Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/03/2024, 15:24 UTC

General

  • Target

    22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe

  • Size

    2.6MB

  • MD5

    8a24042598b0c07c593a6f728379ed12

  • SHA1

    cfc334ef264e339084f5f9a425a1d8e3c7af98a8

  • SHA256

    22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de

  • SHA512

    61cd3180261e538879e2c8eed8012107ad357e52fdd453c0038701228ce6b7e770a90ca1c941d3e1e05720eed881ebdeeae5d50e7ef48492aa265e0b60ef2484

  • SSDEEP

    49152:VTCVHed6FUSPFMiy7J7Sy2/tTuUhnKLvO+MpfCGl9xh6Z:UUdCNPuhl7y/tlnKa+wfCGrw

Malware Config

Extracted

  • Family
    vidar
  • Version
    8
  • Botnet
    a2fafb95617b0c4575ae879e558a67a9
  • C2
    https://t.me/neoschats
    https://steamcommunity.com/profiles/76561199644883218
  • Attributes
    • profile_id_v2
      a2fafb95617b0c4575ae879e558a67a9
    • user_agent
      Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78

Signatures

  • Detect Vidar Stealer (1 IoC)
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Program crash (1 IoC)
  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe
    "C:\Users\Admin\AppData\Local\Temp\22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe"
    PID:1440
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1404
      PID:1976
      • Program crash

Network

  • DNS (US)
    t.me
    22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • DNS (US)
    steamcommunity.com
    22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    23.214.154.77
  • GET (GB)
    https://steamcommunity.com/profiles/76561199644883218
    22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe
    Remote address:
    23.214.154.77:443
    Request
    GET /profiles/76561199644883218 HTTP/1.1
    Host: steamcommunity.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Tue, 05 Mar 2024 15:24:27 GMT
    Content-Length: 33860
    Connection: keep-alive
    Set-Cookie: sessionid=7c43578570177ef9f76e3b21; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C40c16361ca649cf81f15d6fdb49b4f01; Path=/; Secure; HttpOnly; SameSite=None
  • GET (FI)
    https://65.109.11.145/
    22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe
    Remote address:
    65.109.11.145:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78
    Host: 65.109.11.145
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 05 Mar 2024 15:24:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • POST (FI)
    https://65.109.11.145/
    22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe
    Remote address:
    65.109.11.145:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----FBFCGIDAKECGCBGDBAFI
    User-Agent: Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78
    Host: 65.109.11.145
    Content-Length: 279
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 05 Mar 2024 15:24:32 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • POST (FI)
    https://65.109.11.145/
    22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe
    Remote address:
    65.109.11.145:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CBAKJEHDBGHIEBGCGDGH
    User-Agent: Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78
    Host: 65.109.11.145
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 05 Mar 2024 15:24:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • POST (FI)
    https://65.109.11.145/
    22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe
    Remote address:
    65.109.11.145:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AFCFHDHIIIECBGCAKFIJ
    User-Agent: Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78
    Host: 65.109.11.145
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 05 Mar 2024 15:24:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  Traffic summary. Process for every row: 22856a6c833d238fca56eabc3398b1118a2893f0995448ca69c19a40d07f50de.exe

  Address             Domain / URL                                           Protocol   Bytes sent  Bytes recv  Pkts sent  Pkts recv  Request -> Response
  149.154.167.99:443  t.me                                                   tls        385 B       219 B       5          5          -
  149.154.167.99:443  t.me                                                   tls        347 B       219 B       5          5          -
  149.154.167.99:443  t.me                                                   tls        288 B       219 B       5          5          -
  149.154.167.99:443  t.me                                                   -          190 B       92 B        4          2          -
  23.214.154.77:443   https://steamcommunity.com/profiles/76561199644883218  tls, http  1.8kB       42.6kB      25         37         GET https://steamcommunity.com/profiles/76561199644883218 -> 200
  65.109.11.145:443   https://65.109.11.145/                                 tls, http  1.6kB       2.2kB       12         9          GET https://65.109.11.145/ -> 200
  65.109.11.145:443   https://65.109.11.145/                                 tls, http  1.4kB       967 B       9          8          POST https://65.109.11.145/ -> 200
  65.109.11.145:443   https://65.109.11.145/                                 tls, http  2.1kB       1.1kB       9          9          POST https://65.109.11.145/ -> 200
  65.109.11.145:443   https://65.109.11.145/                                 tls, http  1.4kB       819 B       8          8          POST https://65.109.11.145/ -> 200
  8.8.8.8:53          t.me                                                   dns        50 B        66 B        1          1          DNS t.me -> 149.154.167.99
  8.8.8.8:53          steamcommunity.com                                     dns        64 B        80 B        1          1          DNS steamcommunity.com -> 23.214.154.77
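
The extracted config lists only t.me and a Steam profile as C2, while the traffic shows the sample fetch that Steam profile at 15:24:27 and, four seconds later, start GET/POST traffic to 65.109.11.145 with a mobile Android User-Agent. The public pages are dead drops for the real C2; on their own the profile fetch and the t.me TLS sessions look like ordinary browsing. The following is an added example, not tria.ge's code or anything shipped with the report, of turning that chain into a detection run over the requests recorded above. Assumptions: the event layout (timestamp plus raw request head) is this example's own, timestamps are taken from the matching response Date headers, and the 60-second window, the two-of-three score threshold and the A-K boundary regex (derived from the three boundaries on this page) are heuristics chosen here, not published signatures.

```python
"""Added example (not tria.ge's code): flag the dead-drop-resolver chain visible
in this report's Network section.

Pattern: the sample GETs a public profile page (steamcommunity.com / t.me), then
within a short window POSTs multipart/form-data to a bare IP address with a
User-Agent that does not match the Windows 7 sandbox.  Request heads below are
reconstructed from the report; timestamps come from the response Date headers.
The window, score threshold and boundary regex are this example's own heuristics.
"""
import re
from datetime import datetime, timedelta

# Public pages used as dead drops for the real C2 address (the report's C2 list).
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}
# Heuristic derived from the three boundaries in this report: 20 upper-case
# letters, all in A-K.  Supporting evidence only, not a definitive signature.
BOUNDARY_AK = re.compile(r"^----[A-K]{20}$")
BARE_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?$")
MOBILE_UA = re.compile(r"\b(?:Android|iPhone|iPad|Mobile Safari)\b")


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def multipart_boundary(headers):
    """Return the multipart boundary from Content-Type, or None if not multipart."""
    m = re.search(r"multipart/form-data;.*boundary=([^;\s]+)", headers.get("content-type", ""))
    return m.group(1) if m else None


def ua_mismatches_host(headers, host_os="windows"):
    """A mobile User-Agent sent from a desktop Windows sandbox is a config artefact, not a browser."""
    return host_os == "windows" and bool(MOBILE_UA.search(headers.get("user-agent", "")))


def find_dead_drop_chain(events, window=timedelta(seconds=60), host_os="windows"):
    """events: iterable of (datetime, raw request head).  Returns findings in time order.

    A POST to a bare IP is reported when at least two of three signals agree: it
    follows a dead-drop fetch within `window`, its boundary matches BOUNDARY_AK,
    and its User-Agent does not fit the host OS."""
    findings = []
    last_drop_ts = None
    for ts, raw in sorted(events, key=lambda e: e[0]):
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        if req["method"] == "GET" and host in DEAD_DROP_HOSTS:
            last_drop_ts = ts
            findings.append(("dead_drop_fetch", ts, host + req["target"]))
            continue
        if req["method"] != "POST" or not BARE_IPV4.match(host):
            continue
        boundary = multipart_boundary(req["headers"])
        if boundary is None:
            continue
        signals = (
            last_drop_ts is not None and ts - last_drop_ts <= window,
            bool(BOUNDARY_AK.match(boundary)),
            ua_mismatches_host(req["headers"], host_os),
        )
        if sum(signals) >= 2:
            findings.append(("exfil_post", ts, host, boundary, sum(signals)))
    return findings


UA = ("Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78")


def _at(hms):
    return datetime.strptime("2024-03-05 " + hms, "%Y-%m-%d %H:%M:%S")


def _post(boundary, length):
    return ("POST / HTTP/1.1\r\n"
            "Content-Type: multipart/form-data; boundary=" + boundary + "\r\n"
            "User-Agent: " + UA + "\r\nHost: 65.109.11.145\r\n"
            "Content-Length: " + str(length) + "\r\n"
            "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")


# Reconstructed from the report's Network section (timestamps = response Date headers).
REPORT_EVENTS = [
    (_at("15:24:27"), "GET /profiles/76561199644883218 HTTP/1.1\r\nHost: steamcommunity.com\r\n"
                      "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"),
    (_at("15:24:31"), "GET / HTTP/1.1\r\nUser-Agent: " + UA + "\r\nHost: 65.109.11.145\r\n"
                      "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"),
    (_at("15:24:32"), _post("----FBFCGIDAKECGCBGDBAFI", 279)),
    (_at("15:24:33"), _post("----CBAKJEHDBGHIEBGCGDGH", 299)),
    (_at("15:24:34"), _post("----AFCFHDHIIIECBGCAKFIJ", 299)),
]


def report_findings():
    return find_dead_drop_chain(REPORT_EVENTS)


if __name__ == "__main__":
    for finding in report_findings():
        print(*finding)
```

Run as-is it reports the Steam profile fetch followed by the three POSTs to 65.109.11.145, each with all three signals set. The t.me sessions are TLS-only in this report, so they never reach the HTTP parser; on a network sensor they would only be visible as SNI, which is why the Steam GET carries the chain here. Treat the boundary regex as the weakest of the three signals: it is derived from three samples on one page.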

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    d7b77b8c15e3a2d33092916dfbe88daf

    SHA1

    9c7faaccdb9d5949854a96a06e3947e1dbcaa0d3

    SHA256

    7d103b55faf29b936c8328c774771bf5b864f3c80fd171aa14e6526bd49f7c2d

    SHA512

    a2692234fee4c9730c6b38b4cdc5520b400b8144e44951ff3bf4d67127ede2ef4072cab9610a820602a4c7a6fa5a6acec6966dec95dc24a425a316020447cffa

  • C:\Users\Admin\AppData\Local\Temp\TarB17B.tmp

    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

  • memory/1440-0-0x00000000013A0000-0x0000000001A0F000-memory.dmp

    Filesize

    6.4MB
