Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
507s -
max time network
510s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
29/05/2023, 15:00
General
-
Target
Loader.rar
-
Size
1.9MB
-
MD5
62a2e8de31c7835c4273eb2c60fe4924
-
SHA1
22e2f5a99974f9e5b1566245f5f712d2bcef396e
-
SHA256
52f72f2ef4dd5e569025da115c891438565efa9aaa400f31e3a61313a9ce4243
-
SHA512
52b84f8c0fdf9d31bb0b371333ff8b4a67faf76e8e42a57c512b6a8951260ab076374ffea7922b92fac0d2bd4bae95ffd1151a0ee1e7310c95ddf086ed31416c
-
SSDEEP
49152:7D/0DZee/Yor/5YJ2g4NzW1KPD+S0foazh/LfGGVrkNwJJy:7D0H/YoL5YJ2g4NzWMSSaxGGVgNwJJy
Malware Config
Extracted
vidar
4
24108ab9b5f23bbf924b5eff629e21b6
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
-
profile_id_v2
24108ab9b5f23bbf924b5eff629e21b6
-
user_agent
Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 32 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Loader.rar1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Loader.rar"2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\New folder\Loader.exe"C:\Users\Admin\Desktop\New folder\Loader.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\67729879851904611441.exe"C:\ProgramData\67729879851904611441.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\67729879851904611441.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.3MB
MD5b7017fd037df00947c023a81758fd409
SHA1f9ee70122cd9240b98ea43456715a222742bd538
SHA2562366aab6e5f60ee5f87247c1bfe5515507cb66415df3e91b6c0649d9db075138
SHA512cc6c239ca13addb5399fd859d010384017bbc28cb8806d9400f31eda7aa280c65a241f8df2188fceca8d7972247c1051b08e0b0f121709700cd4339ac3be9da2
-
Filesize
4.3MB
MD5b7017fd037df00947c023a81758fd409
SHA1f9ee70122cd9240b98ea43456715a222742bd538
SHA2562366aab6e5f60ee5f87247c1bfe5515507cb66415df3e91b6c0649d9db075138
SHA512cc6c239ca13addb5399fd859d010384017bbc28cb8806d9400f31eda7aa280c65a241f8df2188fceca8d7972247c1051b08e0b0f121709700cd4339ac3be9da2
-
Filesize
4.3MB
MD5b7017fd037df00947c023a81758fd409
SHA1f9ee70122cd9240b98ea43456715a222742bd538
SHA2562366aab6e5f60ee5f87247c1bfe5515507cb66415df3e91b6c0649d9db075138
SHA512cc6c239ca13addb5399fd859d010384017bbc28cb8806d9400f31eda7aa280c65a241f8df2188fceca8d7972247c1051b08e0b0f121709700cd4339ac3be9da2
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
28KB
MD5da47faa07294d1802b68fc055d6bd3a8
SHA180646e5c80a233d19c2203e499d4a58ac5508e98
SHA256adc502e8f258d7f78057b1905ba21a1f496f0d677f54ee92ae538b2f2f9a27f3
SHA51205d20a394d6b01d5d26cc8193253469503e53a058717399266fcc72a6dd57f2bbd7fd7aea3fc4517a8370f47cf81ba434b1f7816743deb9ef532e7c337861347
-
Filesize
28KB
MD5da47faa07294d1802b68fc055d6bd3a8
SHA180646e5c80a233d19c2203e499d4a58ac5508e98
SHA256adc502e8f258d7f78057b1905ba21a1f496f0d677f54ee92ae538b2f2f9a27f3
SHA51205d20a394d6b01d5d26cc8193253469503e53a058717399266fcc72a6dd57f2bbd7fd7aea3fc4517a8370f47cf81ba434b1f7816743deb9ef532e7c337861347
-
Filesize
761.7MB
MD5fffcd1704ec7243fc85ac25eeb6a18e4
SHA12e1052027e1ec83f230c031a1ff2ed75d8502e0f
SHA25611cf8d7c2e5bd1e71690e3d9b59a9a7db1343d5c4173df652ec8ba882d82af76
SHA512c129de27300811644d9819776f02199abf4c459741c1050b4464dddffab564a60d5b24585e33450a29ddb40b9d26da1532d504c9231975dd9d45c12c72314a0b
-
Filesize
761.7MB
MD5fffcd1704ec7243fc85ac25eeb6a18e4
SHA12e1052027e1ec83f230c031a1ff2ed75d8502e0f
SHA25611cf8d7c2e5bd1e71690e3d9b59a9a7db1343d5c4173df652ec8ba882d82af76
SHA512c129de27300811644d9819776f02199abf4c459741c1050b4464dddffab564a60d5b24585e33450a29ddb40b9d26da1532d504c9231975dd9d45c12c72314a0b
-
Filesize
220B
MD50899257a400d8dcb5b9df33ed7554875
SHA19117ce47fc86a867ef07d4ec18ea1ff8839df406
SHA256316bb7c0c9ffe478267d5b60d1456e6677a6bf2fd60b38f20c6203a9b2c56e9e
SHA512e6dfce9b4859eaf7fb36bc3b1ebf01d12c8ed90b1a53954bb593aef02db3a10fd7b6a282dd12f18053c0afe61c20c9b9b269d50ff05ae3a5ccb54aed1bd13eb2
-
Filesize
972KB
-
Filesize
436KB
-
Filesize
436KB
-
Filesize
436KB
-
Filesize
436KB
-
Filesize
14.4MB
-
Filesize
14.4MB