Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    134s
  • max time network
    222s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 13:24

General

  • Target

    5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe

  • Size

    224KB

  • MD5

    769c8ad3f187882a49cda5d26103730c

  • SHA1

    dae972d44336ffbb28509eabe946e83972166502

  • SHA256

    5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e

  • SHA512

    08a5f80741ea4b0325efe15ad69feb44f4ea1a8ace70f072109f4ec19ad4bc56185aa5f3f734b03906ad3691f9cae43aea3a4ba88e507f97a753e11ca913669c

  • SSDEEP

    3072:Q52Gig7F8wUC1mK2iKkb8YxhX7EQXdeBvR/P4ieqSgvBEn/zcAGqxp6qUDbKSB/:sdF8l9sKqHbYQU/BSg5En/zqq/6qU/

Malware Config

Extracted

Family

vidar

Version

8.5

Botnet

e1d2225c9e4727fe2818a17924d7e065

C2

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes
  • profile_id_v2

    e1d2225c9e4727fe2818a17924d7e065

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

  • Detect Vidar Stealer 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe
    "C:\Users\Admin\AppData\Local\Temp\5230c370cbdb95a2f4a30e70b7ac6a857af81c9498ef473704778fe86e6dbe1e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:1584
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 2212
          3⤵
          • Program crash
          PID:4640
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1584 -ip 1584
      1⤵
        PID:2884

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1584-4-0x0000000000400000-0x0000000000644000-memory.dmp

        Filesize

        2.3MB

      • memory/1584-7-0x0000000000400000-0x0000000000644000-memory.dmp

        Filesize

        2.3MB

      • memory/1584-11-0x0000000000400000-0x0000000000644000-memory.dmp

        Filesize

        2.3MB

      • memory/4760-1-0x0000000074960000-0x0000000075110000-memory.dmp

        Filesize

        7.7MB

      • memory/4760-0-0x00000000003F0000-0x000000000042E000-memory.dmp

        Filesize

        248KB

      • memory/4760-10-0x0000000074960000-0x0000000075110000-memory.dmp

        Filesize

        7.7MB

      • memory/4760-12-0x00000000027D0000-0x00000000047D0000-memory.dmp

        Filesize

        32.0MB

      • memory/4760-16-0x00000000027D0000-0x00000000047D0000-memory.dmp

        Filesize

        32.0MB