Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/09/2024, 08:38
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20240802-en
General
-
Target
file.exe
-
Size
401KB
-
MD5
cd681a24c9d79c3af8caa1843296a062
-
SHA1
c18bfd79658cd691170595dd5b4dd586c21b954c
-
SHA256
2b85d82dd140d794a295b87bb250ebcdfa1aeb1d729f74c37ac0b07083e70daf
-
SHA512
2527a1a2acdf8c87e4b459683f6f287bc6fb65ff9eb979c830ec9dfd685380c633787b247b65c3fe3bf57f5c598f48700742f8d8d056c971ed5744e2eb9f5cb5
-
SSDEEP
12288:CgIVaGe6BEIaaJLq2vru6fv8PF5Nn5e4AkArjUdG8L:NGmLaufTe5rUdG8L
Malware Config
Extracted
vidar
11
728eadc0b38790aac08b64fd1b8adb1f
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures
-
Detect Vidar Stealer 7 IoCs
resource yara_rule behavioral2/memory/4736-4-0x0000000000400000-0x0000000000675000-memory.dmp family_vidar_v7 behavioral2/memory/4736-9-0x0000000000400000-0x0000000000675000-memory.dmp family_vidar_v7 behavioral2/memory/4736-7-0x0000000000400000-0x0000000000675000-memory.dmp family_vidar_v7 behavioral2/memory/4736-20-0x0000000000400000-0x0000000000675000-memory.dmp family_vidar_v7 behavioral2/memory/4736-21-0x0000000000400000-0x0000000000675000-memory.dmp family_vidar_v7 behavioral2/memory/4736-37-0x0000000000400000-0x0000000000675000-memory.dmp family_vidar_v7 behavioral2/memory/4736-38-0x0000000000400000-0x0000000000675000-memory.dmp family_vidar_v7 -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 548 set thread context of 4736 548 file.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4736 RegAsm.exe 4736 RegAsm.exe 4736 RegAsm.exe 4736 RegAsm.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 548 wrote to memory of 4736 548 file.exe 83 PID 548 wrote to memory of 4736 548 file.exe 83 PID 548 wrote to memory of 4736 548 file.exe 83 PID 548 wrote to memory of 4736 548 file.exe 83 PID 548 wrote to memory of 4736 548 file.exe 83 PID 548 wrote to memory of 4736 548 file.exe 83 PID 548 wrote to memory of 4736 548 file.exe 83 PID 548 wrote to memory of 4736 548 file.exe 83 PID 548 wrote to memory of 4736 548 file.exe 83 PID 548 wrote to memory of 4736 548 file.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4736
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1