smokeloader | be80b4e94a314d5a93ada9abaf4f7b80b7c097f2ce099076091c7286b22f22dd | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

be80b4e94a314d5a93ada9abaf4f7b80b7c097f2ce099076091c7286b22f22dd
Size

256KB
Sample

221026-b9ff1seeel
MD5

2eee6fb1fee3f09ad9a6255d785513ec
SHA1

e64812a617692fd21567c814ad4c481b758b239a
SHA256

be80b4e94a314d5a93ada9abaf4f7b80b7c097f2ce099076091c7286b22f22dd
SHA512

e3bd4c8f7daf0931953a41f19d21cebf59fb02afc547671400a8bdc48a4a0b3d9b1c155491f263177b48c74a0053787ea0ba98936ef0ac9956e1f061db85c188
SSDEEP

3072:dXKvuEyFLssiCLyZYwD+gRGQ8pgpWR+alsAMHuR4CdmD/Amk:ZkuE8LJtgYwD+3UuqAMO5u4F

Score

10^/10

smokeloader vidar 937 backdoor discovery spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

be80b4e94a314d5a93ada9abaf4f7b80b7c097f2ce099076091c7286b22f22dd.exe

Resource

win10v2004-20220812-en

smokeloader vidar 937 backdoor discovery spyware stealer trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

55.2

Botnet

937

C2

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Targets

- Target
  
  be80b4e94a314d5a93ada9abaf4f7b80b7c097f2ce099076091c7286b22f22dd
- Size
  
  256KB
- MD5
  
  2eee6fb1fee3f09ad9a6255d785513ec
- SHA1
  
  e64812a617692fd21567c814ad4c481b758b239a
- SHA256
  
  be80b4e94a314d5a93ada9abaf4f7b80b7c097f2ce099076091c7286b22f22dd
- SHA512
  
  e3bd4c8f7daf0931953a41f19d21cebf59fb02afc547671400a8bdc48a4a0b3d9b1c155491f263177b48c74a0053787ea0ba98936ef0ac9956e1f061db85c188
- SSDEEP
  
  3072:dXKvuEyFLssiCLyZYwD+gRGQ8pgpWR+alsAMHuR4CdmD/Amk:ZkuE8LJtgYwD+3UuqAMO5u4F
Score

10^/10

smokeloader vidar 937 backdoor discovery spyware stealer trojan
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloadervidar937backdoordiscoveryspywarestealertrojan

© 2018-2024

Terms | Privacy