General

  • Target

    2c644cced4c0cdfbf5b1ca12834645519feb0f82f4256c514513ede43ff75712

  • Size

    2.2MB

  • Sample

    240703-3ft6vs1hkk

  • MD5

    11f3e4676a5090fed6d34d1853faaa5a

  • SHA1

    2ed2179842150ce1f56df26313364ae5def16fa8

  • SHA256

    2c644cced4c0cdfbf5b1ca12834645519feb0f82f4256c514513ede43ff75712

  • SHA512

    2cec10346194f563df363cdb1f92c3ebccfd9bd12fe19408fc3c39d41ff074c165ced244ac6afa7778dcc476dab7cd140d1a81e07d7fb877b5c6a2b69d24fc17

  • SSDEEP

    24576:tS3YnKk3guxNWbmbbKBBdQlNtZYzMPkYHXANYksiZArxliP4OTomFu5Xxth9:c3YKMFT8W5aYRi2lpYu5XxZ

Malware Config

Extracted

Family

vidar

C2

https://t.me/bu77un

https://steamcommunity.com/profiles/76561199730044335

Attributes

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Targets

    • Target

      2c644cced4c0cdfbf5b1ca12834645519feb0f82f4256c514513ede43ff75712

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks