When I first got this sample I thought it was a new variant of AZORult, because many of the strings and some of the code are identical, but this sample has features AZORult lacks and vice versa. The family is known as Vidar, an information stealer that collects sensitive data about the machine, browsers, cryptocurrency wallets and more.
Kill Switch:
The first part of the malware is a kill switch: it exits if the LocaleName is one of the following:
ru-RU - Russian
be-BY - Belarusian
uz-UZ - Uzbek
kk-KZ - Kazakh
az-AZ - Azerbaijani
resource: http://www.lingoes.net/en/translator/langcode.htm
If the LocaleName is not in that list, it creates a mutex whose name is derived from the HardwareGUID and MachineGUID of the infected machine.
figure 1: the kill switch
Other Behavior:
It then initializes a set of strings and commands that can be used as IOCs for this malware.
figure 2: part of string initialization
figure 3: the folder generated for the stolen information
Then it contacts the URL "http://ip-api.com/line/" to retrieve network information about the infected machine and logs it to "information.txt".
figure 4: retrieving network information
The "files/information.txt" also contains several other pieces of sensitive information about the infected machine, all of which is later sent to the C&C server. The way it collects this data is interesting: most of it is read from the registry or obtained through Windows API calls.
figure 5: information.txt
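As an added example (not from the original post and not code from the Vidar sample), here is how the plain-text response of ip-api.com's /line/ endpoint can be parsed into the kind of network record that ends up in information.txt. The field order is assumed from ip-api's documented default field set, the failure layout (a status line followed by a message line) is an assumption, and the response string is constructed:

```python
# Assumed default field order of http://ip-api.com/line/ (one value per line).
IP_API_LINE_FIELDS = [
    "status", "country", "countryCode", "region", "regionName", "city", "zip",
    "lat", "lon", "timezone", "isp", "org", "as", "query",
]

# Constructed response using TEST-NET/documentation values; not a real capture.
CONSTRUCTED_RESPONSE = "\n".join([
    "success", "United States", "US", "CA", "California", "Mountain View",
    "94043", "37.4056", "-122.0775", "America/Los_Angeles", "Example ISP",
    "Example Org", "AS64496 Example", "203.0.113.7",
]) + "\n"


def parse_ip_api_line(body: str) -> dict:
    """Turn the newline-separated /line/ response into a dict.

    On 'fail' the service is assumed to return only a status and a message,
    so the field list above does not apply and we keep just those two.
    """
    lines = body.strip().split("\n")
    if not lines or lines[0] != "success":
        return {"status": lines[0] if lines else "",
                "message": lines[1] if len(lines) > 1 else ""}
    if len(lines) != len(IP_API_LINE_FIELDS):
        raise ValueError(f"expected {len(IP_API_LINE_FIELDS)} lines, got {len(lines)}")
    rec = dict(zip(IP_API_LINE_FIELDS, lines))
    # lat/lon are the only numeric fields; everything else stays a string.
    rec["lat"], rec["lon"] = float(rec["lat"]), float(rec["lon"])
    return rec


def network_section(rec: dict) -> str:
    """Render the record as key/value lines, the general shape a stealer logs to
    information.txt (the exact layout Vidar uses is not reproduced here)."""
    if rec.get("status") != "success":
        return f"IP lookup failed: {rec.get('message', '')}\n"
    keys = ("query", "country", "city", "isp", "timezone")
    return "".join(f"{k}: {rec[k]}\n" for k in keys)


if __name__ == "__main__":
    print(network_section(parse_ip_api_line(CONSTRUCTED_RESPONSE)), end="")
```

From the defender's side the request itself is the useful signal: an HTTP GET to ip-api.com/line/ issued by a process that is not a browser is worth an alert, independent of what the stealer writes to disk.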
It also steals data from several known cryptocurrency wallets: Ethereum, Electrum, ElectronCash, Exodus, MultiDoge and JAXX.
figure 6: wallet parsing
figure 7: checking substring in wallet.dat
figure 8: creating screenshots
figure 9: parsing credentials in different browsers
figure 10: nss3.dll for parsing sqlite db of browser
figure 11: deleting footprints
Then it sends a POST request to its C&C server containing a zip archive of all the logs it collected from the infected machine.
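To make the browser-harvesting step concrete, here is an added example (my own code, not the post's or the sample's) that runs the two SQL statements the YARA rule at the end of the post keys on, "SELECT host, name, value FROM moz_cookies" (Firefox cookies.sqlite) and a query ending in "card_number_encrypted FROM credit_cards" (Chrome's "Web Data"), against a constructed in-memory database. The table schemas are a subset of the real ones and the column list in front of card_number_encrypted is an assumption; the rows are constructed:

```python
import sqlite3

# Constructed rows shaped like the tables the stealer reads (not real data).
SAMPLE_COOKIES = [
    ("accounts.example.com", "session", "abc123"),
    ("shop.example.net", "cart", "item=42"),
]
SAMPLE_CARDS = [
    ("guid-1", "Jane Doe", 12, 2027, b"v10\x00constructed-ciphertext"),
]

COOKIE_QUERY = "SELECT host, name, value FROM moz_cookies"            # YARA $s1
CARD_QUERY = ("SELECT name_on_card, expiration_month, expiration_year, "
              "card_number_encrypted FROM credit_cards")              # contains YARA $s3


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for cookies.sqlite + Web Data (assumed subset of the schemas)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT);
        CREATE TABLE credit_cards (guid TEXT PRIMARY KEY, name_on_card TEXT,
                                   expiration_month INTEGER, expiration_year INTEGER,
                                   card_number_encrypted BLOB);
    """)
    conn.executemany("INSERT INTO moz_cookies (host, name, value) VALUES (?, ?, ?)", SAMPLE_COOKIES)
    conn.executemany("INSERT INTO credit_cards VALUES (?, ?, ?, ?, ?)", SAMPLE_CARDS)
    conn.commit()
    return conn


def snapshot(live: sqlite3.Connection) -> sqlite3.Connection:
    """Copy a live database into a fresh in-memory one via the SQLite backup API.

    A running browser keeps its databases open/locked, so stealers copy the file
    before querying it; that copy into the stealer's working folder is itself a
    host artifact worth hunting for.
    """
    copy = sqlite3.connect(":memory:")
    live.backup(copy)
    return copy


def harvest_cookies(conn: sqlite3.Connection) -> list:
    return conn.execute(COOKIE_QUERY).fetchall()


def harvest_cards(conn: sqlite3.Connection) -> list:
    # card_number_encrypted is returned as stored: Chrome encrypts it with a key
    # protected by DPAPI, so reading the row is only the first half of the theft.
    return conn.execute(CARD_QUERY).fetchall()


if __name__ == "__main__":
    db = snapshot(build_sample_db())
    for host, name, value in harvest_cookies(db):
        print(f"cookie {host} {name}={value}")
    for name_on_card, month, year, blob in harvest_cards(db):
        print(f"card {name_on_card} {month}/{year} ciphertext={blob!r}")
```

The sqlite3 module is enough to read these files; the nss3.dll loading seen in figure 10 is needed for the Firefox credential store, whose entries are encrypted by NSS rather than stored in the clear.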
Conclusion:
This malware shows some interesting techniques for grabbing sensitive information from a Windows system, taking advantage of several browser and wallet data stores.
IOC:
SHA1: 29818d101ebd8216bcaf627b4a5a0bcb753343ad
SHA256: 076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c
YARA:
import "pe"

rule vidar_win32_unpack {
    meta:
        author = "tcontre"
        description = "detecting vidar unpack malware"
        date = "2019-03-11"
        sha256 = "076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c"
    strings:
        // PE header magic, anchored at offset 0 in the condition
        $mz = { 4d 5a }
        // SQL the stealer runs against browser databases, plus its version banner
        $s1 = "SELECT host, name, value FROM moz_cookies" fullword
        $s2 = "Vidar Version:" fullword
        $s3 = "card_number_encrypted FROM credit_cards" fullword
        // Mozilla crypto libraries it loads to decrypt Firefox credentials
        $c0 = "softokn3.dll" fullword
        $c1 = "nss3.dll" fullword
        $c2 = "mozglue.dll" fullword
        $c3 = "freebl3.dll" fullword
        // code pattern; the four ?? bytes are a relative call target
        $code1 = { C6 45 FC 30 E8 ?? ?? ?? ?? 83 78 14 08 C6 45 FC 31 72 02 }
    condition:
        ($mz at 0) and all of ($s*) and 2 of ($c*) and all of ($code*)
}
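The rule is meant to be run with YARA itself, but as an added example (my own code, not the post's) the condition can be re-implemented in Python to show what its pieces mean: "$mz at 0" anchors the match at offset 0, "fullword" requires the string to be bounded by non-alphanumeric bytes, "??" in a hex string is a one-byte wildcard, and "2 of ($c*)" counts how many of a group matched. The buffer it runs over is constructed to look like a stripped-down PE with the indicators in it; it is not the Vidar sample:

```python
import re

RULE_STRINGS = {  # all of these must match
    "$s1": b"SELECT host, name, value FROM moz_cookies",
    "$s2": b"Vidar Version:",
    "$s3": b"card_number_encrypted FROM credit_cards",
}
RULE_LIBS = {  # at least two of these must match
    "$c0": b"softokn3.dll",
    "$c1": b"nss3.dll",
    "$c2": b"mozglue.dll",
    "$c3": b"freebl3.dll",
}
CODE_PATTERN = "C6 45 FC 30 E8 ?? ?? ?? ?? 83 78 14 08 C6 45 FC 31 72 02"


def hex_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a YARA hex string with ?? wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def fullword_present(data: bytes, s: bytes) -> bool:
    """YARA 'fullword': the match may not be preceded or followed by [A-Za-z0-9]."""
    pat = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")
    return pat.search(data) is not None


def matches_vidar_rule(data: bytes) -> bool:
    """Same logic as the rule's condition, evaluated over a byte buffer."""
    if not data.startswith(b"MZ"):                      # ($mz at 0)
        return False
    if not all(fullword_present(data, s) for s in RULE_STRINGS.values()):  # all of ($s*)
        return False
    if sum(fullword_present(data, s) for s in RULE_LIBS.values()) < 2:      # 2 of ($c*)
        return False
    return hex_pattern_to_regex(CODE_PATTERN).search(data) is not None      # all of ($code*)


def build_constructed_sample(libs=(b"nss3.dll", b"softokn3.dll")) -> bytes:
    """Constructed buffer: MZ header, NUL-separated strings, and the code pattern
    with an arbitrary 4-byte call displacement. Not the real sample."""
    code = bytes.fromhex("C645FC30E8" "DEADBEEF" "83781408C645FC317202")
    blobs = list(RULE_STRINGS.values()) + list(libs) + [code]
    return b"MZ" + b"\x00" * 62 + b"\x00".join(blobs) + b"\x00"


if __name__ == "__main__":
    print("constructed sample matches:", matches_vidar_rule(build_constructed_sample()))
```

Two things the re-implementation makes visible: the rule needs two of the four Mozilla DLL names, so an unpacked build that only references nss3.dll would not fire, and "fullword" means a DLL name embedded inside a longer identifier (for example "xnss3.dll") does not count.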
Article Link: https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html