From 8698f9935c12c4a3c0e209ae17ab0bdbe870cc07 Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Tue, 2 Jun 2026 10:59:02 +0100
Subject: [PATCH] Vidar: update detection yara

---
 data/yara/CAPE/Vidar.yar | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/data/yara/CAPE/Vidar.yar b/data/yara/CAPE/Vidar.yar
index 3e58ac0e814..b7ac19baaa7 100644
--- a/data/yara/CAPE/Vidar.yar
+++ b/data/yara/CAPE/Vidar.yar
@@ -1,9 +1,22 @@
 rule Vidar
 {
 meta:
- author = "kevoreilly,rony"
+ author = "kevoreilly"
 description = "Vidar Payload"
 cape_type = "Vidar Payload"
+ packed = "96ab9c389a6a53c54a3ea05d139aaf2d775e8db06f37d027f696828dcc55e2bb"
+ strings:
+ $code = {4D 85 C0 75 0? [0-16] (41|45) 88 ?? [0-20] (41|45) 38 (08|10) 74 ?? [0-16] (48|4C) 63 [0-16] 4? 3B ?? 73}
+ condition:
+ uint16(0) == 0x5A4D and all of them
+ }
+
+ rule VidarOld
+ {
+ meta:
+ author = "kevoreilly,rony"
+ description = "Vidar Payload (Old)"
+ cape_type = "Vidar Payload"
 packed = "0cff8404e73906f3a4932e145bf57fae7a0e66a7d7952416161a5d9bb9752fd8"
 strings:
 $decode = {FF 75 0C 8D 34 1F FF 15 ?? ?? ?? ?? 8B C8 33 D2 8B C7 F7 F1 8B 45 0C 8B 4D 08 8A 04 02 32 04 31 47 88 06 3B 7D 10 72 D8}
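Review bot: The new `Vidar` rule's verdict rests on the single string `$code`, a heavily wildcarded pattern with three `[0-16]`/`[0-20]` jumps whose fixed bytes decode to generic x64 instructions (`4D 85 C0` test r8,r8, `75` jne, `41|45 88` mov r/m8, `41|45 38` cmp r/m8, `74` je, `48|4C 63` movsxd, `4? 3B` cmp, `73` jae), so `uint16(0) == 0x5A4D and all of them` is one loose match against any PE rather than the conjunction it reads as. That test/branch/byte-compare/movsxd/jae shape is ordinary compiler output for a bounded byte loop, so I would expect a false-positive run against a clean 64-bit PE corpus before this ships, and a second anchor string or tighter jump ranges if it fires there. Whatever the outcome, the pattern deserves a comment naming what it was lifted from, e.g. `// $code: presumed Vidar x64 byte-compare loop (test r8,r8 ; jne ; ... ; movsxd ; cmp ; jae) -- re-derive from the 'packed' sample` above the `$code` line, since the `packed` hash identifies the sample but not the function. The hunk is complete here; the old rule's `condition:` for `VidarOld` lies past it and was not reviewed.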