General

  • Target

    Loader.rar

  • Size

    1.9MB

  • Sample

    230529-sdaz4acc98

  • MD5

    62a2e8de31c7835c4273eb2c60fe4924

  • SHA1

    22e2f5a99974f9e5b1566245f5f712d2bcef396e

  • SHA256

    52f72f2ef4dd5e569025da115c891438565efa9aaa400f31e3a61313a9ce4243

  • SHA512

    52b84f8c0fdf9d31bb0b371333ff8b4a67faf76e8e42a57c512b6a8951260ab076374ffea7922b92fac0d2bd4bae95ffd1151a0ee1e7310c95ddf086ed31416c

  • SSDEEP

    49152:7D/0DZee/Yor/5YJ2g4NzW1KPD+S0foazh/LfGGVrkNwJJy:7D0H/YoL5YJ2g4NzWMSSaxGGVgNwJJy

Malware Config

Extracted

Family

vidar

Version

4

Botnet

24108ab9b5f23bbf924b5eff629e21b6

C2

https://steamcommunity.com/profiles/76561199508624021

https://t.me/looking_glassbot

Attributes

  • profile_id_v2

    24108ab9b5f23bbf924b5eff629e21b6

  • user_agent

    Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

Targets

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext
