
Analysis

  • max time kernel
    129s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • submitted
    11/09/2022, 06:47 UTC

General

  • Target

    d311d95c1cbae9b5a21e2c52995a2ae6.exe

  • Size

    375KB

  • MD5

    d311d95c1cbae9b5a21e2c52995a2ae6

  • SHA1

    e6334f2bd1a4fc2926acff2888abb6835605ce70

  • SHA256

    33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362

  • SHA512

    abe975a92068a9a77f9e0bff43bc12d66f330e2ae92edc45abc1367168c61477cf6fcba1368e20467576f473aca7d09ad14c97d3417b557f26fb79221a4bcf24

  • SSDEEP

    6144:HhtAlyCzt2Lmi0WCQD4erl+IPNqh/cDluYEBKTm46X0V77AoHuASdOX:HhtAPMmi0WCqvrl+IlNl/EkTmfEVdsOX

Score
10/10

Malware Config

Extracted

Family

vidar

Version

54.2

Botnet

1438

C2

https://t.me/tigogames

https://ioc.exchange/@tiagoa26

Attributes
  • profile_id

    1438

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d311d95c1cbae9b5a21e2c52995a2ae6.exe
    "C:\Users\Admin\AppData\Local\Temp\d311d95c1cbae9b5a21e2c52995a2ae6.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID: 1200
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 832

    Network

    • flag-us
      DNS
      t.me
      AppLaunch.exe
      Remote address:
      8.8.8.8:53
      Request
      t.me
      IN A
      Response
      t.me
      IN A
      149.154.167.99
    • flag-us
      DNS
      ioc.exchange
      AppLaunch.exe
      Remote address:
      8.8.8.8:53
      Request
      ioc.exchange
      IN A
      Response
      ioc.exchange
      IN A
      45.79.113.18
    • flag-us
      DNS
      ioc.exchange
      AppLaunch.exe
      Remote address:
      8.8.8.8:53
      Request
      ioc.exchange
      IN A
      Response
      ioc.exchange
      IN A
      45.79.113.18
    • flag-us
      GET
      https://ioc.exchange/@tiagoa26
      AppLaunch.exe
      Remote address:
      45.79.113.18:443
      Request
      GET /@tiagoa26 HTTP/1.1
      Host: ioc.exchange
      Response
      HTTP/1.1 403 Forbidden
      Date: Sun, 11 Sep 2022 06:47:17 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      Server: Mastodon
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 0
      Permissions-Policy: interest-cohort=()
      Cache-Control: max-age=180, public
      Vary: Accept-Encoding, Origin
      Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://ioc.exchange; img-src 'self' https: data: blob: https://ioc.exchange; style-src 'self' https://ioc.exchange 'nonce-8gqSD2F83Vb0xKH1NjPMhQ=='; media-src 'self' https: data: https://ioc.exchange; frame-src 'self' https:; manifest-src 'self' https://ioc.exchange; connect-src 'self' data: blob: https://ioc.exchange https://files.ioc.exchange wss://ioc.exchange; script-src 'self' https://ioc.exchange; child-src 'self' blob: https://ioc.exchange; worker-src 'self' blob: https://ioc.exchange
      Set-Cookie: _mastodon_session=jFUQzjRlkNqBkEJZt3gR6jzp8EP47KegAYv4%2FTTv6tTqBBUCYEZMxb%2Bg9LeqObTUiut10y8zjm4eH%2Ft0Ju337rM1KDrfd5xUoiP8qFtW%2BMXz5Fd%2BTQYhhFgGuHYq4Z6tJiQ01cFKt7n2I8TrQ3almfjuq0tq3OeKD1zNOAW52KOOHD91jXvAADjj9FMztJw%2FNplHE3FouOMASC9In5w5XRo5PBSCM81HG4MPOPw%2FGiaV--n83Zgxr304%2BYYamn--mioCaAhHDxzkRt4HVEBhQQ%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
      X-Request-Id: f3e7c538-3a35-4997-8a51-b3fab3376d44
      X-Runtime: 0.017405
      Strict-Transport-Security: max-age=63072000; includeSubDomains
    • flag-us
      DNS
      apps.identrust.com
      AppLaunch.exe
      Remote address:
      8.8.8.8:53
      Request
      apps.identrust.com
      IN A
      Response
      apps.identrust.com
      IN CNAME
      identrust.edgesuite.net
      identrust.edgesuite.net
      IN CNAME
      a1952.dscq.akamai.net
      a1952.dscq.akamai.net
      IN A
      96.16.53.134
      a1952.dscq.akamai.net
      IN A
      96.16.53.139
    • flag-nl
      GET
      http://apps.identrust.com/roots/dstrootcax3.p7c
      AppLaunch.exe
      Remote address:
      96.16.53.134:80
      Request
      GET /roots/dstrootcax3.p7c HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: apps.identrust.com
      Response
      HTTP/1.1 200 OK
      X-XSS-Protection: 1; mode=block
      Strict-Transport-Security: max-age=15768000
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Content-Security-Policy: default-src 'self' *.identrust.com
      Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
      ETag: "37d-5e1e6e25c9800"
      Accept-Ranges: bytes
      Content-Length: 893
      X-Content-Type-Options: nosniff
      X-Frame-Options: sameorigin
      Content-Type: application/pkcs7-mime
      Cache-Control: max-age=3600
      Expires: Sun, 11 Sep 2022 07:47:16 GMT
      Date: Sun, 11 Sep 2022 06:47:16 GMT
      Connection: keep-alive
    • flag-us
      GET
      https://ioc.exchange/@tiagoa26
      AppLaunch.exe
      Remote address:
      45.79.113.18:443
      Request
      GET /@tiagoa26 HTTP/1.1
      Host: ioc.exchange
      Cookie: _mastodon_session=jFUQzjRlkNqBkEJZt3gR6jzp8EP47KegAYv4%2FTTv6tTqBBUCYEZMxb%2Bg9LeqObTUiut10y8zjm4eH%2Ft0Ju337rM1KDrfd5xUoiP8qFtW%2BMXz5Fd%2BTQYhhFgGuHYq4Z6tJiQ01cFKt7n2I8TrQ3almfjuq0tq3OeKD1zNOAW52KOOHD91jXvAADjj9FMztJw%2FNplHE3FouOMASC9In5w5XRo5PBSCM81HG4MPOPw%2FGiaV--n83Zgxr304%2BYYamn--mioCaAhHDxzkRt4HVEBhQQ%3D%3D
      Response
      HTTP/1.1 403 Forbidden
      Date: Sun, 11 Sep 2022 06:49:18 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      Server: Mastodon
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 0
      Permissions-Policy: interest-cohort=()
      Cache-Control: max-age=180, public
      Vary: Accept-Encoding, Origin
      Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://ioc.exchange; img-src 'self' https: data: blob: https://ioc.exchange; style-src 'self' https://ioc.exchange 'nonce-0EUEagqiKTh4UwIOeD2TQQ=='; media-src 'self' https: data: https://ioc.exchange; frame-src 'self' https:; manifest-src 'self' https://ioc.exchange; connect-src 'self' data: blob: https://ioc.exchange https://files.ioc.exchange wss://ioc.exchange; script-src 'self' https://ioc.exchange; child-src 'self' blob: https://ioc.exchange; worker-src 'self' blob: https://ioc.exchange
      Set-Cookie: _mastodon_session=1ARKwSnmt90Wsy8LrX2PQu7t3gV9%2FojPRctrBXd9lgIiHEJV%2B30TvqA83%2FKodtDKeijmhTpxbCzBHzIjMx6nM8TbSTi8ZAc7J0NgXmkaMlk11tQzyRU%2FNZJqC187DfzcvhOGWhXXesRSADyU%2B9vgXaXPtrbD2z75CPJkyd4%2F5GYx0SWIUjMsYoKCikuH443UvmmaeM5GHPm%2F3XDmtjLyLUbAWOPGNuvDRc92D2fTw%2FVc--D6kbwhidbVl2aEuk--vQRYhSqMCGA0VpeLmgZf1A%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
      X-Request-Id: 09c95e90-352c-48b6-8eb7-f07c685525c2
      X-Runtime: 0.014338
      Strict-Transport-Security: max-age=63072000; includeSubDomains
    • 149.154.167.99:443
      t.me
      tls
      AppLaunch.exe
      385 B
      219 B
      5
      5
    • 149.154.167.99:443
      t.me
      tls
      AppLaunch.exe
      347 B
      219 B
      5
      5
    • 149.154.167.99:443
      t.me
      tls
      AppLaunch.exe
      288 B
      219 B
      5
      5
    • 149.154.167.99:443
      t.me
      AppLaunch.exe
      190 B
      92 B
      4
      2
    • 45.79.113.18:443
      https://ioc.exchange/@tiagoa26
      tls, http
      AppLaunch.exe
      924 B
      8.0kB
      11
      15

      HTTP Request

      GET https://ioc.exchange/@tiagoa26

      HTTP Response

      403
    • 96.16.53.134:80
      http://apps.identrust.com/roots/dstrootcax3.p7c
      http
      AppLaunch.exe
      369 B
      1.6kB
      5
      4

      HTTP Request

      GET http://apps.identrust.com/roots/dstrootcax3.p7c

      HTTP Response

      200
    • 149.154.167.99:443
      t.me
      tls
      AppLaunch.exe
      385 B
      219 B
      5
      5
    • 149.154.167.99:443
      t.me
      tls
      AppLaunch.exe
      347 B
      219 B
      5
      5
    • 149.154.167.99:443
      t.me
      tls
      AppLaunch.exe
      288 B
      219 B
      5
      5
    • 149.154.167.99:443
      t.me
      AppLaunch.exe
      190 B
      92 B
      4
      2
    • 45.79.113.18:443
      https://ioc.exchange/@tiagoa26
      tls, http
      AppLaunch.exe
      1.0kB
      3.3kB
      7
      9

      HTTP Request

      GET https://ioc.exchange/@tiagoa26

      HTTP Response

      403
    • 8.8.8.8:53
      t.me
      dns
      AppLaunch.exe
      50 B
      66 B
      1
      1

      DNS Request

      t.me

      DNS Response

      149.154.167.99

    • 8.8.8.8:53
      ioc.exchange
      dns
      AppLaunch.exe
      116 B
      148 B
      2
      2

      DNS Request

      ioc.exchange

      DNS Request

      ioc.exchange

      DNS Response

      45.79.113.18

      DNS Response

      45.79.113.18

    • 8.8.8.8:53
      apps.identrust.com
      dns
      AppLaunch.exe
      64 B
      165 B
      1
      1

      DNS Request

      apps.identrust.com

      DNS Response

      96.16.53.134
      96.16.53.139

    MITRE ATT&CK Matrix

    Downloads

    • memory/832-54-0x0000000000400000-0x000000000045D000-memory.dmp

      Filesize

      372KB

    • memory/832-56-0x0000000000400000-0x000000000045D000-memory.dmp

      Filesize

      372KB

    • memory/832-63-0x0000000000400000-0x000000000045D000-memory.dmp

      Filesize

      372KB

    • memory/832-64-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

      Filesize

      8KB

    • memory/832-65-0x0000000000400000-0x000000000045D000-memory.dmp

      Filesize

      372KB
