Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 08:55 UTC

General

  • Target

    setup.exe

  • Size

    6.5MB

  • MD5

    e8e5283ad4683f8dcc018d5769e473dd

  • SHA1

    d5c41f15a6fc28050e02bff6c3ab357fa0f99642

  • SHA256

    b885e915e529bb54f5d219617b77c6369300cf72a50348a37083d21f3a8345e6

  • SHA512

    8f8732c076a76abeb3ccc49215d7c201eea584bc8060df2f38cec3682bb6fbe976934ab73ba33d32e7d1e45dae271acf0fd8716c0847cab3bf930376e8f2173d

  • SSDEEP

    98304:rcLWt2jT+gKF5ENbYMyKFUB47Kh1Fpn50pOFXc2g/uu6J7Hr1x9ucbu8:wb3+XONbg0zIv5o2Xc2g/u9JHr1ycz

Malware Config

Extracted

Family

vidar

Version

1.8

Botnet

670

C2

https://t.me/year2023start

https://steamcommunity.com/profiles/76561199467421923

http://65.108.93.119:80

Attributes
  • profile_id

    670

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    PID:2492

Network

  • flag-us
    DNS
    t.me
    setup.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-us
    DNS
    steamcommunity.com
    setup.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    104.82.234.109
  • flag-gb
    GET
    https://steamcommunity.com/profiles/76561199467421923
    setup.exe
    Remote address:
    104.82.234.109:443
    Request
    GET /profiles/76561199467421923 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Fri, 08 Nov 2024 08:56:43 GMT
    Content-Length: 35155
    Connection: keep-alive
    Set-Cookie: sessionid=1833201102c63d13cfc4be4c; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7Ce15d564837abb028acb4e114150d704d; Path=/; Secure; HttpOnly; SameSite=None
  • flag-de
    GET
    http://116.202.7.135/670
    setup.exe
    Remote address:
    116.202.7.135:80
    Request
    GET /670 HTTP/1.1
    Host: 116.202.7.135
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.22.1
    Date: Fri, 08 Nov 2024 08:56:44 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://www.kitea.com/670
  • flag-de
    GET
    http://116.202.7.135/samefiles.zip
    setup.exe
    Remote address:
    116.202.7.135:80
    Request
    GET /samefiles.zip HTTP/1.1
    Host: 116.202.7.135
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.22.1
    Date: Fri, 08 Nov 2024 08:56:48 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://www.kitea.com/samefiles.zip
  • flag-us
    DNS
    www.kitea.com
    setup.exe
    Remote address:
    8.8.8.8:53
    Request
    www.kitea.com
    IN A
    Response
    www.kitea.com
    IN A
    104.21.52.41
    www.kitea.com
    IN A
    172.67.195.16
  • flag-us
    GET
    https://www.kitea.com/670
    setup.exe
    Remote address:
    104.21.52.41:443
    Request
    GET /670 HTTP/1.1
    Connection: Keep-Alive
    Host: www.kitea.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 08 Nov 2024 08:56:48 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    vary: Accept-Encoding
    Set-Cookie: PHPSESSID=661dmivvk68kl87qpblk17rpec; expires=Fri, 08-Nov-2024 09:56:44 GMT; Max-Age=3600; path=/; domain=www.kitea.com; secure; HttpOnly; SameSite=Lax
    pragma: no-cache
    Cache-Control: max-age=0, must-revalidate, no-cache, no-store
    expires: Wed, 08 Nov 2023 08:56:44 GMT
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    x-frame-options: SAMEORIGIN
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0c8cm%2BAgoyBdYv%2BTnS5n5MDQ8yuY9sWu0mUsxdR2qK4xY%2BwdkGhxNZzMPkWRiulUFaYf6HI%2FMh%2BYIiPLDo8%2BdmUTSVT3Nn%2Bi%2FJ9Ywan%2FMYJjaloEBImDzShMfiJIjOvB"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8df459fe6acb45a0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=42797&sent=7&recv=8&lost=0&retrans=1&sent_bytes=3179&recv_bytes=385&delivery_rate=82737&cwnd=252&unsent_bytes=0&cid=6897422f4c9bfb73&ts=4117&x=0"
  • flag-us
    GET
    https://www.kitea.com/samefiles.zip
    setup.exe
    Remote address:
    104.21.52.41:443
    Request
    GET /samefiles.zip HTTP/1.1
    Host: www.kitea.com
    Cache-Control: no-cache
    Connection: Keep-Alive
    Cookie: PHPSESSID=661dmivvk68kl87qpblk17rpec
    Response
    HTTP/1.1 200 OK
    Date: Fri, 08 Nov 2024 08:56:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    vary: Accept-Encoding
    pragma: no-cache
    Cache-Control: max-age=0, must-revalidate, no-cache, no-store
    expires: Wed, 08 Nov 2023 08:56:48 GMT
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    x-frame-options: SAMEORIGIN
    CF-Cache-Status: BYPASS
    Set-Cookie: PHPSESSID=661dmivvk68kl87qpblk17rpec; expires=Fri, 08-Nov-2024 09:56:48 GMT; Max-Age=3600; path=/; domain=www.kitea.com; secure; HttpOnly; SameSite=Lax
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zq8q8SX027FjzBulDhgmeay6Hn1iNGZtup0iu2lTXI7zN6IcbJUJd0OiO1IM4zUfcrYyWmD%2BznATbqMgLzSfTNWhJI49ZgkWoccV5E1IsdE6dq%2Bw%2B8J7funljm44sunA"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8df45a17fcb745a0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=48194&sent=312&recv=168&lost=0&retrans=11&sent_bytes=401336&recv_bytes=561&delivery_rate=193098&cwnd=351&unsent_bytes=0&cid=6897422f4c9bfb73&ts=9523&x=0"
  • flag-us
    DNS
    c.pki.goog
    setup.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    setup.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Fri, 08 Nov 2024 08:14:28 GMT
    Expires: Fri, 08 Nov 2024 09:04:28 GMT
    Cache-Control: public, max-age=3000
    Age: 2536
    Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    setup.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Fri, 08 Nov 2024 08:14:28 GMT
    Expires: Fri, 08 Nov 2024 09:04:28 GMT
    Cache-Control: public, max-age=3000
    Age: 2536
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • 149.154.167.99:443
    t.me
    tls
    setup.exe
    385 B
    219 B
    5
    5
  • 149.154.167.99:443
    t.me
    tls
    setup.exe
    347 B
    219 B
    5
    5
  • 149.154.167.99:443
    t.me
    tls
    setup.exe
    288 B
    219 B
    5
    5
  • 149.154.167.99:443
    t.me
    setup.exe
    190 B
    92 B
    4
    2
  • 104.82.234.109:443
    https://steamcommunity.com/profiles/76561199467421923
    tls, http
    setup.exe
    1.5kB
    42.5kB
    23
    36

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199467421923

    HTTP Response

    200
  • 116.202.7.135:80
    http://116.202.7.135/samefiles.zip
    http
    setup.exe
    435 B
    920 B
    7
    4

    HTTP Request

    GET http://116.202.7.135/670

    HTTP Response

    301

    HTTP Request

    GET http://116.202.7.135/samefiles.zip

    HTTP Response

    301
  • 104.21.52.41:443
    https://www.kitea.com/samefiles.zip
    tls, http
    setup.exe
    13.0kB
    675.0kB
    269
    501

    HTTP Request

    GET https://www.kitea.com/670

    HTTP Response

    200

    HTTP Request

    GET https://www.kitea.com/samefiles.zip

    HTTP Response

    200
  • 142.250.187.227:80
    http://c.pki.goog/r/r4.crl
    http
    setup.exe
    554 B
    3.8kB
    7
    5

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 8.8.8.8:53
    t.me
    dns
    setup.exe
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    steamcommunity.com
    dns
    setup.exe
    64 B
    80 B
    1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    104.82.234.109

  • 8.8.8.8:53
    www.kitea.com
    dns
    setup.exe
    59 B
    91 B
    1
    1

    DNS Request

    www.kitea.com

    DNS Response

    104.21.52.41
    172.67.195.16

  • 8.8.8.8:53
    c.pki.goog
    dns
    setup.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.227

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabE755.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE787.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2492-14-0x0000000000400000-0x0000000000E3C000-memory.dmp

    Filesize

    10.2MB

  • memory/2492-1-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/2492-6-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2492-11-0x0000000000400000-0x0000000000E3C000-memory.dmp

    Filesize

    10.2MB

  • memory/2492-0-0x000000000045B000-0x00000000007B0000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-10-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2492-8-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2492-15-0x000000000045B000-0x00000000007B0000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-16-0x0000000000400000-0x0000000000E3C000-memory.dmp

    Filesize

    10.2MB

  • memory/2492-3-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/2492-5-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/2492-72-0x0000000000400000-0x0000000000E3C000-memory.dmp

    Filesize

    10.2MB
