smokeloader | a6a0c59a5f4c53ac5df74aae93d700cf287a370505d815b1bc26b006163d9bd7 | Triage

Submit
Reports

Overview

overview

Static

static

A6A0C59A5F...81.exe

windows7_x64

A6A0C59A5F...81.exe

windows10_x64

Sharing

General

Target

A6A0C59A5F4C53AC5DF74AAE93D700CF287A370505D81.exe
Size

2.3MB
Sample

211001-bqnnaaaffn
MD5

8e0d32c0195d67c5b2df608595e25992
SHA1

6b7e16ea79f90cdfe3560ade2d4a512231ae11a7
SHA256

a6a0c59a5f4c53ac5df74aae93d700cf287a370505d815b1bc26b006163d9bd7
SHA512

3efea612a8e55f004e4f9b7698e375c962b4a4ccaef47e1ea93e71f5ffac8a144d3e3af95b4633e1fec24a3b31ce7b698864a3ba2a54a1f16a15d6d5af96f8a9

Score

10^/10

smokeloader vidar 1028 706 aspackv2 backdoor evasion spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

A6A0C59A5F4C53AC5DF74AAE93D700CF287A370505D81.exe

Resource

win7-en-20210920

smokeloader vidar 706 aspackv2 backdoor evasion spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

A6A0C59A5F4C53AC5DF74AAE93D700CF287A370505D81.exe

Resource

win10v20210408

smokeloader vidar 1028 706 aspackv2 backdoor evasion stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

rc4.i32

Extracted

Family

vidar

Version

40.1

Botnet

706

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

vidar

Version

41.1

Botnet

1028

C2

https://mas.to/@bardak1ho

Attributes

profile_id
1028

Targets

- Target
  
  A6A0C59A5F4C53AC5DF74AAE93D700CF287A370505D81.exe
- Size
  
  2.3MB
- MD5
  
  8e0d32c0195d67c5b2df608595e25992
- SHA1
  
  6b7e16ea79f90cdfe3560ade2d4a512231ae11a7
- SHA256
  
  a6a0c59a5f4c53ac5df74aae93d700cf287a370505d815b1bc26b006163d9bd7
- SHA512
  
  3efea612a8e55f004e4f9b7698e375c962b4a4ccaef47e1ea93e71f5ffac8a144d3e3af95b4633e1fec24a3b31ce7b698864a3ba2a54a1f16a15d6d5af96f8a9
Score

10^/10

smokeloader vidar 706 aspackv2 backdoor evasion spyware stealer trojan 1028
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloadervidar706aspackv2backdoorevasionspywarestealertrojan

behavioral2

smokeloadervidar1028706aspackv2backdoorevasionstealertrojan

© 2018-2024

Terms | Privacy