General

  • Target

    bank_statement.scr.exe

  • Size

    37.0MB

  • Sample

    230606-vmd48afc6x

  • MD5

    61e6735126b6504424d090ac796f8a49

  • SHA1

    7e8838d573b193beedfa12ff74e1e4933944587a

  • SHA256

    c8e45719240f875784086abcc66cdbf68a102c1d3d5edabb0c7da44516621e51

  • SHA512

    b24367cca3405aed1f55517242b4680d94cc149ba8bc112af5eb37ba2c86e873a11b7ee117138a0ffc1597e6e175d2d1f9db0c79188cb9cbc5d2cfb5edf3ed9c

  • SSDEEP

    393216:NS3GX6iThaMcP5L56QHbe/klf3FWpis6n93CnVspY9rw20amy/dtzEvQ4iD6t+t2:a3iTkFVBn9Tpkw3dUzMri2ty7I9

Malware Config

Extracted

Family

vidar

Version

4.2

Botnet

655d9e590e95375f4ab0b3055662ab2e

C2

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

  • profile_id_v2

    655d9e590e95375f4ab0b3055662ab2e

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Targets

    • Target

      bank_statement.scr.exe

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks