Vidar Malware Analysis

The script creates the %LOCALAPPDATA% directory if it doesn't already exist. The Out-Null cmdlet suppresses any output to maintain stealth during execution.

This establishes the target location where the malware payload will be saved.

The script executes three critical commands:

1. Download: Retrieves the malware from https://vx-events.com/build.exe. If this fails, the process terminates.
2. Folder Hiding: Conceals the C:\Users\<user>\AppData\Local directory from standard view.
3. File Hiding: Hides the downloaded executable C:\Users\<user>\AppData\Local\updater.exe.

The dropper implements sophisticated defense evasion through a custom Add-Exclusion function:

The Add-MpPreference cmdlet modifies Windows Defender settings, attempting to add an exclusion path for: C:\Users\<user>\AppData\Local\updater.exe

Start-Process launches the malware with these parameters:

• Window Style: Hidden (maintains stealth)
• Privileges: Run as Administrator
• Wait Parameter: Suppresses the command prompt until process completion

The finally block performs cleanup operations, removes traces, displays a decoy message to the user, and terminates the script.

For dynamic analysis, I placed updater.exe in %LOCALAPPDATA%, disabled "DLL can move" in DLL characteristics, and loaded the sample into x32dbg.

String analysis reveals the malware's command and control infrastructure:

The strings indicate that the malware uses the third entry as its user agent string for HTTP communications.

A critical component of Vidar's operation involves CreateProcessW, which spawns a duplicate process from the same directory. This technique serves multiple purposes:

• Detection Avoidance: Complicates analysis by distributing functionality across processes
• Memory Injection: The parent process writes malicious code into the child process memory space

The analysis reveals:

• Process Handle: 0x43C (child process)
• Source Address: 0x3FC0E60 (data location)
• Target Address: 0x400000 (injection point)
• Size: 0x400 bytes per operation

The WriteProcessMemory operation executes repeatedly, typically seven consecutive times:

Rather than documenting every WriteProcessMemory call, analysts can examine the complete injected code at 0x400000 in the child process. The final injection address varies but was observed at 0xE4F008 during this analysis.

The ResumeThread function activates the injected logger process. At this point, I attached a debugger to the child process and continued execution in the parent.

String analysis of the child process reveals dependencies on 149 functions across multiple system libraries:

• kernel32, ntdll, advapi32, user32, gdi32, shell32, ole32, ws2_32, shlwapi, wininet, bcrypt, dbghelp, msvcrt

The core malicious functionality begins at 0x417210. Due to extensive control flow obfuscation with numerous conditional jumps, step-by-step analysis proves challenging. A more effective approach involves setting breakpoints on key API functions.

During execution, the malware creates a randomly named directory under C:\ProgramData\ (observed: y5ppz).

The malware performs URL parsing and HTTP communications:

1. URL Parsing: InternetCrackUrlA processes https://t.me/l793oy
2. Connection Establishment: InternetConnectA connects to t.me using handles from InternetOpenA
3. HTTP Requests: HttpOpenRequestA sends requests to the Telegram URL

Following the Telegram communication, the malware contacts https://e.mx.goldenloafuae.com, which appears to be the primary C2 server. This URL was not identified by some sandbox environments, and the server was offline during analysis.

Since https://e.mx.goldenloafuae.com was operational, encrypted data exchange between the malware and C2 was confirmed.

The malware queries specific browser data locations:

"C:\\Users\\eyes\\AppData\\Local\\Google\\Chrome\\User Data\\*.*"
"C:\\Users\\eyes\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn\\*.*"

Discovered files are copied to the malware-created directory using CopyFileA:

Source: "C:\\Users\\eyes\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn\\000004.log"

Destination: "C:\\ProgramData\\y5ppz\\jmgvk6ppph4e"

After successful exfiltration, the malware deletes the copied files to minimize forensic evidence.

The malware targets multiple browsers for credential and data theft:

Microsoft Edge (\Microsoft\Edge Beta\User Data), Google Chrome (\Google\Chrome SxS\User Data), Microsoft Edge SxS (\Microsoft\Edge SxS\User Data), Epic Privacy Browser (\Epic Privacy Browser\User Data), CocCoc Browser (\CocCoc\Browser\User Data)

The extension targeting focuses on 35 different cryptocurrency wallets and password managers:

Major Wallets: MetaMask, Trust Wallet, Bitwarden, Authenticator, SafePal Wallet

TON Ecosystem: TON Wallet, MyTonWallet

Multi-Chain Wallets: OKX Web3 Wallet, Rainbow Wallet, Frontier Wallet, Bitget Wallet, Backpack Wallet

Solana Ecosystem: Solflare, Backpack Wallet

Cardano Ecosystem: GeroWallet, NamiWallet, Talisman Wallet

Specialized Wallets: Alephium Wallet, Hashpack, Leap Terra, Oxygen (Atomic), Ecto Wallet, Morphis Wallet, UniSat Wallet, Pontem Wallet, Xverse Wallet, Venom Wallet, PaliWallet, Fluvi Wallet, HAVAH Wallet, OpenMask Wallet, KardiaChain, RoninWalletEdge, KeePass Tusk, CyanoWallet, Ronin Wallet