Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
S0FTWARE.exe
-
Size
21.9MB
-
Sample
240822-brvg8avejl
-
MD5
1b71e6b24ef5af362800674173fdd70a
-
SHA1
c1a3c341519111125bf7023f8fc33a1ae556057d
-
SHA256
06f6de001e64611fe8443bab7e400e65d0336fdaf54e1cb57a36c742710ea716
-
SHA512
c600714781c501c0a6352acfbdcb0c072e06aaef89bac81902848fded89a2c4c3904dfc3271be25d631d91c63c8b79e757c1a6616f6cca2c6593a4fd2ceb8d63
-
SSDEEP
196608:jv9BA2DxwIDs0HsET/nMKBfMkP6PKq3e2bpCPmBhpDr:jVG2DxCET/nMUUPKq3e2QmX
Static task
static1
Behavioral task
behavioral1
Sample
S0FTWARE.exe
Resource
win7-20240708-en
Malware Config
Extracted
vidar
https://steamcommunity.com/profiles/76561199751190313
https://t.me/pech0nk
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Targets
-
-
Target
S0FTWARE.exe
-
Size
21.9MB
-
MD5
1b71e6b24ef5af362800674173fdd70a
-
SHA1
c1a3c341519111125bf7023f8fc33a1ae556057d
-
SHA256
06f6de001e64611fe8443bab7e400e65d0336fdaf54e1cb57a36c742710ea716
-
SHA512
c600714781c501c0a6352acfbdcb0c072e06aaef89bac81902848fded89a2c4c3904dfc3271be25d631d91c63c8b79e757c1a6616f6cca2c6593a4fd2ceb8d63
-
SSDEEP
196608:jv9BA2DxwIDs0HsET/nMKBfMkP6PKq3e2bpCPmBhpDr:jVG2DxCET/nMUUPKq3e2QmX
-
Detect Vidar Stealer
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2