Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Setup.zip

  • Size

    11.7MB

  • Sample

    230504-hjmwqsad75

  • MD5

    fc132bc11e3b04630ccf796597d0afbb

  • SHA1

    5afead39f8807ca8817487c76405362c75ad133e

  • SHA256

    f387a8332e1765f0cd71cb73aad027dea840436e6879cdbd103ee19cc04a1b81

  • SHA512

    575cf4b11fe904a4c45af276400f1b853d444b9df91ee88afb135c6ae81b1a291c029cb8af871285ef9df559ce4ada24612f93f5c5fb065abaddfc4262215e11

  • SSDEEP

    49152:Z0zuzLyZTDGcUiIOy0LzH44VhGUnNvYWgiTgPYC8Fpy9LpjPQgDg3:ZWuzOGRV4LnNvYC0PYCTjPQgy

Malware Config

Extracted

Family

vidar

Version

3.7

Botnet

41259ba39e7d2a1b343e34c89786c56f

C2

https://steamcommunity.com/profiles/76561199501059503

https://t.me/mastersbots

Attributes
  • profile_id_v2

    41259ba39e7d2a1b343e34c89786c56f

  • user_agent

    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0

Extracted

Family

laplas

C2

http://185.209.161.89

Attributes
  • api_key

    6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Targets

    • Target

      Setup.exe

    • Size

      1024.0MB

    • MD5

      5e379c09784c0b093d430f5438ea881d

    • SHA1

      b73aecf39e5909bc972ca3eabc147c30dbde4caf

    • SHA256

      bfe4a7fd2312bac3c06a31985a1884be39af15aa310c5396bbb4d51a23324499

    • SHA512

      ac28d28e5ec9a5a5b0ff5621fa4213bf4c54ab3937d2efc0abf1ffd71f18ae7ef31b0e15e75168d3f7ba4e3f9aaae2bc868996b5c83e11efe42427a0a648be60

    • SSDEEP

      98304:h77a3TZRRiRRRwRRRRRRR6RURRFRRRRdRRRRRRJRRRRRRRRRRRRRRER7RRRRRRRS:h77BmnfzuL21F5oQegx+U

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Uses the VBS compiler for execution

    • Accesses 2FA software files, possible credential harvesting

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks