smokeloader | 95770fe5ccae0ab4e4289e6cf9b47a094470cd847bcbbc03a0b03c42879f7604 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

95770fe5ccae0ab4e4289e6cf9b47a094470cd847bcbbc03a0b03c42879f7604
Size

213KB
Sample

230411-2yba2ahf3z
MD5

4f944ccd27c454fef9c1da2a94bbbef2
SHA1

461edad7bccef1b28d542f41979beabf21047377
SHA256

95770fe5ccae0ab4e4289e6cf9b47a094470cd847bcbbc03a0b03c42879f7604
SHA512

1551c5004b321ab500c4a328fa02cd0eb68222122f18d66d1ee811ff25bff86eab873c0965bff02eb4be5e77c6d32fe744f4a4e8e18f12ceeb0776d51e2a84b3
SSDEEP

3072:JuBd+9RSLJHShdldpRKRQT5/0JedDcLAgQ5Nh0J:0r+9UHShdX5T5/sUcJoy

Score

10^/10

smokeloader vidar e749025c61b2caca10aa829a9e1a65a1 sprg backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

rc4.i32

Extracted

Family

vidar

Version

3.4

Botnet

e749025c61b2caca10aa829a9e1a65a1

C2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Targets

- Target
  
  95770fe5ccae0ab4e4289e6cf9b47a094470cd847bcbbc03a0b03c42879f7604
- Size
  
  213KB
- MD5
  
  4f944ccd27c454fef9c1da2a94bbbef2
- SHA1
  
  461edad7bccef1b28d542f41979beabf21047377
- SHA256
  
  95770fe5ccae0ab4e4289e6cf9b47a094470cd847bcbbc03a0b03c42879f7604
- SHA512
  
  1551c5004b321ab500c4a328fa02cd0eb68222122f18d66d1ee811ff25bff86eab873c0965bff02eb4be5e77c6d32fe744f4a4e8e18f12ceeb0776d51e2a84b3
- SSDEEP
  
  3072:JuBd+9RSLJHShdldpRKRQT5/0JedDcLAgQ5Nh0J:0r+9UHShdX5T5/sUcJoy
Score

10^/10

smokeloader vidar e749025c61b2caca10aa829a9e1a65a1 sprg backdoor discovery spyware stealer trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloadervidare749025c61b2caca10aa829a9e1a65a1sprgbackdoordiscoveryspywarestealertrojan