{
	"id": "0fb2f3ef-7bf1-4020-bde0-e5b894a040df",
	"created_at": "2026-04-06T00:10:35.387668Z",
	"updated_at": "2026-04-10T03:21:21.988268Z",
	"deleted_at": null,
	"sha1_hash": "42701e0a901c6ad514f1fec00be5343261d9d0ff",
	"title": "Vidar Stealer H\u0026M Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1154961,
	"plain_text": "Vidar Stealer H\u0026M Campaign\r\nBy 0xToxin\r\nPublished: 2023-02-20 · Archived: 2026-04-05 16:27:08 UTC\r\nIntro\r\nIn this blog I’ll be covering a recent phishing campaign that targeted content creators while impersonating a brand offering those creators a collaboration deal.\r\nThe Phish\r\nThe email the target receives includes a short explanation that the company wants to partner with him; it explains when and for how long to show the promo video and, of course, how much money he will receive as payment.\r\nAt the bottom of the email the target finds a link to the promotion materials and his personal password:\r\nhttps://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/\r\nPage 1 of 26\r\nThe promotion materials link leads to Google Drive, where the user is asked to download an archive named: H\u0026M Corporation Advertising Contract.zip\r\nThe archive contains several decoy files associated with H\u0026M and a 600MB .scr file named: H\u0026M Advertising contract and Payment information.pdf.scr\r\nTwo things are worth noting here: an .scr file is an ordinary PE executable, so the .pdf.scr double extension only fools a user whose Explorer hides known extensions, and the 600MB size is almost certainly padding, a common trick to push the file above the size limits of AV engines and sandboxes that skip or time out on very large files.\r\n.NET Loader\r\nOpening the loader in DiE, we can see that it is a 32-bit .NET assembly protected with SmartAssembly:\r\nI’ve opened the loader in dnSpy to further analyze it. 
The first thing I see is confirmation that the loader is protected with SmartAssembly: the PoweredBy attribute is visible in the assembly’s static information fields:\r\nLooking at the entry point, it is clear that working with the loader in this state won’t be efficient:\r\nI will be using SAE (Simple Assembly Explorer) to deobfuscate the code, using its deobfuscator feature:\r\nI’m using the default settings, as they fit my needs:\r\nOpening the deobfuscated output file in dnSpy, we now see much clearer code:\r\nSeveral interesting actions happen in the loader:\r\n1. A c000009 instance is created; its internal field holds the path of the process that will be injected into.\r\n2. The instance is then passed to the method c000066.m000022. This method does several things, the first being a call to c000066.m00007b, passing the string fInckSommmenn twice.\r\n3. The method c000066.m00007b simply fetches the resource content from the binary’s resources:\r\n4. Then the method c000066.m000019 is invoked with the extracted resource content, the string fInckSommmenn and the c000009 instance.\r\n5. This method decrypts the payload with an XOR routine and returns the decrypted binary.\r\n6. 
After decryption, the decrypted binary is passed, together with the full path of the target process, to the method c000066.m00002a, which injects the decrypted binary into that process.\r\nI’ve created a PowerShell script that extracts the decrypted binary by invoking the necessary methods through reflection. Note that this runs the loader’s own code (the resource fetch and the decryption method) inside your PowerShell process, so only do this in an isolated analysis VM, after confirming in the decompiler that the invoked methods do nothing beyond what is described above:\r\n# Load the loader assembly into this process (no managed code runs at load time).\r\n$assembly = [System.Reflection.Assembly]::LoadFile(\"C:\\Users\\igal\\Desktop\\loader.exe\")\r\n# Initialize an \"NS005.c000009\" object, the argument the decryption method expects.\r\n$ini = [Activator]::CreateInstance($assembly.Modules[0].GetType(\"NS005.c000009\"),@())\r\n# Retrieve the resource fetching method and invoke it.\r\n$classType2 = $assembly.GetType(\"NS004.c000066\")\r\n$array = $classType2.GetMethod(\"m00007b\").Invoke($null,@(\"fInckSommmenn\", \"fInckSommmenn\"))\r\n# Invoke the decryption method with the necessary arguments.\r\n$fixedArray = $classType2.GetMethod(\"m000019\").Invoke($null,@($array, \"fInckSommmenn\", $ini))\r\n# Write the output to a file.\r\n[io.file]::WriteAllBytes('C:\\Users\\igal\\Desktop\\payload.bin',$fixedArray)\r\nVidar Payload\r\nIn this part of the blog I will be going through some of the Vidar stealer capabilities, evasion techniques and anti-analysis tricks. 
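Before opening the payload in DiE it is worth checking that the blob written by the script above is really a PE image and not the output of a wrong key or a different scheme. The Python below is an added example and not code from the original post: the page only says the loader uses an XOR routine, so the repeating-key scheme, and the assumption that the key is the ASCII bytes of the string fInckSommmenn, are mine, and the sample image is constructed inline. It validates the MZ and PE signatures before anything is written to disk.

```python
# Added example (not from the original post): repeating-key XOR unpacking with
# a PE header sanity check. The loader's real XOR routine is not documented on
# the page; deriving the key from the ASCII bytes of the string passed to the
# decryption method is an assumption made for this illustration.
import struct

KEY = b'fInckSommmenn'  # string the loader passes to c000066.m000019

def xor_decrypt(data: bytes, key: bytes) -> bytes:
    # Byte i of the ciphertext is XORed with key byte (i mod len(key)).
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(blob: bytes) -> bool:
    # A valid image starts with MZ, and e_lfanew (DWORD at 0x3C) must point
    # inside the blob at a PE signature (0x50 0x45 0x00 0x00).
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == bytes([0x50, 0x45, 0, 0])

def unpack_payload(resource: bytes, key: bytes = KEY):
    # Decrypt the resource and only return it if it decrypts to a PE image;
    # a wrong key or a different scheme yields None instead of junk on disk.
    plain = xor_decrypt(resource, key)
    return plain if looks_like_pe(plain) else None

def fake_pe(size: int = 0x200) -> bytes:
    # Constructed stand-in for the decrypted Vidar binary: a DOS header whose
    # e_lfanew points at 0x80, a PE signature there, and filler elsewhere.
    img = bytearray(size)
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0x80)
    img[0x80:0x84] = bytes([0x50, 0x45, 0, 0])
    for i in range(0x84, size):
        img[i] = (i * 7) & 0xFF
    return bytes(img)

def demo():
    original = fake_pe()
    resource = xor_decrypt(original, KEY)     # what the packed resource would hold
    good = unpack_payload(resource)           # correct key -> PE image back
    bad = unpack_payload(resource, b'wrong')  # wrong key -> rejected
    return good == original, bad is None

if __name__ == '__main__':
    ok, rejected = demo()
    print('payload recovered:', ok, '| wrong key rejected:', rejected)
```

The same check is worth keeping in the PowerShell flow: if the first two bytes of $fixedArray are not 4D 5A, the invoked method or its arguments are wrong and the file should not be loaded into DiE or IDA.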
Opening the payload in DiE we can see that it’s a 32-bit C/C++ binary:\r\nAnti-Analysis Nightmare\r\nI’ve opened the payload in IDA, and the first thing that happened is that WinMain was not recognized as a function but as a bare instruction:\r\nI tried to convert it to a function by pressing P, but this wasn’t helpful, so I scrolled down a bit and found a chunk of data that wasn’t converted to code as it should have been:\r\nI then pressed C to convert that data to code. Now that we have instructions instead of data, I selected all the instructions from the beginning of WinMain up to the mov - pop - retn sequence that marks the end of the function (in my case the instruction range was 0x4156B0 - 0x415891) and created the function from that selection.\r\nNow I start working with the decompiler view, and I notice that the decompilation is a bit broken:\r\nOne thing that was done here to confuse the decompiler is the use of opaque predicates.\r\n“Opaque predicate is a term used in programming to refer to decision making where there is only one possible outcome. This can be achieved through the use of complex or hard-to-understand logic, such as calculating a value that will always return True. Opaque predicates are often used as anti-disassembling techniques, as they can make it difficult for an analyst to understand the code and determine its intent. By using opaque predicates, malware authors can make their code more difficult to reverse engineer, which can help to evade detection and analysis.” (Unprotect Project definition)\r\nHere the predicate takes the form of a JZ immediately followed by a JNZ (or the reverse) to the same target: exactly one of the two branches is always taken, and the bytes after the pair are never executed as written, which is what throws the disassembler off. We can use @_n1ghtw0lf’s IDAPython script to patch each pair into an unconditional JMP:\r\nimport idc\r\nea = 0\r\nwhile True:\r\n ea = min(idc.find_binary(ea, idc.SEARCH_NEXT | idc.SEARCH_DOWN, \"74 ? 
75 ?\"), # JZ / JNZ\r\n idc.find_binary(ea, idc.SEARCH_NEXT | idc.SEARCH_DOWN, \"75 ? 74 ?\")) # JNZ / JZ\r\n if ea == idc.BADADDR:\r\n  break\r\n # Added guard (not in the original script): only patch when both short jumps\r\n # land on the same address, i.e. when the pair really is an opaque predicate.\r\n # rel8 displacements are signed; the targets are ea+2+disp1 and ea+4+disp2.\r\n disp1 = (idc.get_wide_byte(ea + 1) ^ 0x80) - 0x80\r\n disp2 = (idc.get_wide_byte(ea + 3) ^ 0x80) - 0x80\r\n if ea + 2 + disp1 != ea + 4 + disp2:\r\n  continue\r\n idc.patch_byte(ea, 0xEB) # JMP, keeps the first jump's displacement\r\n idc.patch_byte(ea+2, 0x90) # NOP\r\n idc.patch_byte(ea+3, 0x90) # NOP\r\nAfter running the script the decompiler output looks a bit better:\r\nBut there is still code missing, because we can see a JUMPOUT instruction. Looking at the address referenced by the instruction, we can see that the instruction there is:\r\nClearly that’s wrong and has nothing to do with the actual code (it is an artifact of converting all of the data to code); it can be repaired by simply undefining the instruction. But after that we still see an unclear JUMPOUT:\r\nagain the same strange mov instruction to eax:\r\nIt can be fixed with the same approach as before.\r\nAfter cleaning up the code we have a “clear” function:\r\nThe author added a lot of junk calls to the code to make our life a bit harder, but we can simply ignore them and follow the real function calls.\r\nSelf Termination Triggers\r\nThis Vidar payload has several triggers that lead to self-termination of the payload.\r\nThe first one is a call to VirtualAllocExNuma, which requests memory on a specific NUMA node; the call fails in some sandboxes and emulators that do not implement NUMA allocation, so a failed call tells the payload it is being analyzed and it terminates:\r\nThe second check looks at the physical memory of the computer (whether it is above 769MB or not); if it is below the defined size the payload terminates:\r\nThe last check occurs after the string decryption and API resolving functions (covered in a moment): it retrieves the computer name and compares it to HAL9TH, and retrieves the user name and compares it to JohnDoe (these are the values used by the Microsoft Defender antimalware emulator). 
If one of the retrieved values matches, the payload terminates itself:\r\nStrings Decryption\r\nAs in most Vidar variants, the strings are simply XOR’ed. The decryption function receives 3 parameters:\r\n1. Length\r\n2. XOR key\r\n3. Encrypted string\r\nI’ve used the script written by @eln0ty and modified it a bit to fit my needs:\r\nimport idc\r\n\r\nSTART = 0x401190\r\nEND = 0x40134D\r\nTEMP = 0x0\r\nFLAG = True\r\n'''\r\n[0] = Encrypted String.\r\n[1] = Xor Key.\r\n[2] = Length.\r\n'''\r\nVALUES = []\r\nea = START\r\n\r\n# XOR decryption helper function.\r\ndef xorDecrypt(encString, xorKey, keyLen):\r\n    decoded = []\r\n    for i in range(0, len(encString)):\r\n        decoded.append(encString[i] ^ xorKey[i % keyLen])\r\n    return bytes(decoded)\r\n\r\nwhile ea \u003c= END:\r\n    # Collect the call arguments: two pushed immediates (encrypted string, key)\r\n    # followed by the length moved into a register.\r\n    if idc.get_operand_type(ea, 0) == idc.o_imm:\r\n        VALUES.append(idc.get_operand_value(ea, 0))\r\n    if len(VALUES) == 2:\r\n        if idc.get_operand_type(ea, 0) == idc.o_reg:\r\n            VALUES.append(idc.get_operand_value(ea, 1))\r\n    if idc.print_insn_mnem(ea) == \"call\":\r\n        length = VALUES[2]\r\n        data = idc.get_bytes(VALUES[0], length)\r\n        key = idc.get_bytes(VALUES[1], length)\r\n        VALUES = []\r\n        TEMP = ea\r\n        # After the call, look for the mov that stores the returned pointer (eax)\r\n        # into a global; that global is named after the decrypted string.\r\n        while FLAG:\r\n            ea = idc.next_head(ea, END)\r\n            if ea == idc.BADADDR:\r\n                # Added guard: no matching mov before END, stop instead of looping.\r\n                break\r\n            # The tail of this condition was cut off in the PDF; the reconstruction\r\n            # (source operand is a register) is an assumption.\r\n            if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_mem) and (idc.get_operand_type(ea, 1) == idc.o_reg):\r\n                dec = xorDecrypt(data, key, length).decode('ISO-8859-1')\r\n                print(f'current location:{hex(ea)}, value will be: {dec}')\r\n                dwordVar = idc.get_operand_value(ea, 0)\r\n                idc.set_cmt(ea, dec, 1)\r\n                idc.set_name(dwordVar, \"STR_\" + dec, idc.SN_NOWARN)\r\n                FLAG = False\r\n                ea = TEMP\r\n                break\r\n    # move to next instruction\r\n    FLAG = True\r\n    ea = idc.next_head(ea, END)\r\nQuick note: some of the names won’t be assigned properly due to IDA 
syntax, so I’ve added the plain string as a comment in the disassembler. For example:\r\nDecoded strings output:\r\nDynamic API Resolving\r\nVidar uses LoadLibraryA and GetProcAddress to resolve the APIs it needs, using the strings it just decrypted as module and function names:\r\nOnce again I used the script written by @eln0ty to rename the variables for easier analysis:\r\nimport idc\r\n\r\nstart = 0x420874\r\nend = 0x420901\r\nea = start\r\napi_names = []\r\n\r\nwhile ea \u003c= end:\r\n    # get GetProcAddress API name: a mov that loads the STR_ global holding the\r\n    # decrypted name (the tail of this condition was cut off in the PDF; the\r\n    # reconstruction, source operand is a memory reference, is an assumption)\r\n    if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_reg) and (idc.get_operand_type(ea, 1) == idc.o_mem):\r\n        addr = idc.get_operand_value(ea, 1)\r\n        name = idc.get_name(addr)\r\n        if name.startswith(\"STR_\"):\r\n            api_names.append(name)\r\n    # assign GetProcAddress result (returned in eax) to global var (the tail of\r\n    # this condition was reconstructed the same way; the api_names check is an\r\n    # added guard against stores that are not API results)\r\n    if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_mem) and (idc.print_operand(ea, 1) == \"eax\") and api_names:\r\n        addr = idc.get_operand_value(ea, 0)\r\n        name = api_names.pop(0)\r\n        idc.set_name(addr, \"API_\" + name[4:])\r\n    # move to next instruction\r\n    ea = idc.next_head(ea, end)\r\nC2 Communication - Init Communication\r\nIn order to harvest all the data it is looking for, Vidar needs some DLLs, which it fetches from a C2 server. Below is a short explanation of the DLLs Vidar retrieves from the C2:\r\nDLL Name Description\r\nfreebl3.dll Network Security Services (NSS) from Mozilla Foundation\r\nmozglue.dll Memory management for Mozilla applications\r\nmsvcp140.dll Microsoft Visual C++ library for C++ programming\r\nnss3.dll Network security services for SSL/TLS encryption\r\nsoftokn3.dll Cryptographic library for key management and encryption/decryption\r\nsqlite3.dll Accessing and managing SQLite databases\r\nvcruntime140.dll Microsoft 
Visual C++ library for memory management and I/O\r\nThese are legitimate libraries: the NSS set (nss3, freebl3, softokn3, mozglue) is what Firefox itself uses to protect saved logins, and sqlite3 is needed to read the browsers’ SQLite databases, so a host downloading exactly this set of DLLs from one server shortly after infection is a useful network indicator.\r\nIn my case the C2 address was obtained from two dead-drop resolvers, a Telegram channel and a Steam profile (the address is parsed out of the public page, so the operator can rotate C2s without rebuilding the sample):\r\nTelegram:\r\nSteam:\r\nAnd in case both of them are down, a hardcoded C2 is present as a backup:\r\nAfter retrieving the C2, Vidar sends a POST request to the URI:\r\nIn my case the bot id is 907, which is also stored as a plain string:\r\nAfter that first request is made the client receives a response from the server that looks like this:\r\n1,1,1,1,1,b36abae611984b4404a903d57724b39e,1,1,1,1,0,123;%DOCUMENTS%\\;*.txt;50;true;movies:music:mp3:exe;\r\nEach operation is separated by the ; delimiter.\r\nC2 Communication - Operations Configuration\r\nAs mentioned, the operations are separated by the ; delimiter. First section:\r\n1,1,1,1,1,b36abae611984b4404a903d57724b39e,1,1,1,1,0,123\r\nMost of these comma-separated values are flags that say which data should be harvested:\r\n|Index|Flag|Description|\r\n|---|---|---|\r\n|1|1|Local Passwords|\r\n|2|1|Cookies|\r\n|3|1|Crypto Wallets|\r\n|4|1|Browser History|\r\n|5|1|Telegram Data|\r\n|6|b36abae611984b4404a903d57724b39e|Exfil Token|\r\n|7|1|Steam Data|\r\n|8|1|Discord Data|\r\n|9|1|Screenshot|\r\n|10|1|Possible Grabber|\r\n|11|0|File Size Limit|\r\n|12|123|Profile ID|\r\nSecond section: the grabber activity folder.\r\nThird section: the file extensions the grabber will harvest.\r\nFourth section: file size limit in KB.\r\nFifth section: recursive harvesting.\r\nSixth section: excluded file extensions.\r\nAdditionally Vidar creates a profile of the victim machine by harvesting OS info, RAM, CPU, active processes etc., and sends information.txt alongside the harvested data. Note the Path field in the sample below: the payload reports the legitimate .NET compiler vbc.exe, the process the loader injected into, so vbc.exe making outbound connections is the host-side signal to look for:\r\nVersion: 2.4\r\nDate: 12/2/2023 11:15:46\r\nMachineID: 
4cfb5922-b036-4c14-9ed1-03c0dad19fbd\r\nGUID: {d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\r\nHWID: 12ac9eab3d083674480464-4cfb5922-b036-4c14-9ed1-a0e3-806e6f6e6963\r\nPath: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe\r\nWork Dir: In memory\r\nWindows: Windows 10 Pro [x64]\r\nInstall date: 8/12/2021 0:18:31\r\nAV: Unknown\r\nComputer Name: IYMUGYHL\r\nUser Name: Admin\r\nDisplay Resolution: 1280x720\r\nDisplay Language: en-US\r\nKeyboard Languages: English (United States)\r\nLocal Time: 12/2/2023 11:15:47\r\nTimeZone: UTC-0\r\n[Hardware]\r\nProcessor: Intel Core Processor (Broadwell)\r\nCores: 2\r\nThreads: 2\r\nRAM: 4095 MB\r\nVideoCard: Microsoft Basic Display Adapter\r\n[Processes]\r\n- System [4]\r\n- Registry [92]\r\n- smss.exe [348]\r\n- csrss.exe [436]\r\n- wininit.exe [512]\r\n- csrss.exe [520]\r\n- winlogon.exe [604]\r\n- services.exe [644]\r\n- lsass.exe [656]\r\n- fontdrvhost.exe [764]\r\n- fontdrvhost.exe [772]\r\n- svchost.exe [780]\r\n- svchost.exe [884]\r\n- svchost.exe [932]\r\n- dwm.exe [1016]\r\n- svchost.exe [60]\r\n- svchost.exe [720]\r\n- svchost.exe [640]\r\n- svchost.exe [1044]\r\n- svchost.exe [1052]\r\n- svchost.exe [1140]\r\n- svchost.exe [1192]\r\n- svchost.exe [1208]\r\n- svchost.exe [1232]\r\n- svchost.exe [1316]\r\n- svchost.exe [1384]\r\n- svchost.exe [1432]\r\n- svchost.exe [1452]\r\n- svchost.exe [1504]\r\n- svchost.exe [1572]\r\n- svchost.exe [1604]\r\n- svchost.exe [1616]\r\n- svchost.exe [1712]\r\n- svchost.exe [1740]\r\n- svchost.exe [1840]\r\n- svchost.exe [1876]\r\n- svchost.exe [1900]\r\n- svchost.exe [1952]\r\n- svchost.exe [1968]\r\n- spoolsv.exe [1296]\r\n- svchost.exe [1944]\r\n- svchost.exe [2064]\r\n- svchost.exe [2100]\r\n- sihost.exe [2288]\r\n- svchost.exe [2296]\r\n- taskhostw.exe [2436]\r\n- svchost.exe [2488]\r\n- svchost.exe 
[2496]\r\n- OfficeClickToRun.exe [2552]\r\n- svchost.exe [2560]\r\n- svchost.exe [2616]\r\n- svchost.exe [2656]\r\n- svchost.exe [2668]\r\n- svchost.exe [2676]\r\n- svchost.exe [2976]\r\n- explorer.exe [3048]\r\n- svchost.exe [2832]\r\n- dllhost.exe [3248]\r\n- StartMenuExperienceHost.exe [3356]\r\n- RuntimeBroker.exe [3416]\r\n- dllhost.exe [3456]\r\n- SearchApp.exe [3568]\r\n- RuntimeBroker.exe [3688]\r\n- RuntimeBroker.exe [4652]\r\n- svchost.exe [4340]\r\n- svchost.exe [1892]\r\n- svchost.exe [3392]\r\n- svchost.exe [4424]\r\n- svchost.exe [4680]\r\n- sppsvc.exe [1096]\r\n- svchost.exe [1260]\r\n- svchost.exe [2544]\r\n- WmiPrvSE.exe [1348]\r\n- SppExtComObj.Exe [2532]\r\n- svchost.exe [2596]\r\n- svchost.exe [3020]\r\n- upfc.exe [4400]\r\n- svchost.exe [1632]\r\n- H\u0026M Advertising contract and Payment information.pdf.scr [4396]\r\n- vbc.exe [1684]\r\n[Software]\r\nGoogle Chrome [89.0.4389.114]\r\nMicrosoft Edge [92.0.902.67]\r\nMicrosoft Edge Update [1.3.167.21]\r\nMicrosoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 [11.0.61030.0]\r\nJava Auto Updater [2.8.66.17]\r\nMicrosoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 [14.30.30704.0]\r\nMicrosoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 [14.30.30704.0]\r\nMicrosoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 [12.0.40660.0]\r\nMicrosoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 [12.0.40660]\r\nMicrosoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 [9.0.30729.6161]\r\nAdobe Acrobat Reader DC [19.010.20069]\r\nMicrosoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 [11.0.61030]\r\nMicrosoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 [11.0.61030]\r\nMicrosoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 [14.30.30704]\r\nMicrosoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 [11.0.61030.0]\r\nMicrosoft Visual C++ 2013 x86 Minimum 
Runtime - 12.0.40660 [12.0.40660]\r\nMicrosoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 [12.0.40660.0]\r\nMicrosoft Visual C++ 2010 x86 Redistributable - 10.0.40219 [10.0.40219]\r\nMicrosoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 [14.30.30704]\r\nC2 Communication - Data Exfiltration\r\nAfter harvesting everything, Vidar compresses the harvested data into a zip archive, base64-encodes it and sends it out, together with some more data, as a multipart/form-data POST in the following format (the field names profile, profile_id, hwid, token and file are a good hook for a network detection):\r\n------{random_generated_delimiter}\r\nContent-Disposition: form-data; name=\"profile\"\r\n{BOT_ID}\r\n------{random_generated_delimiter}\r\nContent-Disposition: form-data; name=\"profile_id\"\r\n{PERSONAL_ID}\r\n------{random_generated_delimiter}\r\nContent-Disposition: form-data; name=\"hwid\"\r\n{COMPUTER_HWID}\r\n------{random_generated_delimiter}\r\nContent-Disposition: form-data; name=\"token\"\r\n{EXFIL_TOKEN}\r\n------{random_generated_delimiter}\r\nContent-Disposition: form-data; name=\"file\"\r\n{BASE64_ENCODED_ARCHIVE}\r\nPost Exfiltration Self Termination\r\nAfter exfiltrating the data, Vidar spawns a cmd command that waits 6 seconds and then deletes the payload file, ending its own execution:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c timeout /t 6 \u0026 del /f /q Vidar.exe \u0026 exit\r\nSummary\r\nVidar is a well known stealer that has been active for the past years and is constantly updated by its developers. In this blog we’ve covered most of Vidar’s functions and how it was delivered to its victims.\r\nQuick note: this is my first “in depth” writeup of a malware sample, so any feedback would be appreciated; you can always PM me on Twitter (0xToxin).\r\nYara Rule\r\nThe rule is updated up to version 2.4, which was recently revamped from version 5X.X (more info can be 
found\r\nhere)\r\nrule win_Vidar\r\n{\r\n    meta:\r\n        author = \"0xToxin\"\r\n        description = \"Vidar stealer strings and functions\"\r\n        Date = \"20-02-2022\"\r\n    strings:\r\n        $dll1 = \"vcruntime140.dll\" ascii wide\r\n        $dll2 = \"softokn3.dll\" ascii wide\r\n        $dll3 = \"nss3.dll\" ascii wide\r\n        $dll4 = \"msvcp140.dll\" ascii wide\r\n        $dll5 = \"mozglue.dll\" ascii wide\r\n        $dll6 = \"freebl3.dll\" ascii wide\r\n        $dll7 = \"sqlite3.dll\" ascii wide\r\n        $c2Fetch1 = \"t.me\" ascii wide\r\n        $c2Fetch2 = \"steamcommunity.com\" ascii wide\r\n        $stringDec = {\r\n            68 ?? ?? ?? 00\r\n            68 ?? ?? ?? 00\r\n            B9 ?? ?? 00 00\r\n            E8 ?? ?? ?? ??\r\n            68 ?? ?? ?? 00\r\n            68 ?? ?? ?? 00\r\n            B9 ?? ?? 00 00\r\n            A3 ?? ?? ?? ??\r\n        }\r\n    condition:\r\n        uint16(0) == 0x5a4d and 3 of ($dll*) and 1 of ($c2Fetch*) and #stringDec \u003e= 15\r\n}\r\nThe DLL names and the t.me / steamcommunity.com strings also occur in plenty of legitimate software, so the rule leans on the string-decryption call pattern ($stringDec: the two pushes, the mov ecx with the length, the call to the decryption routine and the store of its result to a global), requiring at least 15 occurrences, to keep false positives down.\r\nYou can also see the YARA hunt results on UnpackMe.\r\nIOCs\r\nSamples:\r\nH\u0026M Corporation Advertising Contract.zip -\r\n4d9697358936b516ecd2dd96687649fc1a8b1e8fd4529961dfa49513c85b42c5\r\nH\u0026M Advertising contract and Payment information.pdf.scr -\r\n203b08962eba219761690043281f81fc2d6e1fa26702bfa4ad30d9849b267309\r\nvidar.bin - dd15f493fc13d00bb1abc0ac20bb0f7dc44632e71b4fcde1c2889fc34dff6c14\r\nFetching URLs (dead-drop resolvers):\r\nhttps://steamcommunity.com/profiles/76561199476091435\r\nhttps://t.me/gurutist\r\nC2s:\r\n195.201.44.125\r\n23.88.36.149:80\r\n95.216.164.28:80\r\nReferences\r\neln0ty, Vidar Analysis\r\nn1ghtw0lf, Emotet Analysis\r\ncocomelonc, VirtualAllocExNuma AV evasion\r\nSource: https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/"
	],
	"report_names": [
		"Vidar-Stealer-Campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42701e0a901c6ad514f1fec00be5343261d9d0ff.pdf",
		"text": "https://archive.orkl.eu/42701e0a901c6ad514f1fec00be5343261d9d0ff.txt",
		"img": "https://archive.orkl.eu/42701e0a901c6ad514f1fec00be5343261d9d0ff.jpg"
	}
}