Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    b95bfc4e7ce7a1d15332d4cd6c350ca800f437dbfe903c0c47cf01afb09b137c

  • Size

    1.4MB

  • Sample

    221026-n6m3xafed4

  • MD5

    c6688ae7a75cc1f8e8969205542a198c

  • SHA1

    25c8a2fdfcbb38f2b47a445a1e0bbfa730d7c038

  • SHA256

    b95bfc4e7ce7a1d15332d4cd6c350ca800f437dbfe903c0c47cf01afb09b137c

  • SHA512

    7c70f40c2fe099d414f9e70f0c3e304da601ccc39288dae13f33937ce2e8c239e1e2711bdfd57aa07aa6d39f4dd86c2355307b164c5a34d1d93d7b8b5b56dcb4

  • SSDEEP

    24576:incstcaeq+8myRyQuboSPUOqweufzdElLVNEXNqEJPaDldCVEuK/atCWM:AtSq+8myAQuboSPCwRLK+XgQCXtry/M

Malware Config

Extracted

Family

vidar

Version

55.2

Botnet

1754

C2

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes
  • profile_id

    1754

Targets

    • Target

      b95bfc4e7ce7a1d15332d4cd6c350ca800f437dbfe903c0c47cf01afb09b137c

    • Size

      1.4MB

    • MD5

      c6688ae7a75cc1f8e8969205542a198c

    • SHA1

      25c8a2fdfcbb38f2b47a445a1e0bbfa730d7c038

    • SHA256

      b95bfc4e7ce7a1d15332d4cd6c350ca800f437dbfe903c0c47cf01afb09b137c

    • SHA512

      7c70f40c2fe099d414f9e70f0c3e304da601ccc39288dae13f33937ce2e8c239e1e2711bdfd57aa07aa6d39f4dd86c2355307b164c5a34d1d93d7b8b5b56dcb4

    • SSDEEP

      24576:incstcaeq+8myRyQuboSPUOqweufzdElLVNEXNqEJPaDldCVEuK/atCWM:AtSq+8myAQuboSPCwRLK+XgQCXtry/M

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks