TrojanSpy.MSIL.VIDAR.LN

March 06, 2023
 Analysis by: Ricardo III Valdez
 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It gathers certain information on the affected computer.

  TECHNICAL DETAILS

File Size:

491958096 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

22 Feb 2023

Payload:

Steals information, Deletes files, Collects system information

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following processes:

  • "%System%\cmd.exe" /c timeout /t 6 & del /f /q "{Malware File Path}\{Malware Filename}" & del %ProgramData%\*.dll & exit

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Other System Modifications

This Trojan Spy deletes the following files:

  • %ProgramData%\freebl3.dll
  • %ProgramData%\mozglue.dll
  • %ProgramData%\msvcp140.dll
  • %ProgramData%\nss3.dll
  • %ProgramData%\softokn3.dll
  • %ProgramData%\vcruntime140.dll
  • %ProgramData%\msvcp140.dll

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Information Theft

This Trojan Spy gathers the following information on the affected computer:

  • Date and time executed
  • Machine ID
  • GUID
  • HWID
  • Working path
  • Product name
  • Computer name
  • User name
  • Display resolution
  • Display language
  • Keyboard languages
  • Local time
  • Current time zone
  • Operating system information
  • Keyboard layout
  • CPU Count
  • RAM information
  • Processor information
  • Video card information
  • Running processes
  • Installed Software
  • Screenshot
  • Telegram session data
  • Steam metadata
  • Discord tokens
  • Browser data (e.g. cookies, downloads, history, credentials, autofills, credit card data):
    • 360 Browser
    • 7Star
    • Amigo
    • Brave
    • Cent Browser
    • Chedot Browser
    • Chromium
    • CocCoc
    • Comodo Dragon
    • CryptoTab
    • Epic Privacy Browser
    • Google Chrome
    • Microsoft Edge
    • Mozilla Firefox
    • Opera
    • Opera Crypto Stable
    • Opera GX Stable
    • Opera Stable
    • Pale Moon
    • QQBrowser
    • Thunderbird
    • TOR Browser
    • Torch
    • Vivaldi
  • Cryptocurrency Wallet Data:
    • Atomic
    • Binance
    • Binance
    • Bitcoin
    • Blockstream Green
    • Coinomi
    • Daedalus Mainnet
    • Dogecoin
    • ElectronCash
    • Electrum
    • Ethereum
    • Exodus
    • Jaxx Desktop Old
    • Jexx Desktop
    • Monero
    • MultiDoge
    • Raven Core
    • Wasabi Wallet
  • Cryptocurrency Browser Extensions:
    • Auro Wallet
    • Authenticator
    • Authy
    • Binance Chain Wallet
    • Bit App Wallet
    • Bolt X
    • Clover Wallet
    • Coin98
    • Coinbase
    • Cyano Wallet
    • EOS Authenticator
    • EQUAL Wallet
    • EVER Wallet
    • Goby
    • Guarda
    • Guild Wallet
    • Harmony
    • ICONex
    • iWallet
    • Jaxx Liberty
    • Kardia Chain
    • Keplr
    • KHC
    • Ledger Live
    • Liquality Wallet
    • Maiar DeFi Wallet
    • Math Wallet
    • MetaMask
    • MEW CX
    • Nami Wallet
    • Neo Line
    • Nifty Wallet
    • Oxygen (Atomic)
    • Pali Wallet
    • Phantom
    • Polymesh Wallet
    • Rabby
    • Ronin Wallet
    • Solflare
    • Sollet
    • Temple
    • Terra Station
    • TezBox
    • Trezor Password Manager
    • TronLink
    • Voroi
    • Waves Keeper
    • Wombat
    • Xdef Wallet
  • SFTP/FTP Clients (e.g. Host, Port, User, Pass, Recent Servers):
    • WinSCP
    • FileZilla

Other Details

This Trojan Spy does the following:

  • It connects to the following URL to resolve its configuration:
    • https://{BLOCKED}ommunity.com/profiles/76561199472399815
    • https://{BLOCKED}.me/litlebey
    • https://{BLOCKED}.{BLOCKED}.{BLOCKED}.112/get.zip
  • It sends the stolen information to the following IP:
    • https://{BLOCKED}.{BLOCKED}.{BLOCKED}.107
    However, as of this writing the said IP is inaccessible
  • It downloads the following archive in %ProgramData% upon resolving its configuration:
    • get.zip
    which contains the following normal files:
    • freebl3.dll
    • mozglue.dll
    • msvcp140.dll
    • nss3.dll
    • softokn3.dll
    • vcruntime140.dll
    • msvcp140.dll

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

18.274.08

FIRST VSAPI PATTERN DATE:

23 Feb 2023

VSAPI OPR PATTERN File:

18.275.00

VSAPI OPR PATTERN Date:

24 Feb 2023

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Identify and terminate files detected as TrojanSpy.MSIL.VIDAR.LN

[ Learn More ]
  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

Search and delete this file

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %ProgramData%\get.zip
  • %ProgramData%\freebl3.dll
  • %ProgramData%\mozglue.dll
  • %ProgramData%\msvcp140.dll
  • %ProgramData%\nss3.dll
  • %ProgramData%\softokn3.dll
  • %ProgramData%\vcruntime140.dll
  • %ProgramData%\msvcp140.dll

Step 5

Scan your computer with your Trend Micro product to delete files detected as TrojanSpy.MSIL.VIDAR.LN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.