{
	"id": "72954321-5a3b-4b02-8cb3-3388428ea1ab",
	"created_at": "2026-04-06T01:30:32.161201Z",
	"updated_at": "2026-04-10T13:12:36.94103Z",
	"deleted_at": null,
	"sha1_hash": "64b8a51148ebdceccfa19cb7751f79f977325790",
	"title": "Vidar - payload inspection with static analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2837577,
	"plain_text": "Vidar - payload inspection with static analysis\r\nBy Alessandro Strino\r\nPublished: 2023-10-25 · Archived: 2026-04-06 00:21:52 UTC\r\nBehind this post\r\nIn this blog post I am going to talk about one of the latest Vidar samples I had the chance to analyze. The payload is part of a campaign delivered in July 2023 through PEC (Italian certified e-mail) messages, and the analysis starts from a CERT-AGID post published in the same period. Even if the payload may look dated, it is still a valid starting point for the analysis of more recent ones.\r\nThe purpose of this article is to give an overview of Vidar and help people tracking this threat to deal with it properly. It is also an excuse to tinker a little with IDA and show a possible solution to common issues that come up when dealing with highly obfuscated malware.\r\nStatic Analysis\r\nOpening the Vidar sample in IDA, it is immediately clear that it contains a number of obfuscated strings and some garbage code that prevents analysts from examining the sample directly. 
More precisely, it was possible to identify three functions, analyzed in this blog post, that are in charge of:\r\nDetecting execution inside a VM;\r\nDetecting “default settings”;\r\nDecrypting strings.\r\nFigure 1 - Vidar main function with garbage code\r\nAnti-Analysis implementation\r\nIn this sample there are three main functions that perform anti-analysis checks.\r\nhttps://viuleeenz.github.io/posts/2023/10/vidar-payload-inspection-with-static-analysis/\r\nPage 1 of 9\r\nThe first one is implemented through VirtualAllocExNuma, which requests an allocation bound to a specific NUMA node: the call fails on emulators and sandboxes that do not implement the NUMA API, so a failed allocation is taken as a sign that the sample is not running on a real system with a physical CPU:\r\nFigure 2 - Call to VirtualAllocExNuma for physical CPU controls.\r\nAnother technique that prevents payload execution is related to the number of processors available on the machine, which is required to be at least 2 (the dwNumberOfProcessors field of the SYSTEM_INFO structure filled in by GetSystemInfo):\r\nFigure 3 - Call to GetSystemInfo for the processor count check\r\nThe last checks that have been identified are related to the username and computer name currently in use. In particular, there are two comparisons that verify whether the username is John Doe and whether the computer name is HAL9TH.\r\nIt turns out that Microsoft Defender’s sandbox computer name is HAL9TH, so you can check for the computer name in your malware before detonation; if the name matches HAL9TH, it means you’re inside Defender’s sandbox, so you can make your program exit.\r\nFigure 4 - Checking for “specific settings”\r\nIf one of those checks fails, the payload calls ExitProcess(0), terminating its execution.\r\nDecryption routine\r\nAs already mentioned, the Vidar payload contains a number of encrypted strings, both to slow down analysis and probably to evade some monitoring solutions. 
Because of that, there is a function in charge of retrieving the plaintext associated with each encrypted string.\r\nFigure 5 - Encrypted Strings\r\nThe function is fairly easy to spot, especially by looking at the number of times it is called and at its signature, which suggests a quite simple decryption procedure:\r\ndecryption_routine(encrypted_string, key, length)\r\nAs expected, the decryption routine is not hard to understand: it iterates over the key length and XORs the bytes of encrypted_string with the bytes of key.\r\nFigure 6 - Decryption routine\r\nFigure 7 - String decrypted\r\nIt is worth noting that IDA has a few limitations: sometimes it does not perform proper variable renaming and, because of the obfuscation, a few instructions may be misinterpreted. An effective way to keep track of the decrypted values is therefore to locate the offset of each decryption call and append a comment with the plaintext. That way we have a reference that can be used later on to rename the variable accordingly.\r\nKeeping that in mind, the analysis can be sped up by writing an IDAPython script that takes care of those strings.\r\nFixing Functions\r\nAs mentioned above, obfuscation can confuse IDA, leading it to misinterpret instructions or preventing it from recognizing a function. In this sample, at the end of main there is a jump to a location that is not currently interpreted as a function. However, looking at the strings and the references into that part of the text section, it is clearly an error on IDA’s side.\r\nFigure 8 - Mis-interpreted function\r\nTo fix that, it is possible to select the block of code and force IDA to treat it as a function. 
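The two IDA fixes described above, commenting each decryption call with its plaintext and forcing a function over the block at the end of main, can both be scripted. The block below is an added example written for this page, not the post's own ida_vidar_string_decrypt.py. Its decryption core assumes the routine XORs byte i of the ciphertext with key[i mod len(key)] for length bytes and that decrypted strings are NUL-padded; the call-site table and the addresses in it are constructed for the demo and are not taken from the sample; the IDA calls (idc.set_cmt, ida_funcs.add_func) only run when the script is loaded inside IDA.

```python
# Added example, not the ida_vidar_string_decrypt.py script from the post.
# Pure-Python core (decrypt + comment text) that can be tested outside IDA,
# plus thin wrappers that call the real IDA API only when run inside IDA.
#
# Assumptions not stated in the post: the routine XORs byte i of the
# ciphertext with key[i mod len(key)] for `length` bytes, and decrypted
# strings are NUL-padded. The call-site table and the addresses in it are
# constructed for this demo and do not come from the sample.

try:
    import idc
    import ida_funcs
    IN_IDA = True
except ImportError:   # running outside IDA (tests, quick checks)
    IN_IDA = False


def decrypt_string(encrypted, key, length):
    '''Mirror of decryption_routine(encrypted_string, key, length).'''
    if not key:
        raise ValueError('empty key')
    if length > len(encrypted):
        raise ValueError('length exceeds ciphertext size')
    out = bytearray(length)
    for i in range(length):
        out[i] = encrypted[i] ^ key[i % len(key)]
    return bytes(out)


def to_text(raw):
    '''Strip NUL padding; fall back to a hex dump when the result is not
    printable ASCII (a wrong key or length shows up here immediately).'''
    clean = raw.rstrip(bytes([0]))
    text = clean.decode('ascii', errors='replace')
    if text and all(32 <= ord(c) < 127 for c in text):
        return text
    return 'hex:' + clean.hex()


def annotate(call_sites):
    '''call_sites: iterable of (call_ea, encrypted, key, length).
    Returns {call_ea: plaintext}. Inside IDA, also writes a repeatable
    comment at each call so the plaintext shows up in cross references.'''
    results = {}
    for ea, enc, key, length in call_sites:
        text = to_text(decrypt_string(enc, key, length))
        results[ea] = text
        if IN_IDA:
            idc.set_cmt(ea, 'decrypted: ' + text, 1)
    return results


def force_function(start_ea, end_ea=None):
    '''Create a function over a block IDA did not recognize (the jump target
    at the end of main). Returns False outside IDA so the caller knows
    nothing was changed.'''
    if not IN_IDA:
        return False
    if end_ea is None:
        end_ea = idc.BADADDR
    return bool(ida_funcs.add_func(start_ea, end_ea))


# Constructed demo table: (call_ea, ciphertext, key, length).
# 0x401000 decrypts to 'ExitProcess' (key 'ab', 11 bytes);
# 0x401020 decrypts to 'HAL9TH' followed by two NUL bytes (key 'xyz', 8 bytes).
SAMPLE_CALL_SITES = [
    (0x401000, bytes.fromhex('241a081631100e01041112'), b'ab', 11),
    (0x401020, bytes.fromhex('303836412d327879'), b'xyz', 8),
]


if __name__ == '__main__':
    for ea, text in annotate(SAMPLE_CALL_SITES).items():
        print(f'{ea:08X}  {text}')
    # Hypothetical address of the block IDA mis-interpreted; no-op outside IDA.
    print('function created:', force_function(0x401100))
```

Inside IDA, load it with File > Script file after filling SAMPLE_CALL_SITES with the real call addresses and arguments (collected, for example, from the cross references to the decryption routine); outside IDA it only prints the decrypted values, which is a cheap way to validate the XOR assumption against Figure 7 before writing anything into the database.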
However, this practice is not always painless. It is still possible to run into cases where IDA is not able to interpret all the code correctly. An example is given in the figure below, where the pseudocode contains JUMPOUT and MEMORY references, meaning that part of the function’s code is being treated as data.\r\nFigure 9 - Function interpreted as data\r\nThis issue can be solved by fixing the byte related to the JUMPOUT target, but in order not to lose focus on our main tasks it will probably be discussed in a dedicated post.\r\nNevertheless, we now have all the pieces to complete our static analysis and dig into the malicious activities performed by this malware.\r\nAdditional Analysis\r\nString decryption was an effective way to extract IOCs from this Vidar sample. Examining those strings we can see that, as expected, it works as an infostealer, collecting browser data (credentials stored locally) and data from several installed programs. At the time of writing it supports most of the commonly used browsers, such as Chrome, Firefox, Opera and Tor.\r\nAnother interesting feature is the Chrome extension check, which aims to verify whether specific extensions are installed. 
The monitored extensions are mainly related to crypto wallets and password managers.\r\nFigure 10 - Monitored Chrome extensions\r\nNetwork Communication\r\nFrom the functions related to network communication it is possible to reconstruct the structure of the multipart POST request used for exfiltration, which can be monitored and used as an indicator of compromise for this actor:\r\nContent-Disposition: form-data; name=\u003cVidar_parameter\u003e\r\nThe parameters observed are:\r\nID: bot identifier;\r\nHWID: an identifier that uniquely identifies the machine (used to detect multiple infections from the same machine, which may indicate analysis attempts by a researcher);\r\nToken: a token exfiltrated from the victim’s machine;\r\nFile: an archive of all the information gathered from the victim’s machine.\r\nFigure 11 - POST request structure\r\nReferences\r\nSample: 556f8b06b92ddbc4008dea5298eab3934c61647a1cd7333a9087c37cc5a75456 (SHA256), MalwareBazaar\r\nIDAPython script: ida_vidar_string_decrypt.py\r\nMicrosoft Defender’s Sandbox: BlackHat 2018 detailed analysis\r\nIOCs\r\nNetwork indicators\r\nhttps://t.]me/game4serv\r\nhttps://steamcommunity.]com/profiles/76561199523054520\r\nhttp://bigsnowstone.]com/\r\nTargets\r\nBrowsers: Mozilla Firefox, Pale Moon, Google Chrome, Chromium, Amigo, Torch, Comodo Dragon, Epic Privacy Browser, Vivaldi, CocCoc, Cent Browser, TorBro Browser, Chedot Browser, Brave_Old, 7Star, Microsoft Edge, 360 Browser, QQBrowser, Opera, OperaGX, CryptoTab Browser, Brave\r\nBrowser Extensions - Wallets: TronLink, Meta, BinanceChainWallet, Yoroi, NiftyWallet, MathWallet, Coinbase, Guarda, EQUALWallet, JaxxLiberty, BitAppWallet, iWallet, Wombat, MewCx, GuildWallet, RoninWallet, NeoLine, CloverWallet, LiqualityWallet, Terra_Station, Keplr, Sollet, AuroWallet, PolymeshWallet, ICONex, Harmony, EVER Wallet, KardiaChain, Rabby, Phantom, BraveWallet, PaliWallet, BoltX, Xdefi, Nami, MaiarDeFiWallet, WavesKeeper, Solflare, CyanoWallet, KHC, TezBox, Temple, Goby, RoninWalletEdge\r\nAuthenticator/Password Manager: Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager\r\nDesktop Programs: LevelDB, Thunderbird, Telegram, WinSCP, IndexedDB, Steam, Jaxx_Desktop, Binance Desktop, Bitcoin Core, Bitcoin Core Old, Raven Core, Ledger Live, Blockstream, Wasabi Wallet, Daedalus Mainnet\r\nSource: https://viuleeenz.github.io/posts/2023/10/vidar-payload-inspection-with-static-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://viuleeenz.github.io/posts/2023/10/vidar-payload-inspection-with-static-analysis/"
	],
	"report_names": [
		"vidar-payload-inspection-with-static-analysis"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439032,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64b8a51148ebdceccfa19cb7751f79f977325790.pdf",
		"text": "https://archive.orkl.eu/64b8a51148ebdceccfa19cb7751f79f977325790.txt",
		"img": "https://archive.orkl.eu/64b8a51148ebdceccfa19cb7751f79f977325790.jpg"
	}
}