Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Installer_...45.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/01/2024, 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installer_pswd_12345.rar

  • Size

    23.9MB

  • MD5

    e8f8dfddd6c02017cc81f9d63c8f7ec3

  • SHA1

    bc536f36dbcc2c26b2cc8d00d5ed4a9620136c39

  • SHA256

    7e98e12c73ba2b3cc31c1d6b3b507e434b5a52fd85c9bcf190c684bd706e281a

  • SHA512

    8ae8fa85823744a19e9dcf7c7326abca219e25c95d009e1ae2cb0135f6568c05aa21baf16dad3771cd4d124771f498e2d351d9ba6d168f3b089d809f75ce146d

  • SSDEEP

    393216:w8HVqwk8k0hhbYjMd6Nm2uWpFmKwKpB6pHpuQv7erFJksa93F7nQJ6TdcLjIPN3i:bVc8k0UjxNm0CkBuJuQaJVulcoPhi5MA

Score
10/10
vidar8fc1cae2d848b9f26e1bb4d2655aff86stealer

Malware Config

Extracted

Family

vidar

Version

7.6

Botnet

8fc1cae2d848b9f26e1bb4d2655aff86

C2

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110
Attributes
  • profile_id_v2

    8fc1cae2d848b9f26e1bb4d2655aff86

Signatures

  • Detect Vidar Stealer 6 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Installer_pswd_12345.rar
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Installer_pswd_12345.rar"
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Users\Admin\AppData\Local\Temp\7zO8BBC2977\Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO8BBC2977\Installer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
          4⤵
            PID:2220
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 2212
              5⤵
              • Program crash
              PID:4296
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2220 -ip 2220
      1⤵
        PID:2640
      • C:\Users\Admin\Desktop\Installer.exe
        "C:\Users\Admin\Desktop\Installer.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4624
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
          2⤵
            PID:2356
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 2044
              3⤵
              • Program crash
              PID:716
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 976
            2⤵
            • Program crash
            PID:3332
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4624 -ip 4624
          1⤵
            PID:3636
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
              PID:4028
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2356 -ip 2356
              1⤵
                PID:3796

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Installer.exe.log
                Filesize

                522B

                MD5

                8334a471a4b492ece225b471b8ad2fc8

                SHA1

                1cb24640f32d23e8f7800bd0511b7b9c3011d992

                SHA256

                5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

                SHA512

                56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\7zO8BBC2977\Installer.exe
                Filesize

                4.1MB

                MD5

                592979cd96d6fd6e8eb5c1052e17da40

                SHA1

                f8595fe8c43f53fcef96c7d0c7052acd6911c8c6

                SHA256

                4d78e8f9f29a96570957acee0c5504ec9c67b97a04892b72ebb31830155b8a81

                SHA512

                8afcdb9b9ccb6ab7472fc8c900234c575e79a00dfdc22ac499badc7e6b415021ba5e95999ad2c3171fa301cfd27d861ad0a2663d9287d0f1be7ed1db6fb2127f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
                Filesize

                742KB

                MD5

                544cd51a596619b78e9b54b70088307d

                SHA1

                4769ddd2dbc1dc44b758964ed0bd231b85880b65

                SHA256

                dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

                SHA512

                f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

                Download Submit

              • memory/2220-568-0x0000000000400000-0x0000000000643000-memory.dmp

                Filesize

                2.3MB

                Download

              • memory/2220-565-0x0000000000400000-0x0000000000643000-memory.dmp

                Filesize

                2.3MB

                Download

              • memory/2220-563-0x0000000000400000-0x0000000000643000-memory.dmp

                Filesize

                2.3MB

                Download

              • memory/2220-559-0x0000000000400000-0x0000000000643000-memory.dmp

                Filesize

                2.3MB

                Download

              • memory/2356-590-0x0000000000400000-0x0000000000643000-memory.dmp

                Filesize

                2.3MB

                Download

              • memory/4040-26-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4040-23-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4040-24-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4040-22-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4040-25-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4040-27-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4040-15-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4040-16-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4040-17-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4040-21-0x000001A19FFA0000-0x000001A19FFA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4588-552-0x0000000005220000-0x0000000005230000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4588-12-0x0000000074E60000-0x0000000075610000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4588-550-0x0000000005220000-0x0000000005230000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4588-553-0x00000000051D0000-0x00000000051E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4588-554-0x0000000005220000-0x0000000005230000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4588-556-0x0000000005220000-0x0000000005230000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4588-555-0x0000000005220000-0x0000000005230000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4588-557-0x0000000005740000-0x0000000005840000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4588-558-0x0000000005740000-0x0000000005840000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4588-544-0x0000000005330000-0x00000000054C2000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/4588-560-0x0000000005740000-0x0000000005840000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4588-543-0x0000000005220000-0x0000000005230000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4588-564-0x0000000074E60000-0x0000000075610000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4588-28-0x0000000074E60000-0x0000000075610000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4588-14-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

                Filesize

                624KB

                Download

              • memory/4588-551-0x0000000005220000-0x0000000005230000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4588-13-0x0000000000010000-0x0000000000420000-memory.dmp

                Filesize

                4.1MB

                Download

              • memory/4624-574-0x0000000074E60000-0x0000000075610000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4624-575-0x00000000057D0000-0x00000000057E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4624-578-0x00000000057D0000-0x00000000057E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4624-580-0x00000000057D0000-0x00000000057E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4624-579-0x00000000057D0000-0x00000000057E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4624-582-0x00000000057D0000-0x00000000057E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4624-583-0x00000000057D0000-0x00000000057E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4624-586-0x0000000005B60000-0x0000000005C60000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4624-587-0x0000000005B60000-0x0000000005C60000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4624-588-0x0000000005B60000-0x0000000005C60000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4624-589-0x0000000074E60000-0x0000000075610000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4624-572-0x0000000074E60000-0x0000000075610000-memory.dmp

                Filesize

                7.7MB

                Download