Analysis
- max time kernel: 15s
- max time network: 16s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/07/2024, 23:18

Static task: static1
Behavioral task: behavioral1
- Sample: Setup.exe
- Resource: win7-20240708-en
General
- Target: Setup.exe
- Size: 2.0MB
- MD5: e3d5b216c73c93fa570be1776d81da90
- SHA1: dc66ddc93ed23831977a6dcf08a7b27786e0d169
- SHA256: b27f2ffda5054c513a5f0dc3bbdc067c78a82f2be201334703f1b45e477cd067
- SHA512: 45a1d097a9e3f164c8b503f4aee0d3afcb747a57f0058c6f0f243f01739a7ecb5636095a72b04a38c0dd6cb0c3f8c12ccafdfd0051dc81f99911f657f9236669
- SSDEEP: 49152:KDjlabwz9ZDjlabwz9F62WMAQaPXvvvELJ8LPel0Pk:6qwvqwhBAh/vvYJ4PLM
Malware Config
Extracted family: vidar
- C2 / profile URLs:
  - https://t.me/bu77un
  - https://steamcommunity.com/profiles/76561199730044335
- user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1
Signatures

Detect Vidar Stealer (1 IoC)
- resource: behavioral2/memory/3216-64-0x0000000000470000-0x0000000000A1D000-memory.dmp
  yara_rule: family_vidar_v7

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation (Setup.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation (pikola.exe)

Executes dropped EXE (2 IoCs)
- PID 4644: pikola.exe
- PID 3216: rgawth.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs such as FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software installed on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
- flow 43: bitbucket.org

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 3216: rgawth.exe
- PID 3216: rgawth.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandbox environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (rgawth.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (rgawth.exe)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 3216: rgawth.exe
- PID 3216: rgawth.exe
- PID 3216: rgawth.exe
- PID 3216: rgawth.exe
- PID 3216: rgawth.exe
- PID 3216: rgawth.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3216: rgawth.exe

Suspicious use of WriteProcessMemory (7 IoCs)
- PID 3128 (Setup.exe) wrote to memory of PID 4612 (procid_target 82)
- PID 3128 (Setup.exe) wrote to memory of PID 4612 (procid_target 82)
- PID 4612 (cmd.exe) wrote to memory of PID 4644 (procid_target 86)
- PID 4612 (cmd.exe) wrote to memory of PID 4644 (procid_target 86)
- PID 4644 (pikola.exe) wrote to memory of PID 3216 (procid_target 88)
- PID 4644 (pikola.exe) wrote to memory of PID 3216 (procid_target 88)
- PID 4644 (pikola.exe) wrote to memory of PID 3216 (procid_target 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID: 3128
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    PID: 4612
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pikola.exe
      Command line: pikola.exe -ppivore
      PID: 4644
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\rgawth.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\rgawth.exe"
        PID: 3216
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads