword ptr [ebp - 0x2a0], edi

        $sequence_10 = { 5f c6043300 8bc6 5e 5b c20400 }
            // n = 6, score = 2400
            //   5f                   | pop                 edi
            //   c6043300             | mov                 byte ptr [ebx + esi], 0
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c20400               | ret                 4

        $sequence_11 = { 50 ff15???????? 8b4da0 8901 85c0 }
            // n = 5, score = 2300
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4da0               | mov                 ecx, dword ptr [ebp - 0x60]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   85c0                 | test                eax, eax

        $sequence_12 = { 83781410 7202 8b00 50 8b45a0 }
            // n = 5, score = 2300
            //   83781410             | cmp                 dword ptr [eax + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   50                   | push                eax
            //   8b45a0               | mov                 eax, dword ptr [ebp - 0x60]

        $sequence_13 = { eb02 33c0 5f 5e c9 c3 6a04 }
            // n = 7, score = 2300
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 
            //   6a04                 | push                4

        $sequence_14 = { 5e c20400 ff742408 e8???????? 59 83f8ff 7503 }
            // n = 7, score = 2300
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   ff742408             | push                dword ptr [esp + 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83f8ff               | cmp                 eax, -1
            //   7503                 | jne                 5

        $sequence_15 = { c9 c3 8b542408 85d2 7503 }
            // n = 5, score = 2300
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   85d2                 | test                edx, edx
            //   7503                 | jne                 5

        $sequence_16 = { 0fb605???????? 50 0fb605???????? 50 0fb605???????? 50 6a01 }
            // n = 7, score = 2200
            //   0fb605????????       |                     
            //   50                   | push                eax
            //   0fb605????????       |                     
            //   50                   | push                eax
            //   0fb605????????       |                     
            //   50                   | push                eax
            //   6a01                 | push                1

        $sequence_17 = { 53 50 899e6caf0600 e8???????? }
            // n = 4, score = 2100
            //   53                   | push                ebx
            //   50                   | push                eax
            //   899e6caf0600         | mov                 dword ptr [esi + 0x6af6c], ebx
            //   e8????????           |                     

        $sequence_18 = { 53 68???????? 8d8da8000000 e8???????? }
            // n = 4, score = 2100
            //   53                   | push                ebx
            //   68????????           |                     
            //   8d8da8000000         | lea                 ecx, [ebp + 0xa8]
            //   e8????????           |                     

        $sequence_19 = { c3 55 8bec 83ec0c 8365fc00 8365f400 8365f800 }
            // n = 7, score = 1900
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8365f400             | and                 dword ptr [ebp - 0xc], 0
            //   8365f800             | and                 dword ptr [ebp - 8], 0

        $sequence_20 = { c20400 56 8bf1 e8???????? 6a00 ff74240c 8bce }
            // n = 7, score = 1800
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   8bce                 | mov                 ecx, esi

        $sequence_21 = { 0faf450c 50 e8???????? 59 }
            // n = 4, score = 1800
            //   0faf450c             | imul                eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_22 = { 8b4508 8906 8b450c 894608 }
            // n = 4, score = 1800
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   894608               | mov                 dword ptr [esi + 8], eax

        $sequence_23 = { 8b4120 8910 8b4130 8910 c3 56 }
            // n = 6, score = 1800
            //   8b4120               | mov                 eax, dword ptr [ecx + 0x20]
            //   8910                 | mov                 dword ptr [eax], edx
            //   8b4130               | mov                 eax, dword ptr [ecx + 0x30]
            //   8910                 | mov                 dword ptr [eax], edx
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_24 = { e8???????? c9 c3 55 8bec 83ec18 8b450c }
            // n = 7, score = 1800
            //   e8????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec18               | sub                 esp, 0x18
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_25 = { 8d852cffffff 50 8d459c 50 }
            // n = 4, score = 1800
            //   8d852cffffff         | lea                 eax, [ebp - 0xd4]
            //   50                   | push                eax
            //   8d459c               | lea                 eax, [ebp - 0x64]
            //   50                   | push                eax

        $sequence_26 = { 6860ea0000 6a00 ff15???????? 50 }
            // n = 4, score = 800
            //   6860ea0000           | push                0xea60
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_27 = { 50 ff15???????? 6a1a e8???????? }
            // n = 4, score = 800
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a1a                 | push                0x1a
            //   e8????????           |                     

        $sequence_28 = { 5f c21000 8bff 55 8bec 6a0a }
            // n = 6, score = 700
            //   5f                   | pop                 edi
            //   c21000               | ret                 0x10
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   6a0a                 | push                0xa

        $sequence_29 = { e8???????? 83c410 85c0 7404 6a99 ebcc }
            // n = 6, score = 600
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6
            //   6a99                 | push                -0x67
            //   ebcc                 | jmp                 0xffffffce

        $sequence_30 = { 7410 84c0 7406 3ac8 7c14 }
            // n = 5, score = 500
            //   7410                 | je                  0x12
            //   84c0                 | test                al, al
            //   7406                 | je                  8
            //   3ac8                 | cmp                 cl, al
            //   7c14                 | jl                  0x16

        $sequence_31 = { 7408 ff36 e8???????? 59 834e04ff 8b06 }
            // n = 6, score = 500
            //   7408                 | je                  0xa
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   834e04ff             | or                  dword ptr [esi + 4], 0xffffffff
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_32 = { e8???????? 83c408 84c0 740e 68???????? }
            // n = 5, score = 300
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   84c0                 | test                al, al
            //   740e                 | je                  0x10
            //   68????????           |                     

        $sequence_33 = { 6a0b 6a10 e8???????? 83c41c 8be5 }
            // n = 5, score = 200
            //   6a0b                 | push                0xb
            //   6a10                 | push                0x10
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   8be5                 | mov                 esp, ebp

        $sequence_34 = { eb0b 8b45f4 0500040000 8945f4 }
            // n = 4, score = 200
            //   eb0b                 | jmp                 0xd
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0500040000           | add                 eax, 0x400
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_35 = { 83ec08 dd4508 dd1c24 6a0b 6a08 }
            // n = 5, score = 200
            //   83ec08               | sub                 esp, 8
            //   dd4508               | fld                 qword ptr [ebp + 8]
            //   dd1c24               | fstp                qword ptr [esp]
            //   6a0b                 | push                0xb
            //   6a08                 | push                8

        $sequence_36 = { 8bc6 8b35???????? 99 2bc2 }
            // n = 4, score = 100
            //   8bc6                 | mov                 eax, esi
            //   8b35????????         |                     
            //   99                   | cdq                 
            //   2bc2                 | sub                 eax, edx

        $sequence_37 = { 8bc6 5f 5e 5d 5b 81c460010000 c3 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   81c460010000         | add                 esp, 0x160
            //   c3                   | ret                 

    condition:
        7 of them and filesize < 2793472
}
[TLP:WHITE] win_vidar_w0   (20190106 | Yara rule for detecting Vidar stealer)
rule win_vidar_w0 {
    meta:
        description = "Yara rule for detecting Vidar stealer"
        author = "Fumik0_"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s1 = { 56 69 64 61 72 }
        $s2 = { 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 }
        
    condition:
        all of them
}
Download all Yara Rules