{
	"id": "dcde736a-96f0-4414-b771-1b3f6a661e8c",
	"created_at": "2026-04-06T00:09:35.24525Z",
	"updated_at": "2026-04-10T03:36:48.452709Z",
	"deleted_at": null,
	"sha1_hash": "91381e6c55aff079f406b2887bcc43e247a1d119",
	"title": "Deep Analysis of Vidar Information Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2589775,
	"plain_text": "Deep Analysis of Vidar Information Stealer\r\nBy Abdallah Elnoty\r\nPublished: 2022-02-06 · Archived: 2026-04-05 15:24:20 UTC\r\nVidar (forked from Arkei info stealer) is very popular info stealer written in C++.\r\nWhat does it steal?\r\nThe malware has all the kinds of classic features of stealers:\r\nStealing browser Data (auto-fill, history, cookies - credit cards)\r\nStealing Crypto mining wallets\r\nStealing data from 2FA software like Authy\r\nSearching for specific documents\r\nTelegram notifications\r\nScreenshot\r\nGet a complete snapshot of all information of the computer victim\r\nVidar’s clients have access to a C2 Shop portal where they are able to generate their own payloads. So there is no\r\nmanagement on their side. For this in-depth analysis, I will inspect the 49.7 version of Vidar.\r\nBefore starting, I want to thank my friend @_ n1ghtw0lf because he helped me a lot to write this report.. Let’s\r\nstart ^_^\r\nVidar overviewPermalink\r\nSHA256: 532BC078A68683CE70CB765191A128FADEE2A23180B1A8E8A16B72F1A8EE291A\r\nI will give a brief overview of how Vidar operates then I will go into details in the upcoming sections.\r\nThis is the basic config from Hatching sandbox.\r\nVidar collects All important data from victim’s device then Uploads them to C2 server and delete these files from\r\nthe device with taskkill.exe\r\nhttps://eln0ty.github.io/malware%20analysis/vidar/\r\nPage 1 of 22\n\nThe collection will be something like that (I got it from sandbox so I lost some data because sandbox doesn’t\r\ncontain everything)\r\ncompress them in .zip file to be ready for uploading.\r\nYou can watch this video which describes the operation from server side.\r\nSample Preparation (strings \u0026 dlls)Permalink\r\nI faced some problems in my sample, all strings are encrypted and dlls are dynamic allocated.\r\nVidar tries to decrypt it with the first function before starting any 
process.\r\nDecrypt strings\r\nThe encryption algorithm is pretty easy and straightforward. We just do text = xor(key, cipher) for every\r\nencrypted text, automating it with IDAPython.\r\nThis is the script for the mission. “Every section of the code has a comment to make it readable for you”\r\nimport idc\r\n\r\n\r\ndef dec_str(key, data, length):\r\n    # XOR the key bytes against the cipher bytes to recover the plaintext\r\n    res = bytearray()\r\n    for i in range(length):\r\n        res.append(key[i] ^ data[i])\r\n    return res.decode()\r\n\r\n\r\nstart = 0x401301\r\nend = 0x4031E5\r\nea = start\r\naddrs = []\r\ndec = ''\r\nkey = b''\r\ndata = b''\r\nlength = 0\r\nwhile ea \u003c= end:\r\n    # check if the operand is an immediate\r\n    if idc.get_operand_type(ea, 0) == idc.o_imm:\r\n        addrs.append(idc.get_operand_value(ea, 0))\r\n    # get key, data, length (pushed in that order before the decrypt call)\r\n    if len(addrs) == 3:\r\n        length = addrs[0]\r\n        data = idc.get_bytes(addrs[1], length)\r\n        key = idc.get_bytes(addrs[2], length)\r\n        addrs = []\r\n    # comment the decrypted string on the call instruction\r\n    if idc.print_insn_mnem(ea) == \"call\":\r\n        dec = dec_str(key, data, length)\r\n        idc.set_cmt(ea, dec, 1)\r\n    # name the global variable that receives the decrypted string\r\n    if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_mem) and (idc.get_operand_ty\r\n        global_var = idc.get_operand_value(ea, 0)\r\n        idc.set_name(global_var, \"STR_\" + dec, idc.SN_NOWARN)\r\n    # move to the next instruction\r\n    ea = idc.next_head(ea, end)\r\nAfter this step you should see clear plain text. 
Here are the results:\r\n  INSERT_KEY_HERE\r\n  JohnDoe\r\n  HAL9TH\r\n  api.faceit.com\r\n  /core/v1/nicknames/\r\n  about\r\n  Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko)\r\nVersion/6.0 Mobile/10A5376e Safari/8536.25\r\n  C:/ProgramData/\r\n  .exe\r\nLet’s move to the next step…\r\nBuilding imports\r\nVidar uses LoadLibraryA \u0026 GetProcAddress to build its imports dynamically. The following function is\r\nused for this mission.\r\nBut there are no readable APIs. So I wrote an IDAPython script to rename them. The script uses the decrypted\r\nstrings and maps them to the functions to get a clear overview. “You can check it with the debugger”\r\nimport idc\r\n\r\nstart = 0x49978D\r\nend = 0x499B62\r\nea = start\r\napi_names = []\r\nwhile ea \u003c= end:\r\n    # get the GetProcAddress API name (the STR_ global named by the decryption script)\r\n    if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_reg) and (idc.get_operand_ty\r\n        addr = idc.get_operand_value(ea, 1)\r\n        name = idc.get_name(addr)\r\n        if name.startswith(\"STR_\"):\r\n            api_names.append(name)\r\n    # assign the GetProcAddress result to a global variable\r\n    if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_mem) and (idc.print_operand(\r\n        addr = idc.get_operand_value(ea, 0)\r\n        name = api_names.pop(0)\r\n        idc.set_name(addr, \"API_\" + name[4:])\r\n    # move to the next instruction\r\n    ea = idc.next_head(ea, end)\r\nNow you can look and enjoy..\r\nImported DLLs\r\nHere is a list of imported functions:\r\n  bcrypt.dll\r\n      BCryptCloseAlgorithmProvider\r\n      BCryptDestroyKey\r\n      BCryptOpenAlgorithmProvider\r\n      BCryptSetProperty\r\n      BCryptGenerateSymmetricKey\r\n      
BCryptDecrypt\r\nThe malware has been observed, upon execution, to need DLL files during the stealing process for different\r\nkinds of browsers. So it downloads them by connecting to IP 162.55.213.180 via GET request. They are\r\ndeleted when the task is done.\r\nDLL - Description\r\nfreebl3.dll - Freebl Library for the NSS (Mozilla Browser)\r\nmozglue.dll - Mozilla Browser Library\r\nmsvcp140.dll - Visual C++ Runtime 2015\r\nnss3.dll - Network System Services Library (Mozilla Browser)\r\nsoftokn3.dll - Mozilla Browser Library\r\nvcruntime140.dll - Visual C++ Runtime 2015\r\nWell, now our sample is ready to reverse its functionalities. Let’s continue…\r\nC2 Server\r\nC2 IP 162.55.213.180 (real C2)\r\nVidar has 2 profiles on different websites; every profile should have the same IP list. IPs are delimited with | in each\r\nlist.\r\nSo Vidar tries to grab the C2 server IP from one of them (in our case just 1 IP). You can check the profile description.\r\nFirst mastodon.online/@prophef1\r\nSecond koyu.space/@prophef2\r\nVidar tries to connect to the C2 server with its hardcoded profile ID to get the right config:\r\n1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%/;/*.txt:/*.dat:/*wallet/*.*:/*2fa/*.*:/*backup/*.*:/*code/*.*:/*passw\r\nEach part has “;” as its delimiter, so let’s dig into it.\r\nHow to understand the configuration format\r\nIn our example, this is the configuration the malware could get from the C2:\r\nFirst part\r\n1 Saved password\r\n1 Cookies / AutoFill\r\n1 Wallet\r\n1 Internet History\r\n1 ??? – Supposed to be Skype (not implemented)\r\n1 ??? 
– Supposed to be Steam (not implemented)\r\n1 Telegram\r\n1 Screenshot\r\n1 Grabber\r\n1 ???\r\n250 Max Size (kb)\r\nDefault Name of the profile (also used for the archive file in the files repository)\r\nSecond part\r\n%DESKTOP% –\u003e Selected folder repository where the grabber feature will search recursively (or not) for some\r\nselected data\r\nThird part\r\n.txt:/.dat:/wallet/./:/2fa/./:/backup/./:/code/./:/password/./:/auth/./:/google/./:/utc/./:/UTC/./:/crypt/./:/key/.*\r\nFourth part\r\n50 Max Size per file (kb)\r\ntrue Collect Recursively\r\nFifth part\r\nmovies:music:mp3;\r\nThis is the exception part: the grabber will skip any file whose path matches one of those strings when it searches recursively in the\r\nselected folder.\r\nFolder generation\r\nTo summarize, the set of possible files/folders that will be generated for the malicious repository is in fact pretty\r\nsimple:\r\n//files \u003c- Master folder\r\n//files//Autofill \u003c- Auto-Fill files\r\n//files//CC \u003c- Credit Cards\r\n//files//Cookies \u003c- Cookies\r\n//files//Downloads \u003c- Downloaded data history from browsers\r\n//files//Files \u003c- Profile configs (Archives)\r\n//files//History \u003c- Browser histories\r\n//files//Soft \u003c- Master folder for targeted software\r\n//files//Soft//Authy \u003c- 2FA software\r\n//files//Telegram \u003c- Telegram messages\r\n//files//Wallets \u003c- Cryptomining Wallets\r\nGeneral list files\r\n//files/screenshot.jpg \u003c- Actual screenshot of the screen\r\n//files/passwords.txt \u003c- Passwords consolidated all at once\r\n//files//information.txt \u003c- Snapshot of the computer setup\r\n//files//outlook.txt \u003c- Outlook credentials\r\nBrowsers\r\nfirefox\r\nwaterfall\r\nCyberfox\r\nBlackHawk\r\nIceCat\r\nOpera\r\nOperaGX\r\nChromium\r\nKometa\r\nAmigo\r\nTorch\r\norbitum\r\nNichrome\r\nMaxthon 
5\r\nsputnik\r\nCocCoc\r\nUran\r\n7Star\r\nQQBrowser\r\nCryptoTab Browser\r\nBrave\r\nBrave old\r\nOf course, this list could be longer than this if there are other browsers based on the Chromium repository.\r\n2 Factor Authentication software (2FA)\r\nThis technique could also be another door for vulnerabilities because no system is safe, and stealing it will be more\r\nand more common in the future. So with Vidar, the Authy software is targeted.\r\nMore specifically, the SQLite file of the corresponding application in the %APPDATA% repository.\r\nSo guys, don’t fully trust a system, even a security system. Give your privacy all your care.\r\nMessengers\r\noutlook\r\nHere is the data that Vidar steals: extracted from the sandbox machine\r\nThunderbird\r\nTelegram\r\nI won’t describe how Vidar steals them because the process (in depth) is painful and needs another report to\r\nexplain. :)\r\nCrypto Wallets\r\nElectrum\r\nExodus\r\nElectronCash\r\nMultiDoge\r\nJAXX\r\nAtomic\r\nBinance\r\nThis list could change if the customer added some additional files to search for in specific areas of the victim’s machine.\r\nInformation log\r\nTo understand how this file is generated with the corresponding API calls, breakpoint on these APIs if you want to\r\ntake your time to analyze all the steps easily. 
Vidar steals almost all general information about the victim machine and\r\nsaves it in the information.txt file, like:\r\nDate\r\nMachine ID\r\nGUID\r\nHWID\r\nPath\r\nWork DIR\r\nGetting the name of the operating system and platform is classic because this is, in fact, a concatenation of two things.\r\nFirst, Vidar checks if Windows is 32- or 64-bit: it checks whether it is itself running under WOW64 with the help of\r\nIsWow64Process.\r\nSecond, with RegOpenKeyExA, the value of this registry key is fetched:\r\nHKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProductName\r\nHere we can see some of the pretty APIs that we decrypted before the analysis. Let’s continue our analysis…\r\nWindows version, Computer Name, User Name, Display Resolution, Display Language, Keyboard Languages, Local\r\nTime, TimeZone\r\n[Hardware] -\u003e Processor -\u003e CPU Count -\u003e RAM -\u003e VideoCard\r\n[Processes] Get a snapshot of all executing processes using CreateToolhelp32Snapshot \u0026 Process32First \u0026\r\nProcess32Next\r\nAfter checking if it’s a parent process or a child process, Vidar will grab two values of the PROCESSENTRY32\r\nobject: th32ProcessID (the PID) and szExeFile (the name of the PE)\r\nI can’t screenshot every function here, but you can take your time while analyzing it. 
Let’s continue…\r\n[Software] Get the list of all installed software on the machine; the value of this registry key is fetched:\r\nHKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall\r\nThese values are retrieved for each piece of software (DisplayName \u0026 DisplayVersion)\r\nResult\r\nYou can see in the sandbox analysis the generated information.txt and the whole process and connections.\r\nVersion: 49.7\r\nDate: Tue Feb 01 04:37:51 2022\r\nMachineID: 90059c37-1320-41a4-b58d-2b75a9850d2f\r\nGUID: {e29ac6c0-7037-11de-816d-806e6f6e6963}\r\nHWID: 90059c37-1320-41a4-b58d-816d-806e6f6e6963\r\nPath: C:/Users/admin/AppData/Local/Temp/vidar.exe\r\nWork Dir: C:/ProgramData/GI3PPKTM8AJDIRUF0RKXBSEQV\r\nWindows: Windows 7 Professional [x86]\r\nComputer Name: USER-PC\r\nUser Name: admin\r\nDisplay Resolution: 1280x720\r\nDisplay Language: en-US\r\nKeyboard Languages: English (United States)\r\nLocal Time: 1/2/2022 4:37:51\r\nTimeZone: UTC-0\r\n[Hardware]\r\nProcessor: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz\r\nCPU Count: 4\r\nRAM: 3583 MB\r\nVideoCard: Standard VGA Graphics Adapter\r\n[Processes]\r\n---------- System [4]\r\n------------------------------ smss.exe [260]\r\n- csrss.exe [544]\r\n- vidar.exe [1988]\r\n\u003c ... \u003e\r\n[Software]\r\nVLC media player [3.0.11]\r\nWinRAR 5.91 (32-bit) [5.91.0]\r\n\u003c ... \u003e\r\nOther payloads\r\nVidar can download an executable file and execute it with ShellExecuteA.\r\nFirst Download\r\nThen Execute\r\nKill Task\r\nVidar uses taskkill.exe to kill the process. So when all the tasks of the stealer are finally accomplished and cleaned up, the\r\nstealer needs to erase itself. 
So first of all, it retrieves its own PID with the help of GetCurrentProcessId.\r\nWhen the request is finely crafted, Vidar simply uses ShellExecuteA to pop a command shell and execute the\r\ntask; this erases all traces of the payload’s interaction with the machine and deletes all downloaded DLLs.\r\nThe full command:\r\n\"C:/Windows/System32/cmd.exe\" /c taskkill /im vidar.exe /f \u0026 timeout /t 6 \u0026 del /f /q \"C:/Users/admin/AppData/L\r\nExfiltration\r\nFile Generation\r\nI don’t fully understand how the malware generates the file name, but it consists of ‘Machine ID + ??(random digits)\r\n+ .zip’\r\nThese, at least, are all the different Content-Disposition names that will be added to the HTTP request.\r\nhwid - Hardware ID\r\nos - Operating System\r\nplatform - 32 or 64 bits System\r\nprofile - C2 Profile ID\r\nuser - Name of the victim account\r\ncccount - Number of Credit Cards stolen\r\nccount - Number of Coins Stolen (CryptoWallet)\r\nfcount - Number of files stolen\r\nver - The version of the Vidar malware\r\nConclusion\r\nVidar always tries to steal as much of your data as it can, and its tasks vary from one version to another. It was hard and\r\nexciting, and I want to mention “This is my first tech 
report” and I will write more and more.\r\nFinally, remember you can watch the video that I linked in the intro to see how it works from the server side.\r\nYara Rules\r\nrule Vidar_Stealer : Vidar\r\n{\r\n    meta:\r\n        Author = \"eln0ty\"\r\n        Description = \"Rule to detect Vidar\"\r\n        Date = \"Feb 5, 2022\"\r\n    strings:\r\n        $mz = \"MZ\"\r\n        $s1 = \"1BEF0A57BE110FD467A\" ascii\r\n        $s2 = \"Version: %s\" ascii\r\n        $s3 = \"Date: %s\" ascii\r\n        $s4 = \"MachineID: %s\" ascii\r\n        $s5 = \"GUID: %s\" ascii\r\n        $s6 = \"HWID: %s\" ascii\r\n    condition:\r\n        ($mz at 0) and (all of ($s*))\r\n}\r\nSource: https://eln0ty.github.io/malware%20analysis/vidar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://eln0ty.github.io/malware%20analysis/vidar/"
	],
	"report_names": [
		"vidar"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434175,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91381e6c55aff079f406b2887bcc43e247a1d119.pdf",
		"text": "https://archive.orkl.eu/91381e6c55aff079f406b2887bcc43e247a1d119.txt",
		"img": "https://archive.orkl.eu/91381e6c55aff079f406b2887bcc43e247a1d119.jpg"
	}
}