Analysis

  • max time kernel
    91s
  • max time network
    124s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02/06/2024, 05:05 UTC

General

  • Target

    c5f78a68c521e91493c33885370b6d568cfbbd45751f09c055716a6384c751d5.exe

  • Size

    2.4MB

  • MD5

    8cd882e27591698a955d8ca653a5b246

  • SHA1

    7c7bf45a2253024bbb089a2912988fc7ecb0913c

  • SHA256

    c5f78a68c521e91493c33885370b6d568cfbbd45751f09c055716a6384c751d5

  • SHA512

    92d2dbb4f2f0ae96c03f31fe236c2622dfeb18fe25e696454f1dad1d014a8371443a96ca36081e027567c83349f3011541b83315d91c53cab053d8f82dc61bc1

  • SSDEEP

    49152:wQc81KnB/a/hNT/d1Ya8aesY3Ot4N7G/:wDta/hNT/d1n0etD/

Malware Config

Extracted

Family

stealc

rc4.plain
1
2910114286690104117195131148

Extracted

Family

vidar

C2

https://t.me/ta904ek

https://steamcommunity.com/profiles/76561199695752269

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 8 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5f78a68c521e91493c33885370b6d568cfbbd45751f09c055716a6384c751d5.exe
    "C:\Users\Admin\AppData\Local\Temp\c5f78a68c521e91493c33885370b6d568cfbbd45751f09c055716a6384c751d5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Users\Admin\AppData\Local\Temp\kat6E4A.tmp
      C:\Users\Admin\AppData\Local\Temp\kat6E4A.tmp
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2504

Network

  • flag-us
    DNS
    t.me
    kat6E4A.tmp
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-us
    DNS
    ctldl.windowsupdate.com
    kat6E4A.tmp
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    92.123.143.240
    a767.dspw65.akamai.net
    IN A
    92.123.140.25
  • flag-us
    DNS
    ocsp.godaddy.com
    kat6E4A.tmp
    Remote address:
    8.8.8.8:53
    Request
    ocsp.godaddy.com
    IN A
    Response
    ocsp.godaddy.com
    IN CNAME
    ocsp.godaddy.com.akadns.net
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.36
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.23
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.22
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.24
    ocsp.godaddy.com.akadns.net
    IN A
    192.124.249.41
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    kat6E4A.tmp
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    kat6E4A.tmp
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-de
    GET
    https://159.69.102.132:5432/
    kat6E4A.tmp
    Remote address:
    159.69.102.132:5432
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 159.69.102.132:5432
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 02 Jun 2024 05:05:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    240.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.143.123.92.in-addr.arpa
    IN PTR
    Response
    240.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-240.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    132.102.69.159.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    132.102.69.159.in-addr.arpa
    IN PTR
    Response
    132.102.69.159.in-addr.arpa
    IN PTR
    static.132.102.69.159.clients.your-server.de
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.243.30
  • flag-us
    DNS
    36.249.124.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    36.249.124.192.in-addr.arpa
    IN PTR
    Response
    36.249.124.192.in-addr.arpa
    IN PTR
    cloudproxy10036.sucuri.net
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    bg.microsoft.map.fastly.net
    bg.microsoft.map.fastly.net
    IN A
    199.232.210.172
    bg.microsoft.map.fastly.net
    IN A
    199.232.214.172
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-de
    POST
    https://159.69.102.132:5432/
    kat6E4A.tmp
    Remote address:
    159.69.102.132:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BGCAFHCAKFBFIECAFIIJ
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 159.69.102.132:5432
    Content-Length: 279
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 02 Jun 2024 05:05:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://159.69.102.132:5432/
    kat6E4A.tmp
    Remote address:
    159.69.102.132:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EGCFIDAFBFBAKFHJEGIJ
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 159.69.102.132:5432
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 02 Jun 2024 05:05:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://159.69.102.132:5432/
    kat6E4A.tmp
    Remote address:
    159.69.102.132:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EBGIDGCAFCBKECAAKJJK
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 159.69.102.132:5432
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 02 Jun 2024 05:05:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://159.69.102.132:5432/
    kat6E4A.tmp
    Remote address:
    159.69.102.132:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AAFIIJDAAAAKFHIDAAAK
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 159.69.102.132:5432
    Content-Length: 332
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 02 Jun 2024 05:05:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://159.69.102.132:5432/
    kat6E4A.tmp
    Remote address:
    159.69.102.132:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EGCFIDAFBFBAKFHJEGIJ
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 159.69.102.132:5432
    Content-Length: 4569
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 02 Jun 2024 05:05:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    GET
    https://159.69.102.132:5432/sqls.dll
    kat6E4A.tmp
    Remote address:
    159.69.102.132:5432
    Request
    GET /sqls.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 159.69.102.132:5432
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 02 Jun 2024 05:05:25 GMT
    Content-Type: application/octet-stream
    Content-Length: 2459136
    Last-Modified: Mon, 27 May 2024 06:44:25 GMT
    Connection: keep-alive
    ETag: "66542bc9-258600"
    Accept-Ranges: bytes
  • flag-de
    POST
    https://159.69.102.132:5432/
    kat6E4A.tmp
    Remote address:
    159.69.102.132:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGD
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 159.69.102.132:5432
    Content-Length: 437
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 02 Jun 2024 05:05:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 149.154.167.99:443
    t.me
    tls
    kat6E4A.tmp
    1.6kB
    19.9kB
    25
    21
  • 159.69.102.132:5432
    https://159.69.102.132:5432/
    tls, http
    kat6E4A.tmp
    1.1kB
    2.7kB
    11
    8

    HTTP Request

    GET https://159.69.102.132:5432/

    HTTP Response

    200
  • 159.69.102.132:5432
    https://159.69.102.132:5432/
    tls, http
    kat6E4A.tmp
    1.4kB
    622 B
    9
    6

    HTTP Request

    POST https://159.69.102.132:5432/

    HTTP Response

    200
  • 159.69.102.132:5432
    https://159.69.102.132:5432/
    tls, http
    kat6E4A.tmp
    1.5kB
    2.2kB
    10
    7

    HTTP Request

    POST https://159.69.102.132:5432/

    HTTP Response

    200
  • 159.69.102.132:5432
    https://159.69.102.132:5432/
    tls, http
    kat6E4A.tmp
    1.6kB
    6.3kB
    13
    10

    HTTP Request

    POST https://159.69.102.132:5432/

    HTTP Response

    200
  • 159.69.102.132:5432
    https://159.69.102.132:5432/
    tls, http
    kat6E4A.tmp
    1.4kB
    672 B
    9
    6

    HTTP Request

    POST https://159.69.102.132:5432/

    HTTP Response

    200
  • 159.69.102.132:5432
    https://159.69.102.132:5432/
    tls, http
    kat6E4A.tmp
    5.9kB
    605 B
    13
    7

    HTTP Request

    POST https://159.69.102.132:5432/

    HTTP Response

    200
  • 159.69.102.132:5432
    https://159.69.102.132:5432/sqls.dll
    tls, http
    kat6E4A.tmp
    94.0kB
    2.5MB
    1829
    1826

    HTTP Request

    GET https://159.69.102.132:5432/sqls.dll

    HTTP Response

    200
  • 159.69.102.132:5432
    https://159.69.102.132:5432/
    tls, http
    kat6E4A.tmp
    1.5kB
    528 B
    8
    5

    HTTP Request

    POST https://159.69.102.132:5432/

    HTTP Response

    200
  • 52.111.243.31:443
    322 B
    7
  • 8.8.8.8:53
    t.me
    dns
    kat6E4A.tmp
    328 B
    826 B
    5
    5

    DNS Request

    t.me

    DNS Response

    149.154.167.99

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    92.123.143.240
    92.123.140.25

    DNS Request

    ocsp.godaddy.com

    DNS Response

    192.124.249.36
    192.124.249.23
    192.124.249.22
    192.124.249.24
    192.124.249.41

    DNS Request

    99.167.154.149.in-addr.arpa

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    240.143.123.92.in-addr.arpa
    dns
    222 B
    411 B
    3
    3

    DNS Request

    240.143.123.92.in-addr.arpa

    DNS Request

    132.102.69.159.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.243.30

  • 8.8.8.8:53
    36.249.124.192.in-addr.arpa
    dns
    214 B
    508 B
    3
    3

    DNS Request

    36.249.124.192.in-addr.arpa

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    199.232.210.172
    199.232.214.172

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kat6E4A.tmp

    Filesize

    861KB

    MD5

    66064dbdb70a5eb15ebf3bf65aba254b

    SHA1

    0284fd320f99f62aca800fb1251eff4c31ec4ed7

    SHA256

    6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

    SHA512

    b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

  • memory/2504-8-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/2504-4-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/2504-10-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/2504-24-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/2504-25-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/2504-27-0x000000001DCF0000-0x000000001DF4F000-memory.dmp

    Filesize

    2.4MB

  • memory/2504-42-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/2504-43-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/3928-0-0x00000000023C0000-0x00000000023C1000-memory.dmp

    Filesize

    4KB

  • memory/3928-2-0x0000000004140000-0x000000000428C000-memory.dmp

    Filesize

    1.3MB

  • memory/3928-9-0x0000000000400000-0x0000000000663000-memory.dmp

    Filesize

    2.4MB