Infor Stealer Vidar TrojanSpy Analysis...

When I first got this malware sample, I thought this is a new variant of azorult because the strings, some code are really the same but this malware does some features that azorult not and vice versa. This malware family is known to be named as VIDAR that try to steal some sensitive information of the machine, browser, bitcoin wallet and etc.

Kill Switch:

The first part of this malware is a kill switch where it will exit its code if the LocaleName is either of the following: 
ru-Ru - Russian
be-BY - Belarusian
uz-UZ - Uzbekistan
 kk-KZ - Kazakhstan
 az-AZ - Azerbaijan
resource: http://www.lingoes.net/en/translator/langcode.htm

If LocaleName is not of those list, it will create a Mutex name base on the HardwareGUID & machineGUID of the infected machine.

figure 1: the Kill switch

Other Behavior:

It will now initialized a bunch of strings and commands that can be use as IOC for this malware.

figure 2: part of string initialization

Then it will generate a random folder name in %programdata% directory and create a "files" folder inside it, that will contain all the information it will parse in the infected machine.

figure 3: the generated folder for  the information it steal.

then it will try to contact "http://ip-api.com/line/" to retrieve some network information of the infected machine and log it to a  "information.txt".

figure 4: retrieving network information

 The "files/information.txt" also contains several sensitive information of the infected machine that will be soon send to its C&C server. The way it parse this stuff is really interesting, most of them are parse within registry or by using Windows API.

figure 5: information.txt

It also has a features to steal some known bitcoin wallet: Ethereum, Electrum, ElectronCash, Exodus, MultiDoge, JAXX.

figure 6: bitcoin wallet parsing

It also do some sub-string check in wallet.dat for noteworthy strings.

figure 7: checking substring in wallet.dat

Can do some screenshots of the infected machine.

figure 7: creating screenshots

It also tries to parse some credentials within different browsers.

figure 9: parsing credentials in different browsers

and for browsers that using sql database for saving cookies, log-in information, history and etc. it will download several normal dll file from its C&C server to execute SQL command to parse those information.

figure 10: nss3.dll for parsing sqlite db of browser

after parsing all the sensitive information, it will delete all those dll's to erase its footprints in the machine.

figure 11: delete foot prints

it also has a function where it enumerate the outlook signature and look for "Password entry".

Then it it will send a post command to its C&C server that contains the zip of all logs it parsed in the infected machine.

Conclusion:  

This malware really show some interesting stuff how to grab some sensitive information within a windows system where it taking advantage several data keeps by browser, bitcoin wallet and many more.

IOC :

Sha1: 29818d101ebd8216bcaf627b4a5a0bcb753343ad
Sha256: 076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c

YARA :

import "pe"

rule vidar_win32_unpack {
    meta:
        author =  "tcontre"
        description = "detecting vidar unpack malware"
        date =  "2019-03-11"
        sha256 = "076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c"
 
    strings:
        $mz = { 4d 5a }
     
        $s1 = "SELECT host, name, value FROM moz_cookies" fullword     
        $s2 = "Vidar Version:" fullword
        $s3 = "card_number_encrypted FROM credit_cards" fullword

        $c0 = "softokn3.dll" fullword
        $c1 = "nss3.dll" fullword
        $c2 = "mozglue.dll" fullword
        $c3 = "freebl3.dll" fullword

        $code1 = { C6 45 FC 30 E8 ?? ?? ?? ?? 83 78 14 08 C6 45 FC 31 72 02 }
              
    condition:
        ($mz at 0) and all of ($s*) and 2 of ($c*) and all of ($code*)
     
    }