General
Target: b6b6b4c660fd06ffde4b0f6a4c6a82d2fb60156363901f16d23128467735443f
Size: 4.5MB
Sample: 220314-wkgyrsafd4
MD5: 5791549d6c88790faabe1c5e817c1b93
SHA1: b251673dd3a068b0f00c958f6120e7e44fdf1bc3
SHA256: b6b6b4c660fd06ffde4b0f6a4c6a82d2fb60156363901f16d23128467735443f
SHA512: f62ac9c64bacfa813fe41033d125370620ca2782ff20985a542b341a1061ebeefdb65b5fb600d65ccee25697803d3d1a41bfa74d50d4ca70b8785fe92eddfc33
Static task: static1
Behavioral task: behavioral1
Sample: b6b6b4c660fd06ffde4b0f6a4c6a82d2fb60156363901f16d23128467735443f.exe
Resource: win7-20220310-en
Malware Config
Extracted: vidar
- 39.3
- 706
- https://bandakere.tumblr.com/
- profile_id: 706
Extracted: smokeloader
- 2020
- http://ppcspb.com/upload/
- http://mebbing.com/upload/
- http://twcamel.com/upload/
- http://howdycash.com/upload/
- http://lahuertasonora.com/upload/
- http://kpotiques.com/upload/
Targets
Target: b6b6b4c660fd06ffde4b0f6a4c6a82d2fb60156363901f16d23128467735443f
Size: 4.5MB
MD5: 5791549d6c88790faabe1c5e817c1b93
SHA1: b251673dd3a068b0f00c958f6120e7e44fdf1bc3
SHA256: b6b6b4c660fd06ffde4b0f6a4c6a82d2fb60156363901f16d23128467735443f
SHA512: f62ac9c64bacfa813fe41033d125370620ca2782ff20985a542b341a1061ebeefdb65b5fb600d65ccee25697803d3d1a41bfa74d50d4ca70b8785fe92eddfc33
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar Stealer
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext