dharma | 8d6a931a8e8a65cf3a98fc2ee69ded2bd91ee03ef6677c6f653561dd4742ce17 | Triage

Submit
Reports

Overview

overview

Static

static

2020-08-16...in.exe

windows7_x64

2020-08-16...in.exe

windows10_x64

Sharing

General

Target

2020-08-16_12-33-29.bin
Size

182KB
Sample

200827-6x7fdlj8y2
MD5

31293dfcacc8dc2e1e0daca8ad83ffe4
SHA1

49d99d21ee7070f9923e53247dff9359cef66e56
SHA256

8d6a931a8e8a65cf3a98fc2ee69ded2bd91ee03ef6677c6f653561dd4742ce17
SHA512

962605b126e84500a0039b6ddcc2dd6686c942e2aa762d09ab49f97200812721c837770e116f5cb0477ce6ce145529830ef6cfafadb311944c28d388a3ee68dc

Score

10^/10

dharma smokeloader vidar backdoor persistence ransomware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

2020-08-16_12-33-29.bin.exe

Resource

win7

dharma smokeloader backdoor persistence ransomware trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

2020-08-16_12-33-29.bin.exe

Resource

win10v200722

dharma smokeloader vidar backdoor persistence ransomware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rexstat35x.xyz/statweb955/

http://dexspot2x.xyz/statweb955/

http://atxspot20x.xyz/statweb955/

http://rexspot7x.xyz/statweb955/

http://fdmail85.club/statweb955/

http://servicem977x.xyz/statweb955/

http://advertxman7x.xyz/statweb955/

http://starxpush7x.xyz/statweb955/

rc4.i32

rc4.i32

Targets

- Target
  
  2020-08-16_12-33-29.bin
- Size
  
  182KB
- MD5
  
  31293dfcacc8dc2e1e0daca8ad83ffe4
- SHA1
  
  49d99d21ee7070f9923e53247dff9359cef66e56
- SHA256
  
  8d6a931a8e8a65cf3a98fc2ee69ded2bd91ee03ef6677c6f653561dd4742ce17
- SHA512
  
  962605b126e84500a0039b6ddcc2dd6686c942e2aa762d09ab49f97200812721c837770e116f5cb0477ce6ce145529830ef6cfafadb311944c28d388a3ee68dc
Score

10^/10

dharma smokeloader backdoor persistence ransomware trojan vidar stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

dharmasmokeloaderbackdoorpersistenceransomwaretrojan

behavioral2

dharmasmokeloadervidarbackdoorpersistenceransomwarestealertrojan

© 2018-2024

Terms | Privacy