General
-
Target
1d4ecd52ab85b7f5229f00ee10d438286e361d4c304000abca8b3dcbe1d7c720
-
Size
255KB
-
Sample
211025-ykmv5ahdhl
-
MD5
89bee605f4b726bb0fccb378c22d02cd
-
SHA1
de676173aa2a7b9de8a4631f70b4ded25f2b41ae
-
SHA256
1d4ecd52ab85b7f5229f00ee10d438286e361d4c304000abca8b3dcbe1d7c720
-
SHA512
0a493c64a52d020095b39179431480df03ebef79bdd0262b277e33bf1c06382f7beb4aea98f2ea0e5d65e791aff4d727e74982422beca1b395c0c92dfcc1cf99
Static task
static1
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://gejajoo7.top/
http://sysaheu9.top/
Extracted
Family
amadey
Version
2.70
C2
185.215.113.45/g4MbvE/index.php
Extracted
Family
vidar
Version
41.5
Botnet
754
C2
https://mas.to/@xeroxxx
The Mastodon profile is a dead-drop resolver rather than the C2 itself: Vidar reads its real C2 address from the profile text at run time, so block or alert on the resolved address instead of on mas.to as a whole.
Attributes
-
profile_id
754
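Added example (not part of the sandbox report): normalise the three extracted C2 entries into host/path indicators, flag the Mastodon entry as a dead drop, and pull a C2 address out of a profile page the way Vidar does. The profile HTML is constructed; the assumption that the address sits in the profile description terminated by `|` mirrors Vidar samples seen in the wild, not a published format, and the dead-drop host list is an assumption.

```python
"""Normalise extracted C2 entries and resolve a Vidar-style dead drop.

Added example, not code from the report or the malware families it lists.
SAMPLE_PROFILE is constructed; DEAD_DROP_HOSTS is an assumed list.
"""
import re
from html import unescape
from urllib.parse import urlsplit

# Values copied from the report's "Malware Config" section
EXTRACTED = {
    "smokeloader": ["http://gejajoo7.top/", "http://sysaheu9.top/"],
    "amadey": ["185.215.113.45/g4MbvE/index.php"],
    "vidar": ["https://mas.to/@xeroxxx"],
}

# Public platforms stealers abuse as dead-drop resolvers (assumption)
DEAD_DROP_HOSTS = {"mas.to", "koyu.space", "t.me", "telegram.me", "steamcommunity.com"}


def classify_c2(entry):
    """Turn a raw config string (with or without scheme) into a host/path indicator."""
    url = entry if "://" in entry else "http://" + entry   # amadey omits the scheme
    p = urlsplit(url)
    kind = "dead_drop" if p.hostname in DEAD_DROP_HOSTS else "c2"
    return {"raw": entry, "host": p.hostname, "path": p.path or "/", "kind": kind}


def indicators():
    """Classified indicators per family, ready for a blocklist or a hunt query."""
    return {fam: [classify_c2(e) for e in entries] for fam, entries in EXTRACTED.items()}


# The profile description is exposed in the page's og:description meta tag
BIO_RE = re.compile(r'property="og:description"\s+content="([^"]*)"')
# URL with optional port and path, or a bare IPv4 address with optional port
C2_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?[\w./\-]*|(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?")


def resolve_dead_drop(profile_html):
    """Extract C2 candidates from a profile page; '|' delimiter is an assumption."""
    m = BIO_RE.search(profile_html)
    bio = unescape(m.group(1)) if m else ""
    return C2_RE.findall(bio)


# Constructed stand-in for a fetched profile page; not content from mas.to
SAMPLE_PROFILE = """<html><head>
<meta property="og:description" content="http://203.0.113.7/|">
</head><body>constructed profile page</body></html>"""


if __name__ == "__main__":
    for fam, entries in indicators().items():
        for ind in entries:
            print(fam, ind["kind"], ind["host"], ind["path"])
    print("resolved:", resolve_dead_drop(SAMPLE_PROFILE))
```

Entries of kind `c2` can go straight onto a blocklist; a `dead_drop` entry should raise an alert and be pivoted to the resolved address, since blocking the platform host would also cut legitimate traffic.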
Targets
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
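Added example (not the Suricata rule and not code from the report): the "Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)" signature fires on a ZIP local file header whose entry name is Passwords.txt inside an outbound POST body. The scanner below applies the same idea over a constructed exfil request, parsing every local file header it can find and generalising the name check to the other files Vidar-class stealers package (Cookies, wallet files, information.txt). The name list and the request are assumptions.

```python
"""Scan an outbound POST body for ZIP entries with stealer-typical names.

Added example. The request built by build_sample_post() is constructed;
SUSPICIOUS generalises the single filename the ET rule matches on.
"""
import io
import re
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # fixed 30-byte local file header

SUSPICIOUS = [
    re.compile(r"(^|[\\/])passwords\.txt$", re.I),    # the name the ET rule keys on
    re.compile(r"(^|[\\/])information\.txt$", re.I),  # assumed: system summary file
    re.compile(r"(^|[\\/])cookies", re.I),            # assumed: browser cookie dumps
    re.compile(r"wallet|\.seco$|\.wallet$", re.I),    # assumed: cryptocurrency wallets
]


def zip_entries(blob):
    """Yield (offset, name, flags, compressed_size) for each local header in blob.

    Signature scanning instead of central-directory parsing: the capture may be
    truncated, and streamed entries (flag bit 3) carry zero sizes up front, so
    the headers cannot be chained by size.
    """
    pos = blob.find(LOCAL_SIG)
    while pos != -1:
        if pos + LOCAL_HDR.size <= len(blob):
            _, _, flags, _, _, _, _, csize, _, nlen, _ = LOCAL_HDR.unpack_from(blob, pos)
            raw = blob[pos + LOCAL_HDR.size: pos + LOCAL_HDR.size + nlen]
            enc = "utf-8" if flags & 0x800 else "cp437"   # bit 11 marks a UTF-8 name
            yield pos, raw.decode(enc, "replace"), flags, csize
        pos = blob.find(LOCAL_SIG, pos + 4)


def scan_post_body(body):
    """Return one record per ZIP entry whose name matches a stealer pattern."""
    hits = []
    for off, name, flags, csize in zip_entries(body):
        if any(p.search(name) for p in SUSPICIOUS):
            hits.append({"offset": off, "name": name,
                         "streamed": bool(flags & 0x8), "compressed_size": csize})
    return hits


def build_sample_post():
    """Constructed multipart upload resembling a stealer exfil request."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("information.txt", "Windows 10 Pro x64\nHWID: constructed\n")
        z.writestr("Passwords.txt", "URL: https://example.test\nLogin: user\n")
        z.writestr("Cookies/Chrome_Default.txt", "example.test\tTRUE\t/\n")
        z.writestr("Wallets/Exodus/seed.seco", b"\x00" * 16)
        z.writestr("Screenshot.jpg", b"\xff\xd8\xff\xe0")
    boundary = b"----stealerboundary"
    return (b"POST / HTTP/1.1\r\nHost: 203.0.113.7\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n\r\n"
            b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="loot.zip"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n"
            + buf.getvalue() + b"\r\n--" + boundary + b"--\r\n")


if __name__ == "__main__":
    for hit in scan_post_body(build_sample_post()):
        print(hit)
```

The entry name is read from the local header rather than the central directory, which is also what a network sensor sees first; a stealer that streams its archive (flag bit 3) still exposes the name at the header even though the sizes read as zero.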
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
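Added example (not code from the sample or the sandbox): three of the signatures above (VirtualBox ACPI registry values, BIOS information in the registry, Uninstall-key enumeration) describe registry reads the sample uses to decide whether it is in a sandbox. The script below reproduces those checks offline against a Regedit 5.00 export, which lets a sandbox operator verify what the guest would reveal. SAMPLE_REG is constructed, and VM_MARKERS is an assumed list of the strings such checks commonly look for.

```python
"""Evaluate registry-based sandbox checks against a .reg export.

Added example. SAMPLE_REG is a constructed Regedit 5.00 export of the keys
the signatures mention; VM_MARKERS is an assumed list of tell-tale strings.
"""
import re

VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS")
HKLM = "HKEY_LOCAL_MACHINE"
SYSTEM_DESC = HKLM + r"\HARDWARE\DESCRIPTION\System"
UNINSTALL = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


def _decode_value(raw):
    """Decode one Regedit value literal: "string", dword:, hex(2): or hex(7):."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith(("hex(2):", "hex(7):")):
        data = bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
        text = data.decode("utf-16-le").rstrip("\x00")
        return text.split("\x00") if raw.startswith("hex(7)") else text  # REG_MULTI_SZ -> list
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a Regedit 5.00 export."""
    text = re.sub(r",\\\r?\n\s*", ",", text)      # rejoin hex lines wrapped with a trailing backslash
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def installed_software(reg):
    """Mimic the Uninstall-key walk: DisplayName of every per-product subkey."""
    return [vals["DisplayName"] for key, vals in reg.items()
            if key.upper().startswith(UNINSTALL.upper() + "\\") and "DisplayName" in vals]


def vm_indicators(reg):
    """Everything the three registry checks would find in this export."""
    hits = []
    for key in reg:                                   # VirtualBox ACPI tables: ...\ACPI\DSDT\VBOX__
        if "\\ACPI\\" in key.upper() and "\\VBOX__" in key.upper():
            hits.append("acpi_key:" + key)
    for name in ("SystemBiosVersion", "VideoBiosVersion", "SystemManufacturer"):
        values = reg.get(SYSTEM_DESC, {}).get(name, [])
        for v in [values] if isinstance(values, str) else values:
            if any(m in v.upper() for m in VM_MARKERS):
                hits.append(f"bios:{name}={v}")
    for name in installed_software(reg):               # guest tools give the hypervisor away too
        if any(m in name.upper() for m in VM_MARKERS):
            hits.append("software:" + name)
    return hits


# Constructed export; the values imitate an unhardened VirtualBox guest
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__]

[HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__\VBOXBIOS]

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System]
"Identifier"="AT/AT COMPATIBLE"
"SystemBiosVersion"=hex(7):56,00,42,00,4f,00,58,00,20,00,2d,00,20,00,31,00,00,00,\
  00,00
"VideoBiosVersion"=hex(7):56,00,49,00,52,00,54,00,55,00,41,00,4c,00,42,00,4f,00,\
  58,00,20,00,56,00,45,00,53,00,41,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GuestAdditions}]
"DisplayName"="Oracle VM VirtualBox Guest Additions 6.1.26"
"""


if __name__ == "__main__":
    for hit in vm_indicators(parse_reg_export(SAMPLE_REG)):
        print(hit)
```

Run it against `reg export HKLM\HARDWARE\DESCRIPTION\System` (and the ACPI and Uninstall keys) taken from the analysis guest; any line it prints is something the sample can read before it decides whether to run its payload, and a nearly empty Uninstall list is a tell of its own.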