General
-
Target
fd037084c9ea6aae2c48f8d50c314823c4d8064e1f3483b3f1b649795613fdb5
-
Size
341KB
-
Sample
221204-kpz5csdc24
-
MD5
50d1209aa6b0a945d2b2d48df5011320
-
SHA1
5f986a05b318de242cbdd9052f979459c13260bb
-
SHA256
fd037084c9ea6aae2c48f8d50c314823c4d8064e1f3483b3f1b649795613fdb5
-
SHA512
a99420c6ee44b53a65a4810487b6d3c995a604c741ecb90701cb93ed6ffa2906e12f6c2b984dcd16de4eb5d0edf1155676b43870a6a0ae952bf5ec4b47ae1936
-
SSDEEP
6144:42eo3G4NEohrBgl4SljGT/Yymlgl5WZG1PK:42eo3me6B6/YyWglUZG
Malware Config
Extracted
vidar
56
1148
https://t.me/asifrazatg
https://steamcommunity.com/profiles/76561199439929669
-
profile_id
1148
Targets
-
-
Target
fd037084c9ea6aae2c48f8d50c314823c4d8064e1f3483b3f1b649795613fdb5
-
Size
341KB
-
MD5
50d1209aa6b0a945d2b2d48df5011320
-
SHA1
5f986a05b318de242cbdd9052f979459c13260bb
-
SHA256
fd037084c9ea6aae2c48f8d50c314823c4d8064e1f3483b3f1b649795613fdb5
-
SHA512
a99420c6ee44b53a65a4810487b6d3c995a604c741ecb90701cb93ed6ffa2906e12f6c2b984dcd16de4eb5d0edf1155676b43870a6a0ae952bf5ec4b47ae1936
-
SSDEEP
6144:42eo3G4NEohrBgl4SljGT/Yymlgl5WZG1PK:42eo3me6B6/YyWglUZG
Score10/10-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-