
General

  • Target

    9e5eb02dd5ddfc26a381313863b1f5d78e72c15b2a78500a83ec024dae202157

  • Size

    5.0MB

  • Sample

    240706-qvxjba1fmg

  • MD5

    865306ffc5542139a3d57219ed1548bc

  • SHA1

    7da9b0e42bd66f36556d3fb2e62db17c061d184f

  • SHA256

    9e5eb02dd5ddfc26a381313863b1f5d78e72c15b2a78500a83ec024dae202157

  • SHA512

    033fca1c0f72348c41d4e062633a6ff04edb5fd6235bf8af831faa30ac956fea775a6ea0a40791c30c6a265d37d86e17226eb0d771a64e4e92c0f72d832464b6

  • SSDEEP

    49152:vL/Johw36b9y1H8tatteWuwRYBRczgpYIugrrwOUGQZjdXd7Eh28gZV0E9yJglZU:vLhUwKy5RKczgy8rCGIm0H6gBvMnK4

Malware Config

Extracted

Family

vidar

C2

https://t.me/bu77un

https://steamcommunity.com/profiles/76561199730044335

Attributes

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Extracted

Family

lumma

C2

https://civilizzzationo.shop/api

Targets

    • Target

      9e5eb02dd5ddfc26a381313863b1f5d78e72c15b2a78500a83ec024dae202157

    • Size

      5.0MB

    • MD5

      865306ffc5542139a3d57219ed1548bc

    • SHA1

      7da9b0e42bd66f36556d3fb2e62db17c061d184f

    • SHA256

      9e5eb02dd5ddfc26a381313863b1f5d78e72c15b2a78500a83ec024dae202157

    • SHA512

      033fca1c0f72348c41d4e062633a6ff04edb5fd6235bf8af831faa30ac956fea775a6ea0a40791c30c6a265d37d86e17226eb0d771a64e4e92c0f72d832464b6

    • SSDEEP

      49152:vL/Johw36b9y1H8tatteWuwRYBRczgpYIugrrwOUGQZjdXd7Eh28gZV0E9yJglZU:vLhUwKy5RKczgy8rCGIm0H6gBvMnK4

    • Detect Vidar Stealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
