Vidar Analysis

Gorilla Rage
Jul 1, 2021
Buffed up InfoStealer…

We will analyze the Vidar infostealer, focusing on its information-stealing capabilities.

Summary

Vidar is an infostealer that is distributed as a phishing email attachment, bundled with cracked versions of commercial software, or bundled with keygen programs.

Vidar is known to steal the following information from infected machines.

  1. Text files
  2. Browser cookies
  3. Browser histories
  4. Cryptocurrency
  5. MFA data

Our sample of this malware drops quite a few executables, not all of which we will cover in this analysis. We will go over b7j26HFyAZ.exe (the main executable), metina_3.exe, and metina_4.exe.

Hands On Analysis

As always, we conduct this analysis in our VMware Windows 10 guest with the following tools.

  1. IDA Freeware
  2. PE-Bear
  3. x64dbg

vid.exe (b7j26HFyAZ.exe)

This is the first executable, retrieved from a phishing email attachment, cracked software, or a keygen program.

The file is an executable masquerading as a 7-Zip installer.

Figure 1: Masquerading as a 7-Zip installer

As soon as we load the executable into x64dbg, we see the following.

Figure 2: Admin privilege

This executable uses a few anti-analysis methods, which we observed during the analysis.

  • GlobalMemoryStatusEx

This API was seen being used during the analysis; it reports the memory status of the infected machine. The malware checks whether the machine has less than 4 GB of memory, which it treats as an indication that the machine is a VM.

  • LoadLibrary and GetProcAddress

This pair is commonly used to load libraries dynamically and resolve their functions at runtime.

  • CrtDbgBreak

This malware appears to be a C++ program, and this call was likely used for debugging the malware during its development.

The main functionality of this executable appears to be that of a dropper: it creates a directory with CreateDirectoryW named 7zS4E8D7B50, a naming convention similar to that of 7-Zip's temporary directory.

Figure 3: Creates a directory following the naming convention of 7-Zip's temp directory.

With a combination of CreateFileW, WriteFile, and VirtualAlloc, the malware dropped the following files:

libcurl.dll
libcurlcpp.dll
libgcc_s_dw2-1.dll
libstdc++-6.dll
libwinpthread-1.dll
metina_1.exe (8414d9ce765e44a8e3d17714b167eca8)
metina_2.exe (3c77c51f3c6a25d438bf1791fb2b5ef9)
metina_3.exe (6410b3a5a3fbf2ed93c7d098d81f2048)
metina_4.exe (d62f03e94e1780c5462435b408573f76)
metina_5.exe (f642cc120e0fbce3d2165bb91a5dc86f)
metina_6.exe (8a9de67ac40187545bc4ea5712ad1df6)
setup_install.exe (9f96c400c631c3033cd170951bffb170)

The malware drops the legitimate network library cURL, which setup_install.exe uses for C2 communications.

Figure 4: Dropped files

One interesting method it used to write one of the DLLs was that it staged the DLL on the stack instead of in memory allocated by VirtualAlloc.

Figure 5: WriteFile Call
Figure 6: Stack area with Loaded binary

metina_3.exe

During this execution there were two memory allocations.

  1. Shellcode. This shellcode was allocated in memory for the unpacking procedure.
  2. PE file memory allocation. The executable unpacks itself into this allocated memory, then overwrites each section with the appropriate unpacked section.

Figure 7: Unpacked PE file
Figure 8: Executable privilege given by VirtualProtect

After it completes unpacking, it proceeds to create a connection via wininet.dll API calls.

Figure 9: InternetConnectA call for api.faceit[.]com

The connection to api.faceit[.]com is attempted; this appears to be the API of a gaming platform. Recent Vidar samples use this API for initial C2 communication, retrieving the C2 IP address dynamically from the “about” section.

However, our executable failed to retrieve the IP address because the URI no longer exists.

Figure 10: Failed response

From further research, this malware appears to change the URI every few days.

From static analysis of the unpacked executable, it appears to reference the following information:

  • Local Extension Settings and Sync Extension Settings
\\Local Extension Settings\\fhbohimaelbohpjbbldcngcnapndodjp
\\Sync Extension Settings\\ibnejdfjmmkpcnlpebklmnkoeoihofec

Both “Local Extension Settings” and “Sync Extension Settings” appear to be the locations where Chrome stores the data of these extensions.

  • Profiles
\\Mozilla\\Firefox\\profiles.ini

A Mozilla Firefox profile stores the user's personal information such as bookmarks and passwords.

  • Cryptocurrency

The following cryptocurrency-related data is referenced by this executable.

BinanceChainWallet
TronLink
Wallets
*wallet*.dat
Coinomi
Atomic
multidoge
electroncash
Jaxx
Exodus
ElectrumLTC
Ethereum

Other data referenced by this executable were the following:

  • Thunderbird profiles
  • Firefox cookies via SQLite
  • Telegram

After collecting this data, it is assumed to be dumped to text files as shown in the following figure.

Figure 11: Text files

metina_4.exe

This executable appears to have two main functionalities:

  1. Dropping of malicious files
  2. C2 communications

Dropping of malicious files

The resource section of this executable contains another binary, which appears to be UPX packed.

Figure 12: Resource section of the executable
Figure 13: UPX packed

From this resource section, the executable drops the following file:

C:\Users\<username>\AppData\Local\Temp\jfiag3g_gg.exe

When this file is unpacked, we can see the following information in its resource section.

00 00 00 00 56 02 00 00  01 00 53 00 74 00 72 00  ....V.....S.t.r.
69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 i.n.g.F.i.l.e.I.
6E 00 66 00 6F 00 00 00 32 02 00 00 01 00 30 00 n.f.o...2.....0.
34 00 30 00 39 00 30 00 34 00 62 00 30 00 00 00 4.0.9.0.4.b.0...
30 00 08 00 01 00 43 00 6F 00 6D 00 70 00 61 00 0.....C.o.m.p.a.
6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 n.y.N.a.m.e.....
4E 00 69 00 72 00 53 00 6F 00 66 00 74 00 00 00 N.i.r.S.o.f.t...
4C 00 12 00 01 00 46 00 69 00 6C 00 65 00 44 00 L.....F.i.l.e.D.
65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 e.s.c.r.i.p.t.i.
6F 00 6E 00 00 00 00 00 43 00 68 00 72 00 6F 00 o.n.....C.h.r.o.
6D 00 65 00 43 00 6F 00 6F 00 6B 00 69 00 65 00 m.e.C.o.o.k.i.e.
73 00 56 00 69 00 65 00 77 00 00 00 2A 00 05 00 s.V.i.e.w...*...
01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 ..F.i.l.e.V.e.r.
73 00 69 00 6F 00 6E 00 00 00 00 00 31 00 2E 00 s.i.o.n.....1...
36 00 30 00 00 00 00 00 44 00 12 00 01 00 49 00 6.0.....D.....I.
6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 n.t.e.r.n.a.l.N.
61 00 6D 00 65 00 00 00 43 00 68 00 72 00 6F 00 a.m.e...C.h.r.o.
6D 00 65 00 43 00 6F 00 6F 00 6B 00 69 00 65 00 m.e.C.o.o.k.i.e.
73 00 56 00 69 00 65 00 77 00 00 00 68 00 22 00 s.V.i.e.w...h.".
01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 ..L.e.g.a.l.C.o.
70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
74 00 20 00 A9 00 20 00 32 00 30 00 31 00 31 00 t. .©. .2.0.1.1.
20 00 2D 00 20 00 32 00 30 00 32 00 30 00 20 00 .-. .2.0.2.0. .
4E 00 69 00 72 00 20 00 53 00 6F 00 66 00 65 00 N.i.r. .S.o.f.e.
72 00 00 00 54 00 16 00 01 00 4F 00 72 00 69 00 r...T.....O.r.i.
67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 g.i.n.a.l.F.i.l.
65 00 6E 00 61 00 6D 00 65 00 00 00 43 00 68 00 e.n.a.m.e...C.h.
72 00 6F 00 6D 00 65 00 43 00 6F 00 6F 00 6B 00 r.o.m.e.C.o.o.k.
69 00 65 00 73 00 56 00 69 00 65 00 77 00 2E 00 i.e.s.V.i.e.w...
65 00 78 00 65 00 00 00 44 00 12 00 01 00 50 00 e.x.e...D.....P.
72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 r.o.d.u.c.t.N.a.
6D 00 65 00 00 00 00 00 43 00 68 00 72 00 6F 00 m.e.....C.h.r.o.
6D 00 65 00 43 00 6F 00 6F 00 6B 00 69 00 65 00 m.e.C.o.o.k.i.e.
73 00 56 00 69 00 65 00 77 00 00 00 2E 00 05 00 s.V.i.e.w.......
01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 ..P.r.o.d.u.c.t.
56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 V.e.r.s.i.o.n...
31 00 2E 00 36 00 30 00 00 00 00 00 44 00 00 00 1...6.0.....D...
01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 ..V.a.r.F.i.l.e.
49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 I.n.f.o.....$...
00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 ..T.r.a.n.s.l.a.
74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 B0 04 t.i.o.n.......°.

Looking at the above, this file appears to be a packed copy of NirSoft's ChromeCookiesView. This is more evident from the file hash and the command line it gets executed with:
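To read resource dumps like the one above without decoding them by eye, here is a small parser added for this write-up (not code from the original post, and nothing taken from the malware): it walks version-resource blocks (wLength, wValueLength, wType, UTF-16 key, padding, then a value or child blocks) and accepts the "16 hex bytes + ASCII column" dump layout. The sample dump inside the block is constructed from the CompanyName field seen above with a recomputed table length, and the function names are my own.

```python
import re
import struct

def _align4(n):
    return (n + 3) & ~3

def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset just past the terminator)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_version_block(buf, off=0):
    """Parse one block (StringFileInfo, StringTable, String, VarFileInfo, Var): WORD wLength, WORD wValueLength, WORD wType, WCHAR szKey[], padding, then a Value or child blocks."""
    w_len, w_vlen, w_type = struct.unpack_from("<HHH", buf, off)
    key, pos = _read_wstr(buf, off + 6)
    pos, end = _align4(pos), off + w_len
    if w_vlen:
        if w_type == 1:  # text value: wValueLength counts WCHARs, terminator included
            value = buf[pos:pos + w_vlen * 2].decode("utf-16-le").rstrip("\x00")
        else:            # binary value (e.g. Translation): wValueLength counts bytes
            value = buf[pos:pos + w_vlen]
    else:                # no value: the block is a container of child blocks
        value = {}
        while pos + 6 <= end:
            child_key, child_val, pos = parse_version_block(buf, pos)
            value[child_key] = child_val
    return key, value, _align4(end)  # (key, value or {child: value}, offset of the next sibling)

def hexdump_to_bytes(text):
    """Turn dump lines in the '16 hex bytes + ASCII column' layout shown above into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        hexs = []
        for tok in line.split()[:16]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII column of a short line
            hexs.append(tok)
        out += bytes.fromhex("".join(hexs))
    return bytes(out)

# Constructed sample: a StringTable "040904b0" holding only CompanyName=NirSoft (wLength recomputed to 0x48).
SAMPLE_DUMP = """
48 00 00 00 01 00 30 00 34 00 30 00 39 00 30 00 H.....0.4.0.9.0.
34 00 62 00 30 00 00 00 30 00 08 00 01 00 43 00 4.b.0...0.....C.
6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 o.m.p.a.n.y.N.a.
6D 00 65 00 00 00 00 00 4E 00 69 00 72 00 53 00 m.e.....N.i.r.S.
6F 00 66 00 74 00 00 00 o.f.t...
"""
```

Running `parse_version_block(hexdump_to_bytes(SAMPLE_DUMP))` yields the table key and a `{field: value}` dictionary; feeding it the full StringFileInfo dump above recovers every field at once.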

"C:\\Users\\GORILL~1\\AppData\\Local\\Temp\\jfiag3g_gg.exe /scookiestxt C:\\Users\\GORILL~1\\AppData\\Local\\Temp\\fj4ghga23_fsa.txt"

The command line saves the list of Google Chrome cookies to fj4ghga23_fsa.txt.

※ metina_4.exe also appears to unpack NirSoft's EdgeCookiesView.

Once jfiag3g_gg.exe finishes executing, metina_4.exe deletes it and reads the cookie information from fj4ghga23_fsa.txt.

This cookie information is later used in the connections it makes.
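One way a defender could flag this behaviour in process-creation telemetry, as an added example that is not part of the original post: the records, their `pid=... cmd=...` layout and the helper names are constructed for this demo, and the only signals used are the ones described above, a binary launched from the user's Temp directory with the /scookiestxt switch writing its output back into Temp.

```python
import re

# Matches the per-user Temp directory in both long and 8.3 (GORILL~1) forms of the path.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double-quoted paths."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def is_temp_cookie_dump(cmdline):
    """True when an executable living in the user's Temp directory is asked to export
    browser cookies (NirSoft-style /scookiestxt switch) into a file that is also in Temp."""
    args = split_cmdline(cmdline)
    if len(args) < 3 or not TEMP_DIR.search(args[0]):
        return False
    for i in range(1, len(args) - 1):
        if args[i].lower() == "/scookiestxt" and TEMP_DIR.search(args[i + 1]):
            return True
    return False

def scan(records):
    """Return (pid, command line) for every 'pid=<n> cmd=<command line>' record that matches."""
    hits = []
    for line in records:
        m = re.match(r"pid=(\d+)\s+cmd=(.*)$", line)
        if m and is_temp_cookie_dump(m.group(2)):
            hits.append((int(m.group(1)), m.group(2)))
    return hits

# Constructed process-creation records (not taken from the original analysis environment).
SAMPLE_RECORDS = [
    r'pid=4120 cmd=C:\Users\GORILL~1\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\GORILL~1\AppData\Local\Temp\fj4ghga23_fsa.txt',
    r'pid=880 cmd="C:\Program Files\NirSoft\ChromeCookiesView.exe" /scookiestxt "C:\Users\alice\Desktop\cookies.txt"',
    r'pid=2210 cmd=C:\Users\alice\AppData\Local\Temp\7zS4E8D7B50\setup.exe /S',
]
```

An administrator running the same tool from its install directory (second record) and a plain installer in Temp (third record) are not flagged; only the Temp-to-Temp cookie export is.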

External communications

The external communication is done through functions from WINHTTP.dll, and the executable appears to communicate with the following domains.

  • ip-api[.]com

ip-api[.]com is an open-source API that returns the IP address and geolocation of a machine. The executable connects to it through the WinHttpConnect function and appears to retrieve the following information about the machine.

{
"status", "country", "countryCode", "region", "regionName", "city", "zip", "lat", "lon", "timezone", "isp", "org", "as", "query"
}

  • facebook[.]com

The executable also makes legitimate calls to Facebook-related APIs, as we can see in Figure 12. These API calls retrieve the Facebook account information, the account's friends list, and much more relevant to that user.

It appears to bypass authentication by using the cookie information retrieved via jfiag3g_gg.exe. However, this only succeeds if the user has been accessing Facebook on the machine.

Figure 14: Facebook related URLs

  • uyg5wye.2ihsfa[.]com

This domain appears to be the C2 server that this executable uses. It first makes a connection through the following URL.

http://uyg5wye.2ihsfa[.]com/api/fbtime

From the above URL, the C2 responds with the following data.

Figure 15: C2 response

It is assumed this data is used for further infostealing.

Conclusion

The malware retrieves a wide variety of information from the machine; once a machine is infected, some of its data will be stolen. To prevent these infections, it is always recommended not to use any cracked or keygen software and to educate ourselves more about phishing email. However, one thing I did notice during my analysis was that Microsoft Windows Defender identified the executable I was analyzing as malicious and tried to remove it with real-time detection.
