General
-
Target
http://2.56.59.42/WW/file2.exe
-
Sample
211014-wkla7aahar
Static task
static1
URLScan task
urlscan1
Sample
http://2.56.59.42/WW/file2.exe
Behavioral task
behavioral1
Sample
http://2.56.59.42/WW/file2.exe
Resource
win7-ja-20210920
Malware Config
Extracted
smokeloader
2020
http://gfdjgdfjgdhfbg.space/
http://gfhjdsghdfjg23.space/
http://gdfjgdfh4543nf.space/
http://fgdjgsdfghj4fds.space/
http://fgdgdjfgfdgdf.space/
http://fsdhjfsdhfsd.space/
http://fgdsjghdfghjdfhgd.space/
http://ryuesrseyth3.space/
http://fdsjkuhreyu4.space/
http://fdgjdfgehr4.space/
http://fgdgjhdfgdfjgd.space/
Extracted
raccoon
3dde9cf1ea25ec8623cf240fe8d23e8d3fe465f0
-
url4cnc
http://telegatt.top/d1rolsavage
http://telegka.top/d1rolsavage
http://telegin.top/d1rolsavage
https://t.me/d1rolsavage
Extracted
vidar
41.4
1041
https://mas.to/@sslam
-
profile_id
1041
Targets
-
-
Target
http://2.56.59.42/WW/file2.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-