General

  • Target

    AnyDesk.zip

  • Size

    5.2MB

  • Sample

    221014-l3s4msaddl

  • MD5

    3d172848ceb6b8464948e97e50655fa7

  • SHA1

    6d402377c5cc98819e8d0e4dbcf511703cccb7d8

  • SHA256

    b308ef119eeb47eccbe6c31004f34f68e1816e8d5f37785568f634f28f1fea78

  • SHA512

    702c0a291d28d9bad0debe1999291d4044ed1db29131044a3862a512f183efc7a0d8112e089508bab46ba54c1347e441b7b5dfe2bd564a4800e5574b3dfa2e66

  • SSDEEP

    98304:6OlsVrxlZxgG19hXMhw1VhTJ97dcVHV3fj8aR2Wz5KDDZKcM:6usVlrFVddcVHNNR2W45bM
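The digests above (and those listed further down for the contained AnyDesk/AnyDesk.exe) are the simplest indicators to act on. The following is an added example, not code from the report or from tria.ge: it hashes a file in a single pass, checks the result against a watchlist seeded with this report's MD5/SHA-1/SHA-256 values, and flags archive members that are large but compress almost to nothing. That last check is motivated by the sizes on this page (a 5.2MB archive holding a 700.0MB executable), which is consistent with a binary padded out to defeat upload limits; that reading is an inference from the sizes, not something the report states, and the 1 MiB / 5% thresholds are assumptions. The zip it builds is constructed for the demo and is not the real sample.

```python
import hashlib
import io
import zipfile

# Digests copied from the report: the AnyDesk.zip archive and the
# AnyDesk/AnyDesk.exe it contains (SHA-512 values omitted only for brevity).
KNOWN_BAD = {
    "md5": {"3d172848ceb6b8464948e97e50655fa7",
            "fd63fa7df8db3392b0200021f20bfea0"},
    "sha1": {"6d402377c5cc98819e8d0e4dbcf511703cccb7d8",
             "d1a39db7ed2d9ab3b49a91b94481dd7a4d4cc2aa"},
    "sha256": {"b308ef119eeb47eccbe6c31004f34f68e1816e8d5f37785568f634f28f1fea78",
               "5861d5cc8e59860c0e0d54a78ee3ae6e0f2c25cbea56aee62443129c546ea033"},
}


def digest_stream(fp, chunk=1 << 20):
    """Compute md5/sha1/sha256/sha512 of a file-like object in one pass,
    so a multi-hundred-megabyte sample is read from disk only once."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
              "sha256": hashlib.sha256(), "sha512": hashlib.sha512()}
    for block in iter(lambda: fp.read(chunk), b""):
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def match_iocs(digests, watchlist=KNOWN_BAD):
    """Names of the algorithms whose digest is on the watchlist ([] = no hit)."""
    return sorted(name for name, value in digests.items()
                  if value in watchlist.get(name, ()))


def inflated_members(zip_bytes, min_size=1 << 20, max_ratio=0.05):
    """Flag archive members that are large yet compress almost to nothing.
    Padding added to bloat an executable compresses far better than real
    code; both thresholds are assumptions, tune them against your own data."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size < min_size:
                continue
            ratio = info.compress_size / info.file_size
            if ratio <= max_ratio:
                hits.append((info.filename, info.file_size, round(ratio, 4)))
    return hits


def build_constructed_sample(pad_bytes=2 << 20):
    """Constructed stand-in for AnyDesk.zip (NOT the real archive): a small
    stub followed by a run of zero bytes, mimicking a padded binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AnyDesk/AnyDesk.exe",
                    bytes(range(256)) * 16 + b"\x00" * pad_bytes)
        zf.writestr("AnyDesk/README.txt",
                    b"constructed sample, not the real archive")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("archive sha256:", digest_bytes(sample)["sha256"])
    print("watchlist hits:", match_iocs(digest_bytes(sample)))
    print("inflated members:", inflated_members(sample))
```

Hash matching only catches this exact build; a repacked or re-padded copy changes every digest, which is why the SSDEEP values on the page and the compression-ratio heuristic are worth keeping alongside the exact hashes.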

Malware Config

Extracted

Family

vidar

Version

55

Botnet

1340

C2

https://t.me/truewallets

https://mas.to/@zara99

http://116.203.10.3:80

Attributes

  • profile_id

    1340
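The three C2 entries are not equivalent as indicators. The t.me and mas.to entries are profile pages on shared public platforms (Vidar is known to fetch its real C2 address from such pages; that is general knowledge about the family, not something this report states), so blocking or alerting on the host alone would hit every Telegram or Mastodon user; only the exact path is an indicator. The IP is dedicated infrastructure and any traffic to it is suspect. The following is an added example, not code from the report or from tria.ge, showing that distinction applied to proxy logs. The log format (epoch, client, method, URL, status) and the log lines are constructed for the demo.

```python
from urllib.parse import urlsplit

# Network indicators from the extracted config above.
C2_INDICATORS = [
    "https://t.me/truewallets",
    "https://mas.to/@zara99",
    "http://116.203.10.3:80",
]

# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
# Invented for this example; it is not output from the sandbox run.
SAMPLE_LOG = """\
1665748800.101 10.0.0.21 GET https://t.me/truewallets 200
1665748801.330 10.0.0.21 GET https://t.me/s/some_channel 200
1665748802.004 10.0.0.21 GET https://mas.to/@zara99 200
1665748803.512 10.0.0.21 POST http://116.203.10.3/ 200
1665748804.777 10.0.0.21 POST http://116.203.10.3:8080/upload 200
1665748805.000 10.0.0.42 GET https://mas.to/explore 200
"""


def normalise(url):
    """(host, port, path) with scheme defaults filled in, so that
    http://116.203.10.3:80 and http://116.203.10.3/ compare equal."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path.rstrip("/") or "/"
    return (parts.hostname or "").lower(), port, path


def build_matcher(indicators):
    """Two match modes: an indicator with a bare host (the IP here) is
    dedicated infrastructure, so any URL on that host matches; an indicator
    with a path (the t.me and mas.to profiles) sits on a shared platform,
    so only that exact host+port+path matches."""
    by_host, exact = {}, {}
    for ioc in indicators:
        host, port, path = normalise(ioc)
        if path == "/":
            by_host[host] = ioc
        else:
            exact[(host, port, path)] = ioc

    def match(url):
        host, port, path = normalise(url)
        return by_host.get(host) or exact.get((host, port, path))
    return match


def scan_proxy_log(lines, match):
    """Return (client, url, matched_indicator) for every line that hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or line.startswith("#"):
            continue
        _, client, _, url, _ = fields[:5]
        ioc = match(url)
        if ioc:
            hits.append((client, url, ioc))
    return hits


if __name__ == "__main__":
    matcher = build_matcher(C2_INDICATORS)
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines(), matcher):
        print(hit)
```

One caveat for real deployments: without TLS inspection a proxy only sees the CONNECT host for the HTTPS entries, not the profile path, so path-level matching for t.me and mas.to needs endpoint or browser telemetry; the IP indicator works at the host level regardless.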

Targets

    • Target

      AnyDesk/AnyDesk.exe

    • Size

      700.0MB

    • MD5

      fd63fa7df8db3392b0200021f20bfea0

    • SHA1

      d1a39db7ed2d9ab3b49a91b94481dd7a4d4cc2aa

    • SHA256

      5861d5cc8e59860c0e0d54a78ee3ae6e0f2c25cbea56aee62443129c546ea033

    • SHA512

      ee4a0d4c5265ed5af24942aefb635596a3de7c961553aa129346d411bbcf1fd3595c75fedaaa8dd5d64f5be984a9cdf25c7564a7c7b0f3d9d169498027cbb385

    • SSDEEP

      98304:3y8sus1dhVMv8tDXvT19ncjZj3djEeZeOdfmZ/vl1:3yTJD7ncjZzBZeOYFl1

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check: stealers of this kind commonly exit without running when the configured locale is on an exclusion list.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is a common step in process injection (for example process hollowing), where a thread's instruction pointer is redirected to attacker-controlled code.
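The behavioural signatures above are essentially pattern matches over registry and file access. The following is an added example, not code from the report or from tria.ge, that reproduces that logic over a Procmon-style trace so the page's signatures can be re-checked offline. It keys on the Uninstall key the page names and on the Geo\Nation registry value for the location check (an assumption about the exact location, since the report does not spell it out); the browser, wallet and 2FA paths are an illustrative subset. One detail the report's bullet list hides is shown explicitly: a single Uninstall-key read is normal for installers, so that signature only fires once a process has touched several distinct entries. The trace lines are constructed for the demo.

```python
import csv
import re
from collections import defaultdict

# One entry per report signature: (name, operation regex, path regex,
# minimum number of distinct matching paths before the signature fires).
SIGNATURES = [
    ("Checks computer location settings",
     r"^Reg(Query|Get)Value$",
     r"\\Control Panel\\International\\Geo\\Nation$", 1),
    ("Checks installed software on the system",
     r"^Reg(EnumKey|OpenKey|QueryValue)$",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\[^\\]+", 5),
    ("Reads user/profile data of web browsers",
     r"^(CreateFile|ReadFile)$",
     r"\\AppData\\Local\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)"
     r"\\User Data\\.*\\(Login Data|Cookies|Web Data)$", 1),
    ("Accesses cryptocurrency files/wallets",
     r"^(CreateFile|ReadFile)$",
     r"(\\wallet\.dat$|\\AppData\\Roaming\\(Exodus|Electrum|Ethereum)\\)", 1),
    ("Accesses 2FA software files",
     r"^(CreateFile|ReadFile)$",
     r"\\AppData\\Roaming\\Authy Desktop\\", 1),
]

# Constructed Procmon-style trace: "Process Name,PID,Operation,Path".
# Invented for this example, not the sandbox's own event log.
SAMPLE_EVENTS = r"""AnyDesk.exe,4120,RegQueryValue,HKCU\Control Panel\International\Geo\Nation
AnyDesk.exe,4120,RegEnumKey,HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
AnyDesk.exe,4120,RegEnumKey,HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
AnyDesk.exe,4120,RegEnumKey,HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++
AnyDesk.exe,4120,RegEnumKey,HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\KB5005565
AnyDesk.exe,4120,RegEnumKey,HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-1033-1033-7760-BC15014EA700}
AnyDesk.exe,4120,CreateFile,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
AnyDesk.exe,4120,CreateFile,C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet
AnyDesk.exe,4120,CreateFile,C:\Users\alice\AppData\Roaming\Authy Desktop\Local Storage\leveldb\000003.log
setup.exe,5300,RegQueryValue,HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-1033-1033-7760-BC15014EA700}\DisplayName
"""


def parse_events(text):
    """Yield (process, operation, path) from the CSV trace."""
    for row in csv.reader(text.splitlines()):
        if len(row) >= 4:
            yield row[0], row[2], ",".join(row[3:])


def classify(events):
    """Per process, the signatures whose distinct-path threshold was met,
    mapped to the sorted paths that triggered them."""
    compiled = [(name, re.compile(op), re.compile(path, re.IGNORECASE), k)
                for name, op, path, k in SIGNATURES]
    seen = defaultdict(lambda: defaultdict(set))
    for proc, op, path in events:
        for name, op_re, path_re, _ in compiled:
            if op_re.match(op) and path_re.search(path):
                seen[proc][name].add(path)
    report = {}
    for proc, per_sig in seen.items():
        fired = {}
        for name, _, _, k in compiled:
            paths = per_sig.get(name)
            if paths and len(paths) >= k:
                fired[name] = sorted(paths)
        if fired:
            report[proc] = fired
    return report


if __name__ == "__main__":
    for proc, sigs in classify(parse_events(SAMPLE_EVENTS)).items():
        print(proc)
        for name, paths in sigs.items():
            print(f"  {name} ({len(paths)} path(s))")
```

This works over a Procmon capture or a sandbox trace. It does not translate directly to production Sysmon telemetry, which records registry key creation and value writes but not reads, so the Geo\Nation lookup and the Uninstall enumeration are invisible there; the file-access signatures need a file-read audit source (or an EDR) for the same reason.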
