Infor Stealer Vidar TrojanSpy Analysis
Published: 2019-03-11 · Archived: 2026-04-02 11:43:58 UTC

When I first got this malware sample, I thought it was a new variant of AZORult because the strings and some of the code are really the same, but this malware has some features that AZORult does not, and vice versa. This malware family is known as Vidar; it tries to steal sensitive information about the machine, browsers, cryptocurrency wallets and more.

Kill Switch:

The first part of this malware is a kill switch: it exits if the LocaleName is one of the following:

ru-RU - Russian
be-BY - Belarusian
uz-UZ - Uzbek
kk-KZ - Kazakh
az-AZ - Azerbaijani

resource: http://www.lingoes.net/en/translator/langcode.htm

Because of this check the sample never gets past the first block on a machine with one of these locales, so a sandbox configured with such a locale will only ever record the exit path. If the LocaleName is not in that list, it creates a mutex whose name is based on the HardwareGUID and MachineGUID of the infected machine.

figure 1: the kill switch

Other Behavior:

It then initializes a set of strings and commands that can be used as IOCs for this malware.

figure 2: part of string initialization

Then it generates a random folder name in the %ProgramData% directory and creates a "files" folder inside it, which holds everything it collects from the infected machine.

figure 3: the generated folder for the information it steals

Then it contacts http://ip-api.com/line/ to retrieve network information about the infected machine and logs it to "information.txt".

figure 4: retrieving network information

"files/information.txt" also contains other sensitive information about the infected machine that will later be sent to the C&C server. The way it gathers this is interesting: most of it is read from the registry or obtained through Windows APIs.
figure 5: information.txt

It also steals from several known cryptocurrency wallets: Ethereum, Electrum, ElectronCash, Exodus, MultiDoge, JAXX.

figure 6: cryptocurrency wallet parsing

It also does substring checks in wallet.dat for noteworthy strings.

figure 7: checking substrings in wallet.dat

It can take screenshots of the infected machine.

figure 8: creating screenshots

It also tries to harvest credentials from different browsers.

figure 9: parsing credentials in different browsers

For browsers that keep cookies, login data, history and so on in SQLite databases, it downloads several legitimate DLLs from its C&C server and uses them to run SQL queries against those databases. The DLLs themselves (nss3.dll and the other Mozilla NSS libraries named in the YARA rule at the end of the post) are benign components that ship with Firefox, so for detection the signal is their download by an unknown process and their deletion shortly afterwards, not the files as such.

figure 10: nss3.dll for parsing the browser's sqlite db

After collecting the data, it deletes those DLLs to erase its footprint on the machine.

figure 11: deleting footprints

It also has a function that enumerates Outlook's stored account data and looks for a "Password" entry.

Then it sends a POST request to its C&C server containing a zip of all the logs it collected from the infected machine.

Conclusion:

This malware shows some interesting techniques for grabbing sensitive information from a Windows system, taking advantage of the data kept by browsers, cryptocurrency wallets and many other applications.
IOC:

Sha1: 29818d101ebd8216bcaf627b4a5a0bcb753343ad
Sha256: 076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c

YARA:

The rule is written for the unpacked sample, so apply it to the unpacked binary or a process memory dump rather than to a packed dropper.

    import "pe"

    rule vidar_win32_unpack {
        meta:
            author = "tcontre"
            description = "detecting vidar unpack malware"
            date = "2019-03-11"
            sha256 = "076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c"

        strings:
            $mz = { 4d 5a }
            $s1 = "SELECT host, name, value FROM moz_cookies" fullword
            $s2 = "Vidar Version:" fullword
            $s3 = "card_number_encrypted FROM credit_cards" fullword
            $c0 = "softokn3.dll" fullword
            $c1 = "nss3.dll" fullword
            $c2 = "mozglue.dll" fullword
            $c3 = "freebl3.dll" fullword
            $code1 = { C6 45 FC 30 E8 ?? ?? ?? ?? 83 78 14 08 C6 45 FC 31 72 02 }

        condition:
            ($mz at 0) and all of ($s*) and 2 of ($c*) and all of ($code*)
    }

Source: https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html
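To show exactly what the rule's condition requires, the following added example (written for this edit, not the author's rule or code) re-implements the condition in plain Python, including the fullword modifier and the ?? wildcards of $code1, and evaluates it over constructed byte buffers. The buffers are stand-ins assembled from the rule's own strings, not real Vidar data; the four bytes placed in the wildcard positions and the layout of the buffer are assumptions. Only the whole-byte ?? wildcard is implemented, which is all this rule uses.

```python
"""Added example: the vidar_win32_unpack condition re-implemented in Python and
run over constructed buffers (not the blog author's code)."""
import re

# Transcribed from the rule. Only the "??" whole-byte wildcard is handled here;
# real YARA hex strings also allow nibble wildcards, jumps and alternatives.
MZ = b"MZ"
S_STRINGS = [
    b"SELECT host, name, value FROM moz_cookies",
    b"Vidar Version:",
    b"card_number_encrypted FROM credit_cards",
]
C_STRINGS = [b"softokn3.dll", b"nss3.dll", b"mozglue.dll", b"freebl3.dll"]
CODE1 = "C6 45 FC 30 E8 ?? ?? ?? ?? 83 78 14 08 C6 45 FC 31 72 02"


def hex_pattern_to_regex(pattern):
    """Turn a YARA hex string with ?? wildcards into a compiled bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def fullword_matches(data, needle):
    """YARA 'fullword': some occurrence must not be bordered by alphanumeric bytes,
    so 'nss3.dll' inside 'libnss3.dll' does not count."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1


def vidar_win32_unpack(data):
    """($mz at 0) and all of ($s*) and 2 of ($c*) and all of ($code*)"""
    if data[:2] != MZ:
        return False
    if not all(fullword_matches(data, s) for s in S_STRINGS):
        return False
    if sum(fullword_matches(data, c) for c in C_STRINGS) < 2:
        return False
    return hex_pattern_to_regex(CODE1).search(data) is not None


def build_sample(strings, code_bytes, header=MZ):
    """Constructed stand-in for an unpacked image: header, padding, each string
    NUL-terminated as it would sit in .rdata, then the code bytes."""
    body = b"".join(s + b"\x00" for s in strings)
    return header + b"\x00" * 62 + body + code_bytes


# The four wildcard positions hold an arbitrary (assumed) rel32 call target.
CODE1_INSTANCE = (bytes.fromhex("C645FC30E8") + b"\x11\x22\x33\x44"
                  + bytes.fromhex("83781408C645FC317202"))

# Constructed buffers: one that satisfies every clause and two near misses.
POSITIVE = build_sample(S_STRINGS + C_STRINGS, CODE1_INSTANCE)
# One required $s string missing: the rule demands all of ($s*).
MISSING_VERSION = build_sample(
    [s for s in S_STRINGS if s != b"Vidar Version:"] + C_STRINGS, CODE1_INSTANCE)
# Two DLL names embedded in longer words: fullword rejects them, leaving a single $c hit.
FULLWORD_TRAP = build_sample(
    S_STRINGS + [b"libnss3.dll", b"libmozglue.dll", b"softokn3.dll"], CODE1_INSTANCE)


if __name__ == "__main__":
    for name, buf in [("positive", POSITIVE), ("missing $s2", MISSING_VERSION),
                      ("fullword trap", FULLWORD_TRAP)]:
        print(f"{name}: {vidar_win32_unpack(buf)}")
```

The fullword trap is the case worth remembering when tuning this rule: a naive substring scan sees all three DLL names in that buffer, while the rule as written counts only softokn3.dll, so 2 of ($c*) fails. Conversely, the 2-of-4 threshold means the rule still fires if the sample drops or renames two of the NSS libraries.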