{
	"id": "843b2971-0d02-4aa4-9b6b-43e38e5abac2",
	"created_at": "2026-04-06T00:15:01.681099Z",
	"updated_at": "2026-04-10T03:20:20.199009Z",
	"deleted_at": null,
	"sha1_hash": "a25ae77546f44e0a66bf4098198d6c59007f0473",
	"title": "eSentire Threat Intelligence Malware Analysis: Vidar Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 14942471,
	"plain_text": "eSentire Threat Intelligence Malware Analysis: Vidar Stealer\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 13:38:45 UTC\r\nVidar Stealer is an information stealer (infostealer) malware that first appeared on hacking forums at the end of\r\n2018. It’s typically spread through the use of drive-by social engineering techniques wherein the victim visits a\r\nmalicious webpage and unknowingly downloads the malware payload. In comparison to other infostealers, Vidar\r\nStealer has a significantly higher subscription price largely due to its successful infection rate (above 75%) and the\r\nfact that new domains for the payloads are renewed in 3-4 days.\r\nThis malware analysis delves deeper into the technical details of how the Vidar Stealer malware operates and our\r\nsecurity recommendations to protect your organization from being exploited.\r\nKey Takeaways\r\nIn 2022, Vidar Stealer was the second most used infostealer malware on the Dark Web, based on the\r\nnumber of logs sold in Dark Web forums, meaning that threat actors are both having success with\r\ndeploying the stealer into networks and spreading the stealer across the Internet.\r\nBased on our analysis, Vidar Stealer does not include country checks, which means it is able to infect\r\ncountries within The Commonwealth of Independent States (CIS).\r\nThe threat actor(s) are actively using social media accounts to host their Command and Control (C2)\r\nservers.\r\nThe current versions of Vidar Stealer do not store the exfiltrated data on the victims’ disk.\r\nNew versions of Vidar Stealer use XOR string encryption instead of RC4. Each string is encrypted with a\r\ndifferent XOR key.\r\nThe new version of Vidar Stealer (56.1) includes Signal Messenger for data exfiltration.\r\nCase Study: Vidar Stealer\r\neSentire Threat Response Unit (TRU) has observed numerous Vidar infections in enterprise software, Retail,\r\nBusiness Services, and Real Estate industries. 
We have also observed the stealer being delivered in a BatLoader\r\ncampaign upon successful infection. The stealer is also capable of deleting itself after the infection.\r\nThe first mention of the stealer appeared on hacking forums at the end of 2018 (Figure 1).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer\r\nPage 1 of 30\n\nFigure 1: Vidar Stealer seller’s post translated from Russian\r\nThe Vidar Stealer subscription price is significantly higher than other stealers such as Redline, Mars Stealer and\r\nRaccoon Stealer (Figure 2).\r\nFigure 2: Subscription price for Vidar Stealer\r\nIn a forum post, the malware author explained the high subscription price due to multiple features that include:\r\nThe successful infection rate (successful log delivery), which is also commonly called “otstuk”\r\n(“отстук”) among native Russian speakers, is above 75%.\r\nNew domains for the builders (payloads) are renewed once in 3-4 days with the previous ones remaining\r\nintact.\r\nThe feature of the stealer generating and hosting its own domains/IPs for the builders makes it very convenient\r\nfor the buyers, as there is no need to spin up a VPS server and maintain it to receive the logs, compared to other\r\nstealers.\r\nVidar Stealer is commonly confused with a variant of Arkei Stealer due to the code similarities, but the developer\r\nclaims that Arkei and Vidar are not related to each other. In December 2022, based on the Dark Web marketplace\r\nknown as ‘Russianmarket’, Vidar Stealer was the second most used stealer on the Dark Web, with Redline Stealer\r\nbeing the number one stealer (Figure 3).\r\nFigure 3: Number of logs being sold on russianmarket\r\nAll the stolen logs are then sent to the Admin panel that is browser-based. 
The end-user would need an invitation\r\ncode to register and purchase the subscription without directly interacting with the seller on Telegram (Figure 4).\r\nFigure 4: Vidar Stealer C2 Panel\r\nVidar Stealer spreads through drive-by downloads – users visit the website hosting a malicious stealer payload;\r\ntypically fake cracked software or fake installers. The stealer also uses GitHub as a repository to host the\r\npayloads. That way the attacker(s) will receive the direct link to the payload file that they can send over to installer\r\nbots/providers (services that provide the mass spreading of the payload) (Figure 5).\r\nFigure 5: Manual for uploading stealer payloads to GitHub (translated from Russian in-browser)\r\nIt is worth mentioning that most Vidar Stealer users are using installer services to spread the stealer, which was\r\nlikely the case with the Vidar stealer infection in Ukraine reported by CERT-UA, where the user visited the fake\r\nAdvanced IP Scanner landing page.\r\nVidar Stealer Panel Review\r\nOne of the main sections of the panel is Settings, where the threat actor can specify what additional information\r\nthey want to exfiltrate from the infected host, including Telegram logs, cryptocurrency wallets, browser history and\r\ndownloads, screenshots, Steam, and Discord logs (Figure 6).\r\nFigure 6: Settings panel\r\nThe grabber module allows an attacker to harvest files under the following folders (Figure 7):\r\n%DESKTOP%\r\nC:\\Users\\\u003cusername\u003e\\Documents\r\n%DRIVE_FIXED% (all drives on the machine)\r\n%DRIVE_REMOVABLE% (removable drives)\r\n%USERPROFILE%\r\n%APPDATA%\r\n%LOCALAPPDATA%\r\nC:\\Program Files (x86)\r\nC:\\Program Files\r\nC:\\Users\\\u003cusername\u003e\\Recent\r\nFigure 7: Grabber module\r\nThe 
stealer contains a non-resident loader module. There are two kinds of loaders that are commonly mentioned\r\nby Russian native speakers:\r\nNon-resident loader – the loader deletes itself after successful infection.\r\nResident loader – upon starting, the loader creates persistence on the infected host via Registry Run\r\nKeys, the Startup folder, and service creation.\r\nThe loader module only supports .exe binaries that are grabbed from the URL the attacker specifies. The attacker\r\ncan specify to which countries the loader applies (Figure 8).\r\nFigure 8: Loader module\r\nThe stealer builder is constantly getting updated, including the “Defender cleaning”, which means that the builder\r\ngets modified once a week so Windows Defender is less likely to detect it (Figure 9).\r\nFigure 9: Builder updates\r\nThe logs panel allows the malicious actor to easily navigate through logs and access them directly within the\r\nportal without having to download them to their machine (Figure 10).\r\nFigure 10: Logs panel enabling attacker(s) to view the host information, screenshot and retrieved\r\nfiles directly in-browser\r\nThe Services section automatically parses the stolen data including banking information, SMTP, Cpanel and\r\nWordPress credentials (Figure 11).\r\nFigure 11: Services section\r\nCompromised credentials for Cpanel and WordPress can be bought and used by other malicious actor(s) to spread\r\ntheir malware via drive-by downloads.\r\nOne of the main features of Vidar Stealer is that it provides malicious users an option to set up their own domains\r\n(Figures 12-13), which are known as “gaskets” or “pads”.\r\nFigure 12: 
Personal Domain Configuration Tab\r\nPads, or gaskets, are intermediate servers that the stealer communicates with as its Command and Control (C2)\r\nserver and sends the exfiltrated logs to. The standard ports for C2 communications are HTTP/80 and HTTPS/443.\r\nThe malicious actor can host the C2 server on Telegram or Mastodon as the pads. Telegram and Mastodon allow\r\nthe user to change the IPs on the fly by editing the profile description. With Telegram, the malicious actor can\r\ncreate a channel and add the IP and port in the description, for example hello http://IP:80| (Figure 13).\r\nFigure 13: Instruction on how to set up the personal pad\r\nAn example of an attacker’s Telegram C2 channel is shown in Figure 14.\r\nFigure 14: Attacker's Telegram channel\r\nExamples of Mastodon websites where an attacker can host their C2 include:\r\nhttps://c.im/\r\nhttps://indieweb.social/\r\nhttps://busshi.moe/\r\nhttps://koyu.space/\r\nhttps://mastodon.online/\r\nhttps://ioc.exchange/\r\nhttps://nerdculture.de/\r\nThe scheme works the same way as for Mastodon; an attacker inputs their C2 IP into the profile description field\r\nas shown in Figure 15. The threat actors have also been using Steam and TikTok accounts to host the C2.\r\nFigure 15: Attacker's C2 on the site running with Mastodon engine\r\nVidar Stealer Binary Review\r\nThe Vidar Stealer binary is written in the C++ programming language. The payload generated from the Vidar Stealer Panel\r\ncontains strings that are encoded with XOR keys. The XOR key is different for each string. 
In the binaries we\r\nhave observed on clients’ environments (MD5: 810aa0d8faf41720af07153258c05b77), most payloads were using\r\nRC4 for string encryption.\r\nWe assume that the payloads with RC4 encryption are from the older version. Figure 16 compares the decompiled\r\ncode containing the encoding/encryption functions of the Vidar payload generated from the panel (on the left) with\r\nthe one that we have observed on infected machines (on the right).\r\nFigure 16: Encoding/encryption from two Vidar samples\r\nThe second binary contains an embedded RC4 key as shown in Figure 17. The encrypted hex strings are base64-encoded.\r\nFigure 17: Embedded RC4 key from the second payload\r\nInterestingly enough, both payloads still have unencrypted strings embedded in the payloads (Figure 18), including\r\nthe cryptocurrency browser extensions and some crypto wallets, the attacker’s C2, the text files generated from\r\ncollecting the user’s browsing data, etc.\r\nFigure 18: Plaintext strings observed in the second payload\r\nWe will proceed with the analysis of the payload generated from the C2 panel with the builder version 55.6, which is\r\nthe latest one at the time of writing the report. The payloads we have observed on the infected hosts from the\r\nBatLoader campaign are on version 54.7.\r\nThere are two XOR-decryption tables in the binary: one is responsible for decrypting the API functions and\r\nsandbox name checks, the other table decrypts the rest of the stealer strings. In order to complete this analysis, we\r\nwrote a script to decrypt the strings within the stealer binary. 
The stealer searches for the cryptowallet extensions\r\nin Chrome browser and extracts the CURRENT file within the %appdatalocal%\\Google\\Chrome\\User\r\nData\\Default\\Local Extension Settings\\\u003cextension_name\u003e directory (Figure 19).\r\nFigure 19: XOR tables\r\nVidar is also enumerating JSON and wallet.dat files (Figure 20).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer\r\nPage 12 of 30\n\nFigure 20: Function responsible for cryptowallet extension search\r\nThe JSON file is also known as Keystore file that stores the private key of the cryptowallet in an encrypted format.\r\nThe wallet DAT file contains transaction information, key metadata, private \u0026 public keys, and can be in an\r\nunencrypted or encrypted format. If it is encrypted but protected with a weak password, the attacker may be able\r\nto crack it (Figure 21).\r\nFigure 21: Cryptowallet search (wallet DAT files)\r\nThe list of cryptowallet extensions that Vidar attempts to steal:\r\nCryptowallet Name Browser Extension\r\nTronLink ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nMetaMask nkbihfbeogaeaoehlefnkodbefgpgknn\r\nBinanceChainWallet fhbohimaelbohpjbbldcngcnapndodjp\r\nYoroi ffnbelfdoeiohenkjibnmadjiehjhajb\r\nNiftyWallet jbdaocneiiinmjbjlgalhcelgbejmnid\r\nMathWallet afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nCoinbcase hnfanknocfeofbddgcijnmhnfnkdnaad\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer\r\nPage 13 of 30\n\nGuarda hpglfhgfnhbgpjdenjgmdgoeiappafln\r\nEQUALWallet blnieiiffboillknjnepogjhkgnoapac\r\nJaxxLiberty cjelfplplebdjjenllpjcblmjkfcffne\r\nBitAppWallet fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\niWallet kncchdigobghenbbaddojjnnaogfppfj\r\nWombat amkmjjmmflddogmhpjloimipbofnfjih\r\nMewCx / Enkrypt nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nGuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj\r\nRoninWallet fnjhmkhhmkbjkkabndcnnogagogbneec\r\nRoninWalletEdge kjmoohlgokccodicjjfebfomlbljgfhk\r\nNeoLine 
cphhlgmgameodnhkjdmkpanlelnlohao\r\nCloverWallet (CLV Wallet) nhnkbkgjikgcigadomkphalanndcapjk\r\nLiqualityWallet kpfopkelmapcoipemfendmdcghnegimn\r\nTerra Station aiifbnbfobpmeekipheeijimdpnlpgpp\r\nKeplr dmkamcknogkgcdfhhbddcghachkejeap\r\nSollet fhmfendgdocmcbmfikdcogofphimnkno\r\nAuroWallet cnmamaachppnkjgnildpdmkaakejnhae\r\nPolymeshWallet jojhfeoedkpkglbfimdfabpdfjaoolaf\r\nICONex flpiciilemghbmfalicajoolhkkenfel\r\nHarmony fnnegphlobjdpkhecapkijjdkgcjhkib\r\nCoin98 aeachknmefphepccionboohckonoeemg\r\nEVER Wallet cgeeodpfagjceefieflmdfphplkenlfk\r\nKardiaChain pdadjkfkgcafgbceimcpbkalnfnepbnk\r\nRabby acmacodkjbdgmoleebolmdjonilkdbch\r\nPhantom bfnaelmomeimhlpmgjnjophhpkkoljpa\r\nBrave Wallet odbfpeeihdkbihmopkbjmoonfanlbfcl\r\nMetaMask ejbalbakoplchlghecdalmeeeajnimhm\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer\r\nPage 14 of 30\n\nOxygen (Atomic) fhilaheimglignddkjgofkcbgekhenbh\r\nPaliWallet mgffkfbidihjpoaomajlbgchddlicgpn\r\nBoltX aodkkagnadcbobfpggfnjeongemjbjca\r\nXdefiWallet hmeobnfnfcmdkdcmlblgagmfpfboieaf\r\nNamiWallet lpfcbjknijpeeillifnkikgncikgfhdo\r\nMaiarDeFiWallet dngmlblcodfobpdpecaadgfbcggfjfnm\r\nWavesKeeper lpilbniiabackdjcionkobglmddfbcjo\r\nSolflare bhhhlbepdkbapadjdnnojkbgioiodbic\r\nCyanoWallet dkdedlpgdmmkkfjabffeganieamfklkm\r\nKHC hcflpincpppdclinealmandijcmnkbgn\r\nTezBox mnfifefkajgofkcjkemidiaecocnkjeh\r\nTemple ookjlbkiijinhpmnjffcofjonbfbgaoc\r\nGoby jnkelfanjkeadonecabehalmbgpfodjm\r\nAdditionally, the stealer grabs the leveldb files and wallet folder for Jaxx, Daedalus Mainnet, Wasabi,\r\nBlockstream, Dogecoin, Binance, Ravencoin, and Ledger Live cryptowallets.\r\nFor Mozilla Firefox password decryption process, the stealer looks for files such as cookies.sqlite,\r\nformhistory.sqlite, logins.json, and places.sqlite:\r\nCookies.sqlite – stores the cookies.\r\nFormhistory.sqlite – stores the forms that the user has entered webpages.\r\nLogins.json – stores the encrypted usernames 
and passwords.\r\nPlaces.sqlite – stores the bookmarks, browsing history and keywords.\r\nIf cookies.sqlite is found, the stealer then proceeds to use SQLite to extract the cookies using the query SELECT\r\nhost, isHttpOnly, path, isSecure, expiry, name, and value FROM moz_cookies (the moz_cookies table contains the\r\ncookie information) (Figure 22).\r\nFigure 22: Extracting the cookies\r\nThen, it will proceed to look for formhistory.sqlite and if the latter is found, the stealer starts extracting the\r\nAutofill data using SQLite functions and outputs the data in a text file for exfiltration (Figure 23).\r\nFigure 23: The stealer proceeds with extracting the Autofill data if the form.sqlite is found\r\nAfter successfully decrypting the password, Vidar stealer appends the “Soft:” (Browser name) and “Host:”\r\n(domain) fields to the text file along with the extracted logins and passwords.\r\nFor logins.json, the stealer calls the NSS_Init() function that initializes the NSS library and extracts the parameters\r\nsuch as encryptedUsername, encryptedPassword, formSubmitURL. The stealer then proceeds with decrypting the\r\nfields using the NSS library cryptography functions such as PK11SDR_Decrypt, PK11_GetInternalKeySlot and\r\nPK11_Authenticate (Figure 24).\r\nFigure 24: Decrypting the encrypted data within logins.json\r\nTo extract browsing history, the stealer utilizes the query SELECT url FROM moz_places (the moz_places table contains the\r\nlist of the URLs that the user visited). 
After successfully extracting the browsing data, the stealer appends them to\r\na History.txt file (Figure 25).\r\nFigure 25: Extracting the browsing data\r\nIt’s worth noting that prior to decrypting the browser credentials and cookies and extracting sensitive information, the\r\nstealer looks for the profiles.ini file under %appdata%\\mozilla\\firefox\\profiles\\ (Mozilla Firefox),\r\n%appdata%\\Moonchild Productions\\Pale Moon\\Profiles\\ (Pale Moon), %appdata%\\Thunderbird\\Profiles\\\r\n(Thunderbird). The .INI file contains the user profile information. Vidar stealer then gets the DLL\r\ndependencies such as vcruntime140.dll, softokn3.dll, nss3.dll, msvcp140.dll, mozglue.dll, and freebl3.dll (Figure\r\n26).\r\nFigure 26: Getting the profile.ini and DLL dependencies\r\nMost stealers require the mentioned dependencies to function properly. You can refer to our blog on Mars Stealer\r\nto read about the DLLs mentioned. The DLL dependencies are downloaded from the C2 server within a ZIP\r\narchive; the ZIP archive name contains 19 random hexadecimal numbers and it is extracted to the ProgramData folder.\r\nPlease note that the ZIP archive can also carry the name “update.zip” if the threat actor decides to set up and\r\nhost their personal panel.\r\nTo extract FileZilla credentials, the stealer reads the recentservers.xml file on the host. The passwords are base64-encoded,\r\nso all the threat actor needs to do is decode them to cleartext to further abuse the victims’ accounts.\r\nFileZilla stores credentials in two places: recentservers.xml saves the credentials that were entered via the quick\r\nconnect bar, and sitemanager.xml saves the credentials that were configured within the site manager. 
After successfully\r\nextracting the credentials, the data will be saved in the format:\r\nSoft: FileZilla\r\nHost: :port\r\nLogin:\r\nPassword:\r\nThe stealer also retrieves sensitive files from Authy Desktop (a two-factor authentication application) such as the .log,\r\nMANIFEST, LOG, LOCK and CURRENT files under the path AppData\\Roaming\\Authy Desktop\\Local\r\nStorage\\leveldb and copies them to the Soft\\Authy Desktop folder that will be archived to be sent to the attacker.\r\nBesides Authy Desktop, the stealer also exfiltrates data from the Google Authenticator browser extension, EOS\r\nAuthenticator, and GAuth Authenticator (Figure 27).\r\nFigure 27: Vidar Stealer extracts Authy Desktop sensitive data\r\nVidar will exfiltrate data from Telegram, Discord, Chrome, and Steam in the following ways:\r\nTelegram: Vidar Stealer exfiltrates files such as key_datas, maps, A7FDF864FBC10B77,\r\nA92DAA6EA6F891F2, F8806DD0C461824F (Telegram encrypted data files) from the\r\nAppData\\Roaming\\Telegram Desktop\\tdata folder. The attacker can then attempt to decrypt the files and\r\nextract sensitive information. The exfiltrated data is written to the \\Soft\\Telegram\\ folder.\r\nDiscord: The stealer retrieves the files under AppData\\Roaming\\discord\\Local Storage\\leveldb and\r\nAppData\\Roaming\\discord\\Session Storage\\leveldb, then it attempts to extract Discord tokens that will be\r\nwritten to \\Soft\\Discord\\discord_tokens.txt.\r\nChrome: In order to decrypt credentials saved in Chrome, the stealer retrieves the AES encrypted key\r\n(encrypted_key) in Google\\Chrome\\User Data\\Local State.\r\nSteam: The stealer queries the registry value SteamPath under\r\nHKEY_CURRENT_USER\\Software\\Valve\\Steam to obtain the full path to Steam on the machine. 
Then it\r\nstarts retrieving the SSFN, config.vdf, DialogConfig.vdf, DialogConfigOverlay.vdf, libraryfolders.vdf, and\r\nloginusers.vdf files that contain sensitive information. By obtaining the SSFN files, the attacker can bypass\r\nSteam Guard and gain full access to the account, provided that the attacker was also able to obtain the user’s\r\ncredentials.\r\nWith version 56.1, Vidar also added data exfiltration for Signal Messenger.\r\nAs previously mentioned, Vidar Stealer has a loader module that allows a malicious actor to push additional\r\nmalware onto the machine. The additional malware retrieved from a C2 with the help of the loader module will be\r\nplaced under the ProgramData folder.\r\nFirst, the stealer checks if the URL to retrieve the payload is up and running (status code 200). If the link is valid,\r\nthe malware writes the secondary payload to the host; if not, the stealer sleeps for 1000 milliseconds (Figure\r\n28).\r\nFigure 28: Loader module\r\nAn emulation check is also present within the Vidar Stealer binary. The binary retrieves the name of the local\r\ncomputer and the username, and if they match the “HAL9TH” or “JohnDoe” strings respectively, the binary will exit.\r\nThe mentioned values are used by the Windows Defender emulator (Figure 29).\r\nFigure 29: Emulation check\r\nThe stealer exfiltrates WinSCP credentials by looking up the Sessions value name under\r\nHKEY_CURRENT_USER\\Software\\Martin Prikryl\\WinSCP 2\\Sessions. 
But first, it checks whether the user is using a\r\nmaster password for WinSCP; if not, it proceeds with extracting the username and encrypted password values.\r\nThe decryption function and the function responsible for extracting WinSCP credentials are shown in Figure 30.\r\nFigure 30: Extracting WinSCP Sessions data and decrypting the passwords\r\nThe stealer is not able to decrypt the passwords if WinSCP is protected with a master password and will then only\r\nbe able to extract usernames.\r\nCredit card information can also be extracted from browsers via SQLite functions. For example, the stealer would\r\nlook for the \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data path and extract the credit card\r\ninformation with the query SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted\r\nFROM credit_cards, then it calls the functions BCryptDecrypt and CryptUnprotectData to decrypt the data.\r\nBesides the sensitive data exfiltration, the stealer also gathers the host information including:\r\nMachineID – the stealer locates the value under SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\r\nGUID – the GUID is retrieved by calling the GetCurrentHwProfileA function, which retrieves the\r\ninformation about the hardware profile\r\nHWID – Figure 31 shows how the first 12 hexadecimal values are calculated based on the Volume Serial\r\nNumber that is retrieved via the GetVolumeInformationA function. 
Later the stealer appends 10 digits to it,\r\nand part of the GUID and MachineID values are also added to the HWID, which makes it unique to each\r\ninfected host.\r\nFigure 31: HWID calculation\r\nThe host information also contains the path from which the stealer was executed, as well as the OS version, computer\r\nname, username, display resolution, display language, keyboard languages, local time, time zone, hardware\r\ninformation, running processes and the list of software installed on the host (Figure 32).\r\nFigure 32: Gathered host information that is sent out to C2\r\nVidar Stealer 3.6-3.7 Update\r\nStarting from version 3.6, which was released in April 2023, Vidar users can generate builds with embedded DLL\r\ndependencies. This has increased the size of the builds to 2.9MB, but it means that the DLL dependencies no\r\nlonger need to be retrieved from the C2 server. Instead, the ZIP archive containing the dependencies is already\r\nembedded within the executable.\r\nThis reduces the amount of suspicious network traffic. After extraction, the DLLs will be\r\nplaced under the C:\\ProgramData folder. 
Vidar users now also have the option to disable the self-deletion feature for\r\nthe stealer after successful execution, starting from update 3.7.\r\nFigure 33: Vidar Stealer updates\r\nFigure 34: Embedded ZIP archive with DLL dependencies within the executable\r\nWith the latest build, the threat actor also switched from using XOR to using RC4 encryption with a hardcoded\r\nkey in the binary.\r\nFigure 35: Hardcoded RC4 key\r\nWe wrote the IDAPython string decryption script for the latest Vidar Stealer build as well as the configuration\r\nextractor script.\r\nVidar Stealer C2 Communication\r\nAs mentioned before, Vidar Stealer uses HTTP/HTTPS for C2 communication. First, the infected machine receives\r\nthe ZIP archive from the C2 that contains the DLL dependencies. The dependencies are extracted under the ProgramData\r\nfolder.\r\nThe stealer configuration is also shown in the PCAP below (Figure 33). The configuration includes the grabber\r\nparameters. In our example, the stealer exfiltrates the .txt files under the Documents folder and excludes\r\n‘movies:music:mp3’. 50 KB is the maximum size of a file that the stealer grabs.\r\nFigure 36: Stealer configuration\r\nThe exfiltrated data is compressed in a ZIP archive and base64-encoded (Figure 37, in red). The POST data also\r\ncontains the profile value and profile ID, which are hardcoded within the binary, and the token value (Figure 37).\r\nFigure 37: POST data including the exfiltrated data\r\nHow eSentire is Responding\r\nOur Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to\r\ncreate practical outcomes for our customers. 
We are taking a comprehensive response approach to combat modern\r\ncybersecurity threats by deploying countermeasures, such as:\r\nPerforming global threat hunts for indicators associated with Vidar Stealer.\r\nImplementing threat detections to identify malicious command execution and ensure that eSentire has\r\nvisibility and detections are in place across eSentire MDR for Endpoint.\r\nOur detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center)\r\nanalysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and\r\nProcedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and\r\nconducts retroactive threat hunts to assess customer impact.\r\nRecommendations from eSentire’s Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against Vidar Stealer\r\nmalware:\r\nConfirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.\r\nImplement a Cyber Phishing and Security Awareness Training (PSAT) Program that educates and informs\r\nyour employees on emerging threats in the threat landscape.\r\nEncourage your employees to use password managers instead of using the password storage feature\r\nprovided by web browsers. Use master passwords where it’s applicable.\r\nWhile the TTPs used by threat actor(s) grow in sophistication, they lead to a certain level of difficulties at which\r\ncritical business decisions must be made. 
Preventing the various attack techniques and tactics utilized by the\r\nmodern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint\r\ndetections, and the ability to investigate logs \u0026 network data during active intrusions.\r\neSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat\r\nintelligence and leverage new machine learning models that correlate multi-signal data and automate rapid\r\nresponse to advanced threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and\r\nput your business ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an\r\neSentire Security Specialist.\r\nAppendix\r\nhttps://cert.gov.ua/article/2724253\r\nhttps://twitter.com/ankit_anubhav/status/1588073956606550018?s=20\u0026t=cEI8GPRjfTd4FYqbzi3pWA\r\nhttps://twitter.com/ankit_anubhav/status/1595664080479535104?s=46\u0026t=agmu8eh2vry7HB3A78Ga5Q\r\nhttps://github.com/RussianPand...\r\nhttps://twitter.com/crep1x/status/1593360365240389633?s=20\u0026t=DADIky1LQTUvElJ2ZfnYcA\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer\r\nhttps://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getcurrenthwprofilea\r\nhttps://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getvolumeinformationa\r\nhttps://github.com/RussianPanda95/IDAPython/blob/main/Vidar/Vidar_Stealer_3.7_RC4_string_decryption.py\r\nhttps://github.com/RussianPand...\r\nYara Rule\r\nrule Vidar_DLL_embedded {\r\n meta:\r\n author = \"eSentire Threat Intelligence\"\r\n description = \"Vidar Stealer with embedded DLL dependencies\"\r\n date = \"5/2/2023\"\r\n strings:\r\n $s = {50 4B 03 04 14 00 00 00 08 00 24 56 25 
55 2B 6D 5C 08 39 7C 05}\r\n $a1 = \"https://t.me/mastersbots\"\r\n $a2 = \"https://steamcommunity.com/profiles/76561199501059503\"\r\n $a3 = \"%s\\\\%s\\\\Local Storage\\\\leveldb\"\r\n $a4 = \"\\\\Autofill\\\\%s_%s.txt\"\r\n $a5 = \"\\\\Downloads\\\\%s_%s.txt\"\r\n $a6 = \"\\\\CC\\\\%s_%s.txt\"\r\n $a7 = \"Exodus\\\\exodus.wallet\"\r\n condition:\r\n $s and 5 of ($a*)\r\n}\r\nIndicators of Compromise\r\nName | Indicator\r\nVidar Stealer payload | 810aa0d8faf41720af07153258c05b77\r\nC2 | 95.217.27[.]240\r\nC2 | 88.198.89[.]6\r\nC2 | 168.119.167[.]188\r\nC2 | 78.46.160[.]87\r\nVidar Stealer payload | 783597870319e8fc1c818c5f13e28a0d\r\nMITRE ATT\u0026CK\r\nTactic | ID | Technique | Description\r\nInitial Access | T1189 | Drive-by Compromise | Vidar Stealer is delivered via malicious websites hosting fake cracked or pirated software.\r\nExecution | T1204.002 | User Execution: Malicious File | The user launches the malicious file.\r\nDefense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | The stealer checks for the “HAL9TH” computer name and the “JohnDoe” user name used by the Windows Defender emulator.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | Vidar Stealer deletes itself from the machine after successful execution.\r\nCredential Access | T1555; T1555.003 | Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers | Vidar Stealer steals sensitive data from browsers including credentials, cookies and saved credit cards. It also steals SMTP, WordPress and FTP credentials.\r\nDiscovery | T1033; T1518; T1057; T1614.001; T1082 | System Owner/User Discovery; Software Discovery; Process Discovery; System Location Discovery: System Language Discovery; System Information Discovery | The stealer enumerates the host for the username and hardware information, running processes and installed applications, as well as keyboard and display languages.\r\nCollection | T1113 | Screen Capture | The stealer takes a screenshot of the infected machine and sends it to the C2.\r\nExfiltration | T1020 | Automated Exfiltration | The stealer automatically exfiltrates the gathered files to the C2; some file-grabbing options can be customized by the attacker.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. 
TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer"
	],
	"report_names": [
		"esentire-threat-intelligence-malware-analysis-vidar-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a25ae77546f44e0a66bf4098198d6c59007f0473.pdf",
		"text": "https://archive.orkl.eu/a25ae77546f44e0a66bf4098198d6c59007f0473.txt",
		"img": "https://archive.orkl.eu/a25ae77546f44e0a66bf4098198d6c59007f0473.jpg"
	}
}