General

  • Target

    fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886

  • Size

    727KB

  • Sample

    211016-anerxscddj

  • MD5

    f910255f4ace1b36d8ae4e4529da6754

  • SHA1

    650f4289e43c451095a9946c9391594e263c0fd5

  • SHA256

    fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886

  • SHA512

    241a45ac29b430aa67c85591258022c5b00b6bb55247f51f7ffcb73be1276cf4bc8f4649ba668b6885cbbbfee8609fda788b63b1169c86200d633ff70451b6e5

Malware Config

Extracted

Family

vidar

Version

41.4

Botnet

1008

C2

https://mas.to/@sslam

(Vidar configs carry a social-media profile URL rather than the C2 address itself: the bot fetches this profile at runtime and reads the real C2 address out of it, so both the profile URL and whatever address it resolves to are worth blocking and alerting on.)

Attributes
  • profile_id

    1008

Targets

    • Target

      fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Vidar Stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies RDP port number used by Windows

    • Sets DLL path for service in the registry

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
