General

  • Target

    file.exe

  • Size

    336KB

  • Sample

    221228-wdevtsba76

  • MD5

    6dc8116e251405d1a7f69f0c732adec6

  • SHA1

    da0a9831cd4674b70441d259984e67333e786a1c

  • SHA256

    ea12ac3067417f9ecc1f666318e1f063e8ddc74ef6fb83162ba68c1d6819df21

  • SHA512

    8f06175910feb1d9b9a8a091aa554bbef8b7edf203b7eadc841c4b22318eca2b821421b3110b658bf5438dee83e6d829e463b3381327ec66c8a4b31e23e368f3

  • SSDEEP

    6144:HLjUsW95K5nGbMjsqs/pCk9ybVqzE3JgxRmi3tm:HcsW956nQMjsykUbgzEZuki3tm

Malware Config

Extracted

Family

vidar

Version

1.7

Botnet

24

C2

https://t.me/robloxblackl

https://steamcommunity.com/profiles/76561199458928097

Both URLs are dead-drop resolvers rather than the final C2 host: Vidar reads the address of its real C2 server from the public Telegram channel or Steam profile page, so the connection that matters for blocking is the follow-on one to that extracted address, and these profiles can be updated by the operator at any time.

Attributes
  • profile_id

    24

Targets

    • Target

      file.exe

    • Size

      336KB

    • MD5

      6dc8116e251405d1a7f69f0c732adec6

    • SHA1

      da0a9831cd4674b70441d259984e67333e786a1c

    • SHA256

      ea12ac3067417f9ecc1f666318e1f063e8ddc74ef6fb83162ba68c1d6819df21

    • SHA512

      8f06175910feb1d9b9a8a091aa554bbef8b7edf203b7eadc841c4b22318eca2b821421b3110b658bf5438dee83e6d829e463b3381327ec66c8a4b31e23e368f3

    • SSDEEP

      6144:HLjUsW95K5nGbMjsqs/pCk9ybVqzE3JgxRmi3tm:HcsW956nQMjsykUbgzEZuki3tm

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check (deciding whether to run based on the victim's configured locale).

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      Rewriting a thread's context (typically the entry point of a freshly created, suspended process) is characteristic of process hollowing and similar code-injection techniques.
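The signatures above map onto a small set of observable API behaviours: registry reads of the locale and Uninstall keys, file access to browser, wallet and 2FA data, and the CreateProcess(CREATE_SUSPENDED) → WriteProcessMemory → SetThreadContext → ResumeThread sequence used for hollowing. The following added example is not part of the tria.ge report and is not Vidar's or Hatching's code; it runs equivalent detection rules over a constructed, tab-separated API-call trace. The trace format, PIDs, paths and the exact rule patterns are assumptions made for the example, not output from this sample.

```python
import re
from collections import defaultdict

# Constructed sample trace for this example (not taken from the sandbox run).
# Format per line: pid \t api \t arg1 [\t arg2]
# PID 100 plays the dropped stealer; PID 200 its hollowed child; PID 300 a benign process.
SAMPLE_TRACE = """\
100\tRegQueryValueExW\tHKCU\\Control Panel\\International\\Geo\\Nation
100\tRegEnumKeyExW\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
100\tRegEnumKeyExW\tHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall
100\tCreateFileW\tC:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
100\tCreateFileW\tC:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ab12.default\\logins.json
100\tCreateFileW\tC:\\Users\\u\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco
100\tCreateFileW\tC:\\Users\\u\\AppData\\Roaming\\Authy Desktop\\Local Storage\\leveldb\\000003.log
100\tCreateProcessW\tC:\\Windows\\System32\\svchost.exe\tCREATE_SUSPENDED
100\tWriteProcessMemory\t200
100\tSetThreadContext\t200
100\tResumeThread\t200
300\tCreateProcessW\tC:\\Windows\\System32\\notepad.exe\t0
300\tSetThreadContext\t300
"""

# Registry paths that correspond to the "location settings" and "installed software" signatures.
REGISTRY_RULES = {
    "checks_computer_location": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    "checks_installed_software": re.compile(r"\\CurrentVersion\\Uninstall", re.I),
}

# File names/directories typical of browser credential stores, wallets and desktop 2FA apps
# (an illustrative subset, not a complete list).
FILE_RULES = {
    "reads_browser_profile_data": re.compile(r"(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.I),
    "accesses_crypto_wallets": re.compile(r"\\(Exodus|Electrum|Ethereum|Atomic)\\", re.I),
    "accesses_2fa_software": re.compile(r"\\Authy Desktop\\", re.I),
}


def parse_trace(text):
    """Parse the tab-separated trace into (line_no, pid, api, args) tuples."""
    events = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        events.append((line_no, int(parts[0]), parts[1], parts[2:]))
    return events


def detect(events):
    """Return a sorted list of (rule_name, pid, trace_line) findings."""
    findings = set()
    created_suspended = set()        # caller pids that spawned a suspended child
    wrote_memory = defaultdict(set)  # caller pid -> target pids it wrote into
    for line_no, pid, api, args in events:
        arg = args[0] if args else ""
        if api.startswith("Reg"):
            for rule, pattern in REGISTRY_RULES.items():
                if pattern.search(arg):
                    findings.add((rule, pid, line_no))
        elif api == "CreateFileW":
            for rule, pattern in FILE_RULES.items():
                if pattern.search(arg):
                    findings.add((rule, pid, line_no))
        elif api == "CreateProcessW" and "CREATE_SUSPENDED" in args[1:]:
            created_suspended.add(pid)
        elif api == "WriteProcessMemory":
            wrote_memory[pid].add(int(arg))
        elif api == "SetThreadContext":
            target = int(arg)
            # Changing a thread's context in the caller's own process is common and benign;
            # doing it to another process is what the sandbox signature flags.
            if target != pid:
                findings.add(("suspicious_setthreadcontext", pid, line_no))
                # Full hollowing pattern: suspended child + memory write + context rewrite.
                if pid in created_suspended and target in wrote_memory[pid]:
                    findings.add(("process_hollowing_pattern", pid, line_no))
    return sorted(findings)


def rules_by_pid(findings):
    """Collapse findings into {pid: sorted list of distinct rule names}."""
    grouped = defaultdict(set)
    for rule, pid, _ in findings:
        grouped[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in grouped.items()}


if __name__ == "__main__":
    for rule, pid, line_no in detect(parse_trace(SAMPLE_TRACE)):
        print(f"line {line_no:2d}  pid {pid}  {rule}")
```

The hollowing rule is deliberately stateful: a lone SetThreadContext on a foreign process is only "suspicious", while the same call preceded by a CREATE_SUSPENDED spawn and a WriteProcessMemory into that target is reported as the full pattern. Real API traces carry the child PID or handle returned by CreateProcess; the example treats the target PID as given in the WriteProcessMemory and SetThreadContext arguments.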

MITRE ATT&CK Enterprise v6

Tasks