smokeloader

General

Target

abf60d26f7062fa3ed554d4ed437c8f9.exe
Size

13.8MB
Sample

211231-zxq9rahca5
MD5

abf60d26f7062fa3ed554d4ed437c8f9
SHA1

7751ce911e1b45f925f214fe1fb6b96e5fd9204d
SHA256

48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
SHA512

62295d1d36da974e746883f5cbcca6069dd31822b26e9c4be946f6b000a40fe5c8ecdf02fe376180a1b00b658d3dbbbf33fe7e551a6045b59a75b4c9c5a3da76

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

vidar

Version

49.2

Botnet

915

C2

https://mstdn.social/@kipriauk9

https://qoto.org/@kipriauk8

Attributes

profile_id
915

Extracted

Family

smokeloader

Version

2020

C2

http://melchen-testet.at/upload/

http://zjymf.com/upload/

http://pbxbmu70275.cn/upload/

http://mnenenravitsya.ru/upload/

http://pitersprav.ru/upload/

rc4.i32

Targets

- Target
  
  abf60d26f7062fa3ed554d4ed437c8f9.exe
- Size
  
  13.8MB
- MD5
  
  abf60d26f7062fa3ed554d4ed437c8f9
- SHA1
  
  7751ce911e1b45f925f214fe1fb6b96e5fd9204d
- SHA256
  
  48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
- SHA512
  
  62295d1d36da974e746883f5cbcca6069dd31822b26e9c4be946f6b000a40fe5c8ecdf02fe376180a1b00b658d3dbbbf33fe7e551a6045b59a75b4c9c5a3da76
Score

10^/10

smokeloader socelars vidar xmrig 915 aspackv2 backdoor miner stealer trojan vmprotect discovery persistence spyware
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Vidar Stealer
  stealer
- XMRig Miner Payload
  miner
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2