Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/06/2024, 04:37 UTC

General

  • Target

    1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe

  • Size

    2.9MB

  • MD5

    0106c47448dd2470e5d3d2550e94a560

  • SHA1

    06e62d065bac64d68e44742adbdf45067b950648

  • SHA256

    1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a

  • SHA512

    75a342fa44fa3ccabe80c499f4357b82dec2b31a49fb7f6a982a0880ba6045237b0c7a0ab761478eaca2c26ec35d2d322139bc104e8c1ef3b89f7b37d54bed97

  • SSDEEP

    49152:rtpSxptE1AKnCVMS4cdR/z4+UVi4e9Crn:r/4nE1dCqKxx4e9Cb

Malware Config

Extracted

Family

stealc

rc4.plain
1
2910114286690104117195131148

Extracted

Family

vidar

C2

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 8 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe
    "C:\Users\Admin\AppData\Local\Temp\1e057497f0ea743c71538d4e08bff3e469e0bc7467617245841375587f4d4a2a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\kat3F1C.tmp
      C:\Users\Admin\AppData\Local\Temp\kat3F1C.tmp
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      PID:1972

Network

  • flag-us
    DNS
    t.me
    kat3F1C.tmp
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/r8z0l
    kat3F1C.tmp
    Remote address:
    149.154.167.99:443
    Request
    GET /r8z0l HTTP/1.1
    Host: t.me
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 07 Jun 2024 04:37:56 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12304
    Connection: keep-alive
    Set-Cookie: stel_ssid=1b803a2df8626341ba_13987216217381629792; expires=Sat, 08 Jun 2024 04:37:56 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
  • flag-de
    GET
    https://116.202.190.18:5432/
    kat3F1C.tmp
    Remote address:
    116.202.190.18:5432
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Jun 2024 04:37:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.190.202.116.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.190.202.116.in-addr.arpa
    IN PTR
    Response
    18.190.202.116.in-addr.arpa
    IN PTR
    static.18.190.202.116.clients.your-server.de
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat3F1C.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBF
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 279
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Jun 2024 04:37:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    14.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat3F1C.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDHIEHJEBAAFIDHJEBGI
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Jun 2024 04:37:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat3F1C.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFI
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Jun 2024 04:37:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat3F1C.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EGIJKEHCAKFCAKFHDAAA
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 332
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Jun 2024 04:37:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat3F1C.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HDBGDHDAECBGDHJKFIDG
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 4709
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Jun 2024 04:37:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    GET
    https://116.202.190.18:5432/sqls.dll
    kat3F1C.tmp
    Remote address:
    116.202.190.18:5432
    Request
    GET /sqls.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Jun 2024 04:37:59 GMT
    Content-Type: application/octet-stream
    Content-Length: 2459136
    Last-Modified: Sun, 02 Jun 2024 19:44:54 GMT
    Connection: keep-alive
    ETag: "665ccbb6-258600"
    Accept-Ranges: bytes
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat3F1C.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EBGIEGCFHCFHIDHIJECA
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 437
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Jun 2024 04:38:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 149.154.167.99:443
    https://t.me/r8z0l
    tls, http
    kat3F1C.tmp
    1.5kB
    19.4kB
    24
    20

    HTTP Request

    GET https://t.me/r8z0l

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat3F1C.tmp
    966 B
    2.7kB
    11
    8

    HTTP Request

    GET https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat3F1C.tmp
    1.4kB
    622 B
    9
    6

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat3F1C.tmp
    1.5kB
    2.2kB
    10
    7

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat3F1C.tmp
    1.6kB
    6.3kB
    13
    10

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat3F1C.tmp
    1.4kB
    672 B
    9
    6

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat3F1C.tmp
    6.0kB
    605 B
    13
    7

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/sqls.dll
    tls, http
    kat3F1C.tmp
    98.0kB
    2.5MB
    1830
    1827

    HTTP Request

    GET https://116.202.190.18:5432/sqls.dll

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat3F1C.tmp
    1.5kB
    528 B
    8
    5

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 8.8.8.8:53
    t.me
    dns
    kat3F1C.tmp
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    99.167.154.149.in-addr.arpa
    dns
    73 B
    166 B
    1
    1

    DNS Request

    99.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    18.190.202.116.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    18.190.202.116.in-addr.arpa

  • 8.8.8.8:53
    14.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kat3F1C.tmp

    Filesize

    861KB

    MD5

    66064dbdb70a5eb15ebf3bf65aba254b

    SHA1

    0284fd320f99f62aca800fb1251eff4c31ec4ed7

    SHA256

    6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

    SHA512

    b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

  • memory/1972-9-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/1972-10-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/1972-4-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/1972-13-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/1972-14-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/1972-16-0x000000001B820000-0x000000001BA7F000-memory.dmp

    Filesize

    2.4MB

  • memory/1972-31-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/1972-33-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/3996-0-0x0000000002330000-0x0000000002331000-memory.dmp

    Filesize

    4KB

  • memory/3996-1-0x0000000002AE0000-0x0000000002C46000-memory.dmp

    Filesize

    1.4MB

  • memory/3996-6-0x0000000000400000-0x00000000006EF000-memory.dmp

    Filesize

    2.9MB
