General

  • Target

    S0FTWARE.zip

  • Size

    150.4MB

  • Sample

    241102-cp4hsazjem

  • MD5

    55917cb8e6da1b0c6a12f2ad056928da

  • SHA1

    2e32942b38afeaab268ae958b4cb5c6732688081

  • SHA256

    15f274ebebfa08bed4cfd70447696f8f2eb3c0444aa33b572b0c370085f324ad

  • SHA512

    48a7d80dbcdf4bfcb78e45f3ae56146ef620990d63e048713ca75aad7aa0954b7b4e4ea83d77071ca74a34dcd2003f7d5e879421a74773e365008cd738f788a2

  • SSDEEP

    3145728:0YQyuFWIZb52RZZCLmup5274CjdLpLqGW5XKsV1FhGG+S3rgmRhqOM:BuFWK81C6up5274gdLpLqGW5XKK1/rgD

Malware Config

Extracted

Family

vidar

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Targets

    • Target

      S0FTWARE.zip

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
