General

  • Target

    Reservation information (date, name and etc) (1).rar

  • Size

    75.3MB

  • Sample

    231008-w27krafb3y

  • MD5

    4cd4786a3b615b2c884865ce1db051c4

  • SHA1

    0fb49e1aa32c0bf257425724886a7760c79f763e

  • SHA256

    b6abf8a3d5e865b0968637b92642fbaaf328dad7f7e750284c95c68600e293bf

  • SHA512

    6ef00733e79816a4bfa39dd397250ab9387be64845bc2bc5a3f2c43dc659e5271b56037510331f16f646c647e6bf4eefe4509047b6a9ecbfe85cfb1013729f4f

  • SSDEEP

    1572864:y87OYjPb/eWnmtmDpqKdUbxAzOohf+g9WpoX5j4R5bsWtF4fgabM:y87OM/eeDpnSbx2Odg9CoXt4RD4fgaw

Malware Config

Extracted

  • Family

    vidar

  • Version

    5.9

  • Botnet

    3ea14c104bd4d544fa30377b4df192a6

  • C2

    https://t.me/grizmons

    https://steamcommunity.com/profiles/76561199557479327

    http://94.228.162.50:80

Attributes

  • profile_id_v2

    3ea14c104bd4d544fa30377b4df192a6

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 OPR/104.0.0.0

Targets

    • Target

      Reservation information (date, name and etc)/Reservation information (date, name and etc).exe

    • Size

      92.9MB

    • MD5

      9809cc75b12ebaa98003f8288978f3b3

    • SHA1

      94a5a71d6548ea8aab5b03f5bc8dcd2c559ed084

    • SHA256

      dd5ed75d01cbe4f1957df72a058656e7b45cb1e2e74efa6eb796fe9a7012a173

    • SHA512

      6421e8cf53d93dcd48529ba7ec34a8b7cdf24d34886bee3828f12385942619e89345b205d0201faffaad60a0dd34dd9cc243230f2c4b9f5ce75bc1cb684125cf

    • SSDEEP

      1572864:Th4QkjGuWsqebzyuGqNMnKuEqHhaPd5nC8DDkeZZZZZsOKa1pVeOKCr7ZPE:l43jRWshbzyuNMnlEqIPrzDkeZZZZZsR

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks