Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a86c7b65a6...5b.exe

windows7-x64

10

a86c7b65a6...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/10/2024, 02:07 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a86c7b65a6348d392d10d3982b6d0b896fdf646b218903a012d3c0dd73159f5b.exe

  • Size

    571KB

  • MD5

    8351aa212d7278c381ebe13f2a435ad9

  • SHA1

    d529652f0ba92febad36c66a1b5be4398eddaef2

  • SHA256

    a86c7b65a6348d392d10d3982b6d0b896fdf646b218903a012d3c0dd73159f5b

  • SHA512

    8ac16c1c659da3562a1b6c7b6a8999da49420d0860e18f601ce6ae737113c82b074b1a724db3b807b41da04f0fbbdfdecb8d42856f72cb0a1732a4dfbfbc2e47

  • SSDEEP

    12288:fls0xfgBSzcsLJPVB1DrYoLRn/4CAkJwh9Jb6OYDU3zHCf4S:fHfgeDPMoLRwCAY06S39

Score
10/10
vidardiscoverystealer

Malware Config

Extracted

Family

vidar

C2

http://lade.petperfectcare.com:80

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

  • Detect Vidar Stealer 7 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a86c7b65a6348d392d10d3982b6d0b896fdf646b218903a012d3c0dd73159f5b.exe
    "C:\Users\Admin\AppData\Local\Temp\a86c7b65a6348d392d10d3982b6d0b896fdf646b218903a012d3c0dd73159f5b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2388
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 252
      2⤵
      • Program crash
      PID:968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 852 -ip 852
    1⤵
      PID:4012

    Network

    • flag-us
      DNS
      lade.petperfectcare.com
      MSBuild.exe
      Remote address:
      8.8.8.8:53
      Request
      lade.petperfectcare.com
      IN A
      Response
      lade.petperfectcare.com
      IN A
      95.164.90.97
    • flag-gi
      GET
      http://lade.petperfectcare.com/
      MSBuild.exe
      Remote address:
      95.164.90.97:80
      Request
      GET / HTTP/1.1
      Host: lade.petperfectcare.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 08 Oct 2024 10:41:21 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • flag-gi
      POST
      http://lade.petperfectcare.com/
      MSBuild.exe
      Remote address:
      95.164.90.97:80
      Request
      POST / HTTP/1.1
      Content-Type: multipart/form-data; boundary=----FBKJKEHIJECGCBFIJEGI
      Host: lade.petperfectcare.com
      Content-Length: 255
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 08 Oct 2024 10:41:21 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • flag-gi
      POST
      http://lade.petperfectcare.com/
      MSBuild.exe
      Remote address:
      95.164.90.97:80
      Request
      POST / HTTP/1.1
      Content-Type: multipart/form-data; boundary=----CFIIIJJKJKFHIDGDBAKJ
      Host: lade.petperfectcare.com
      Content-Length: 331
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 08 Oct 2024 10:41:22 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • flag-gi
      POST
      http://lade.petperfectcare.com/
      MSBuild.exe
      Remote address:
      95.164.90.97:80
      Request
      POST / HTTP/1.1
      Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGC
      Host: lade.petperfectcare.com
      Content-Length: 331
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 08 Oct 2024 10:41:22 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • flag-gi
      POST
      http://lade.petperfectcare.com/
      MSBuild.exe
      Remote address:
      95.164.90.97:80
      Request
      POST / HTTP/1.1
      Content-Type: multipart/form-data; boundary=----AAAAAAAAAAAAAAAAAAAA
      Host: lade.petperfectcare.com
      Content-Length: 332
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 08 Oct 2024 10:41:22 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • flag-gi
      POST
      http://lade.petperfectcare.com/
      MSBuild.exe
      Remote address:
      95.164.90.97:80
      Request
      POST / HTTP/1.1
      Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAEC
      Host: lade.petperfectcare.com
      Content-Length: 4641
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 08 Oct 2024 10:41:23 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • flag-gi
      GET
      http://lade.petperfectcare.com/sql.dll
      MSBuild.exe
      Remote address:
      95.164.90.97:80
      Request
      GET /sql.dll HTTP/1.1
      Host: lade.petperfectcare.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 08 Oct 2024 10:41:23 GMT
      Content-Type: application/octet-stream
      Content-Length: 2459136
      Last-Modified: Fri, 24 Nov 2023 13:43:06 GMT
      Connection: keep-alive
      ETag: "6560a86a-258600"
      Accept-Ranges: bytes
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=00006A937C97605F15B27F817D91619A; domain=.bing.com; expires=Sun, 02-Nov-2025 10:41:21 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 12852252F21D4EB6A40BB97F525A03DE Ref B: LON601060108034 Ref C: 2024-10-08T10:41:21Z
      date: Tue, 08 Oct 2024 10:41:20 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=00006A937C97605F15B27F817D91619A
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=Sx2-AzhChrY05cKQuI5p7F86Rb5hbeLEOXMxCfJ0bcg; domain=.bing.com; expires=Sun, 02-Nov-2025 10:41:21 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1346EA9985594C1AA1F0E8CF1A6526EC Ref B: LON601060108034 Ref C: 2024-10-08T10:41:21Z
      date: Tue, 08 Oct 2024 10:41:20 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=00006A937C97605F15B27F817D91619A; MSPTC=Sx2-AzhChrY05cKQuI5p7F86Rb5hbeLEOXMxCfJ0bcg
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1CED80F868BF44EFB9C16072387FF68F Ref B: LON601060108034 Ref C: 2024-10-08T10:41:21Z
      date: Tue, 08 Oct 2024 10:41:20 GMT
    • flag-us
      DNS
      97.90.164.95.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.90.164.95.in-addr.arpa
      IN PTR
      Response
      97.90.164.95.in-addr.arpa
      IN PTR
      vm114717xxvpsnet
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      72.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      72.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77deploystaticakamaitechnologiescom
    • flag-us
      DNS
      8.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 95.164.90.97:80
      http://lade.petperfectcare.com/sql.dll
      http
      MSBuild.exe
      66.1kB
       1.8MB
       1283
      1293

      HTTP Request

      GET http://lade.petperfectcare.com/

      HTTP Response

      200

      HTTP Request

      POST http://lade.petperfectcare.com/

      HTTP Response

      200

      HTTP Request

      POST http://lade.petperfectcare.com/

      HTTP Response

      200

      HTTP Request

      POST http://lade.petperfectcare.com/

      HTTP Response

      200

      HTTP Request

      POST http://lade.petperfectcare.com/

      HTTP Response

      200

      HTTP Request

      POST http://lade.petperfectcare.com/

      HTTP Response

      200

      HTTP Request

      GET http://lade.petperfectcare.com/sql.dll

      HTTP Response

      200
    • 150.171.28.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
      tls, http2
      2.0kB
       9.4kB
       22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5354d0f604b54048b166c3a3cadb9cec&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

      HTTP Response

      204
    • 8.8.8.8:53
      lade.petperfectcare.com
      dns
      MSBuild.exe
      69 B
       85 B
       1
      1

      DNS Request

      lade.petperfectcare.com

      DNS Response

      95.164.90.97

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
       148 B
       1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      97.90.164.95.in-addr.arpa
      dns
      71 B
       103 B
       1
      1

      DNS Request

      97.90.164.95.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      72.32.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      72.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      31.243.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      31.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      8.173.189.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      8.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/852-0-0x0000000000F2D000-0x0000000000F2F000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2388-1-0x0000000000400000-0x0000000000676000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2388-6-0x0000000000400000-0x0000000000676000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2388-3-0x0000000000400000-0x0000000000676000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2388-7-0x0000000000400000-0x0000000000676000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2388-8-0x0000000000400000-0x0000000000676000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2388-10-0x0000000020050000-0x00000000202AF000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2388-18-0x0000000000400000-0x0000000000676000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2388-19-0x0000000000400000-0x0000000000676000-memory.dmp

      Filesize

      2.5MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.