{
	"id": "12bd51c7-4031-42e3-9060-6ca278547d04",
	"created_at": "2026-04-06T00:17:31.536981Z",
	"updated_at": "2026-04-10T03:37:08.756364Z",
	"deleted_at": null,
	"sha1_hash": "0b7e9698c7f430e34a725326c0a7e9db90453da3",
	"title": "Infor Stealer Vidar TrojanSpy Analysis...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 746652,
	"plain_text": "Infor Stealer Vidar TrojanSpy Analysis...\r\nPublished: 2019-03-11 · Archived: 2026-04-02 11:43:58 UTC\r\nWhen I first got this malware sample, I thought this is a new variant of azorult because the strings, some code are\r\nreally the same but this malware does some features that azorult not and vice versa. This malware family is known\r\nto be named as VIDAR that try to steal some sensitive information of the machine, browser, bitcoin wallet and etc.\r\nKill Switch:\r\nThe first part of this malware is a kill switch where it will exit its code if the LocaleName is either of the\r\nfollowing: \r\nru-Ru - Russian\r\nbe-BY - Belarusian\r\nuz-UZ - Uzbekistan\r\n kk-KZ - Kazakhstan\r\n az-AZ - Azerbaijan\r\nresource: http://www.lingoes.net/en/translator/langcode.htm\r\nIf LocaleName is not of those list, it will create a Mutex name base on the HardwareGUID \u0026 machineGUID of\r\nthe infected machine.\r\nfigure 1: the Kill switch\r\nhttps://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html\r\nPage 1 of 10\n\nOther Behavior:\r\nIt will now initialized a bunch of strings and commands that can be use as IOC for this malware.\r\nfigure 2: part of string initialization\r\nThen it will generate a random folder name in %programdata% directory and create a \"files\" folder inside it, that\r\nwill contain all the information it will parse in the infected machine.\r\nfigure 3: the generated folder for  the information it steal.\r\nthen it will try to contact \"http://ip-api.com/line/\" to retrieve some network information of the infected machine\r\nand log it to a  \"information.txt\".\r\nhttps://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html\r\nPage 2 of 10\n\nfigure 4: retrieving network information\r\n The \"files/information.txt\" also contains several sensitive information of the infected machine that will be soon\r\nsend to its C\u0026C server. 
The way it collects this data is interesting: most of it is read from the registry or through Windows APIs.\r\nfigure 5: information.txt\r\nIt also has features to steal from several known cryptocurrency wallets: Ethereum, Electrum, ElectronCash, Exodus, MultiDoge, JAXX.\r\nfigure 6: bitcoin wallet parsing\r\nIt also performs substring checks on wallet.dat for noteworthy strings.\r\nfigure 7: checking substrings in wallet.dat\r\nIt can also take screenshots of the infected machine.\r\nfigure 8: creating screenshots\r\nIt also tries to extract saved credentials from different browsers.\r\nfigure 9: parsing credentials in different browsers\r\nFor browsers that keep cookies, login data, history and so on in SQLite databases, 
it downloads several legitimate DLLs (Mozilla's NSS libraries, see figure 10) from its C\u0026C server and uses them to run SQL queries that extract that information.\r\nfigure 10: nss3.dll for parsing the browser's SQLite database\r\nAfter collecting all the sensitive information, it deletes those DLLs to erase its footprint on the machine.\r\nfigure 11: deleting footprints\r\nIt also has a function that enumerates the Outlook signature and looks for \"Password entry\".\r\nThen it sends a POST request to its C\u0026C server containing a zip of all the logs it collected from the infected machine.\r\nConclusion:\r\nThis malware shows some interesting ways of grabbing sensitive information from a Windows system, taking advantage of the data kept by browsers, cryptocurrency wallets and more.\r\nIOC :\r\nSha1: 29818d101ebd8216bcaf627b4a5a0bcb753343ad\r\nSha256: 076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c\r\nYARA :\r\nimport \"pe\"\r\nrule vidar_win32_unpack {\r\n    meta:\r\n        author = \"tcontre\"\r\n        description = \"detecting vidar unpack malware\"\r\n        date = \"2019-03-11\"\r\n        sha256 = \"076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c\"\r\n    strings:\r\n        $mz = { 4d 5a }\r\n        $s1 = \"SELECT host, name, value FROM moz_cookies\" fullword\r\n        $s2 = \"Vidar Version:\" fullword\r\n        $s3 = \"card_number_encrypted FROM credit_cards\" fullword\r\n        $c0 = \"softokn3.dll\" fullword\r\n        $c1 = \"nss3.dll\" fullword\r\n        $c2 = \"mozglue.dll\" fullword\r\n        $c3 = \"freebl3.dll\" fullword\r\n        $code1 = { C6 45 FC 30 E8 ?? ?? ?? ?? 83 78 14 08 C6 45 FC 31 72 02 }\r\n    condition:\r\n        ($mz at 0) and all of ($s*) and 2 of ($c*) and all of ($code*)\r\n}\r\nSource: https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html"
	],
	"report_names": [
		"infor-stealer-vidar-trojanspy-analysis.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434651,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b7e9698c7f430e34a725326c0a7e9db90453da3.pdf",
		"text": "https://archive.orkl.eu/0b7e9698c7f430e34a725326c0a7e9db90453da3.txt",
		"img": "https://archive.orkl.eu/0b7e9698c7f430e34a725326c0a7e9db90453da3.jpg"
	}
}