General

  • Target: 8f8a2176880d870914390bb2b62a538a0491ae0fc353b3b845acec0dd3751794
  • Size: 826KB
  • Sample: 240720-fyspes1fmb
  • MD5: 5f661bce27073f4b496277cbc2fa246d
  • SHA1: c8bdd873deb476df8a5442db116e77a7711a4f3f
  • SHA256: 8f8a2176880d870914390bb2b62a538a0491ae0fc353b3b845acec0dd3751794
  • SHA512: b69f5036cffdadb53a4915409fa75cb27f66482bf055dff6a0bdcfdef7e50e806309b7e3a9e1ef29cf59ad5ec142a534d57e67915b152214316875e837ecb0ce
  • SSDEEP: 12288:tC1U5/+u/RXk8dT5SgSOFsz+kdOfFRLo1njpUAmJ7TqQlgPxRLHqZ:tuUhlJ08V5HS36FfFRLodDmxTqX7e

Malware Config

Extracted

  • Family: vidar
  • Version: 10.5
  • Botnet: 7b04eca2ba9484306915531fb29d1798
  • C2:
      https://t.me/obeliszxgeaea_1337
      http://104.131.166.122:80
      http://159.89.26.154:80
      https://t.me/s41l0

Attributes

  • user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.0 Safari/537.36

Targets

    • Vidar: Vidar is an infostealer based on the Arkei stealer.
    • Downloads MZ/PE file
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads data files stored by FTP clients: tries to access configuration files associated with programs such as FileZilla.
    • Reads user/profile data of web browsers: infostealers commonly target stored browser data, which can include saved credentials and similar secrets.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks