SYMBOLCOMMON_NAMEaka. SYNONYMS
win.vidar (Back to overview)

vidar


Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.

References
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-05CybereasonLior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Ransomware vidar
2019-03-11tcontre
@online{tcontre:20190311:infor:d8863ed, author = {tcontre}, title = {{Infor Stealer Vidar TrojanSpy Analysis...}}, date = {2019-03-11}, url = {https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html}, language = {English}, urldate = {2020-01-05} } Infor Stealer Vidar TrojanSpy Analysis...
vidar
2019-01-07Bleeping ComputerIonut Ilascu
@online{ilascu:20190107:gandcrab:8167b7f, author = {Ionut Ilascu}, title = {{GandCrab Operators Use Vidar Infostealer as a Forerunner}}, date = {2019-01-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/}, language = {English}, urldate = {2019-12-20} } GandCrab Operators Use Vidar Infostealer as a Forerunner
Gandcrab vidar
2018-12-24fumik0 blogfumik0
@online{fumik0:20181224:lets:f7dfc2c, author = {fumik0}, title = {{Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)}}, date = {2018-12-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/}, language = {English}, urldate = {2020-01-13} } Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
vidar
Yara Rules
[TLP:WHITE] win_vidar_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_vidar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 8b742408 8b06 8b4804 6a0a }
            // n = 5, score = 1000
            //   56                   | push                esi
            //   8b742408             | mov                 esi, dword ptr [esp + 8]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   6a0a                 | push                0xa

        $sequence_1 = { c3 56 8d71f8 8bce e8???????? f644240801 7407 }
            // n = 7, score = 1000
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8d71f8               | lea                 esi, [ecx - 8]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   f644240801           | test                byte ptr [esp + 8], 1
            //   7407                 | je                  9

        $sequence_2 = { 8b4508 8906 8b450c 894608 }
            // n = 4, score = 1000
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   894608               | mov                 dword ptr [esi + 8], eax

        $sequence_3 = { e8???????? 59 83f8ff 7503 32c0 c3 8b4c2404 }
            // n = 7, score = 1000
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83f8ff               | cmp                 eax, -1
            //   7503                 | jne                 5
            //   32c0                 | xor                 al, al
            //   c3                   | ret                 
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]

        $sequence_4 = { 5e c20400 b001 c3 33c0 }
            // n = 5, score = 1000
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   b001                 | mov                 al, 1
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax

        $sequence_5 = { c9 c3 8b542408 85d2 7503 33c0 c3 }
            // n = 7, score = 1000
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   85d2                 | test                edx, edx
            //   7503                 | jne                 5
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 

        $sequence_6 = { e8???????? 0fb6c0 50 ff742410 56 e8???????? 83c40c }
            // n = 7, score = 1000
            //   e8????????           |                     
            //   0fb6c0               | movzx               eax, al
            //   50                   | push                eax
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_7 = { 5e c20800 56 57 8b7c240c 8b07 }
            // n = 6, score = 1000
            //   5e                   | pop                 esi
            //   c20800               | ret                 8
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_8 = { c3 8bff 55 8bec 83ec0c c745fc00000000 }
            // n = 6, score = 200
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_9 = { 6a0b 6a10 e8???????? 83c41c 8be5 }
            // n = 5, score = 200
            //   6a0b                 | push                0xb
            //   6a10                 | push                0x10
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   8be5                 | mov                 esp, ebp

        $sequence_10 = { dc05???????? 83ec08 dd1c24 83ec08 dd4508 dd1c24 6a0b }
            // n = 7, score = 200
            //   dc05????????         |                     
            //   83ec08               | sub                 esp, 8
            //   dd1c24               | fstp                qword ptr [esp]
            //   83ec08               | sub                 esp, 8
            //   dd4508               | fld                 qword ptr [ebp + 8]
            //   dd1c24               | fstp                qword ptr [esp]
            //   6a0b                 | push                0xb

        $sequence_11 = { 8d4e01 894c2424 83fd10 723d 8b742430 56 50 }
            // n = 7, score = 100
            //   8d4e01               | lea                 ecx, [esi + 1]
            //   894c2424             | mov                 dword ptr [esp + 0x24], ecx
            //   83fd10               | cmp                 ebp, 0x10
            //   723d                 | jb                  0x3f
            //   8b742430             | mov                 esi, dword ptr [esp + 0x30]
            //   56                   | push                esi
            //   50                   | push                eax

        $sequence_12 = { e8???????? 83c418 837d0802 757f 8b4d08 8b148d48e94800 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   837d0802             | cmp                 dword ptr [ebp + 8], 2
            //   757f                 | jne                 0x81
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b148d48e94800       | mov                 edx, dword ptr [ecx*4 + 0x48e948]

        $sequence_13 = { e8???????? 83c404 8bd8 895dd0 8b4de4 8d04cd00000000 2bc1 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bd8                 | mov                 ebx, eax
            //   895dd0               | mov                 dword ptr [ebp - 0x30], ebx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   8d04cd00000000       | lea                 eax, [ecx*8]
            //   2bc1                 | sub                 eax, ecx

    condition:
        7 of them and filesize < 2793472
}
[TLP:WHITE] win_vidar_w0   (20190106 | Yara rule for detecting Vidar stealer)
rule win_vidar_w0 {
    meta:
        description = "Yara rule for detecting Vidar stealer"
        author = "Fumik0_"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s1 = { 56 69 64 61 72 }
        $s2 = { 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 }
        
    condition:
        all of them
}
Download all Yara Rules