Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
11/04/2023, 09:06
General
-
Target
79dcef5f7b9c411ac92d820944ee9686dfe7d37678ee2ef4412dba7ad0eeec5c.exe
-
Size
198KB
-
MD5
7f1b14546d975e5ebb65cc8bcb5193a8
-
SHA1
1cd152880fe4523ac2043e1abe6cdbb5db64f5f1
-
SHA256
79dcef5f7b9c411ac92d820944ee9686dfe7d37678ee2ef4412dba7ad0eeec5c
-
SHA512
4ea89932a43e283a24f3e0b388d0cbd690f9df573dacb3b81cbead38a9e7671764cc4210ece7b683510fb34891ff24eed9ada1bbb3a8a38a5331619833cb700b
-
SSDEEP
3072:P5c3n6eOPAJ3q+Zc61rV7QtRhyw1jqmDQNbBcdOfREaVVPep:RnhPA9qYzu+onDQlBcd4pPG
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\79dcef5f7b9c411ac92d820944ee9686dfe7d37678ee2ef4412dba7ad0eeec5c.exe"C:\Users\Admin\AppData\Local\Temp\79dcef5f7b9c411ac92d820944ee9686dfe7d37678ee2ef4412dba7ad0eeec5c.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1BB6.exeC:\Users\Admin\AppData\Local\Temp\1BB6.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\25373667414117470759.exe"C:\ProgramData\25373667414117470759.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\ProgramData\85684342381683685323.exe"C:\ProgramData\85684342381683685323.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\85684342381683685323.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 04⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1BB6.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
308KB
MD50f05baf410acbdb5472a53529bf2000b
SHA1109fe4c8b160e56cbdbcdb226b155013c2050b53
SHA256257f3227f28be3d46cbb43378f0c59bbbff01638b3935c704726ab7384e339cf
SHA512e9a23c9422227b9500392266c4c454f7a800579916e1d530037ac5185e1b5ff80cc035c449dc04e9cd382125ce166cf560adea5525798972143b18beb1b20713
-
Filesize
308KB
MD50f05baf410acbdb5472a53529bf2000b
SHA1109fe4c8b160e56cbdbcdb226b155013c2050b53
SHA256257f3227f28be3d46cbb43378f0c59bbbff01638b3935c704726ab7384e339cf
SHA512e9a23c9422227b9500392266c4c454f7a800579916e1d530037ac5185e1b5ff80cc035c449dc04e9cd382125ce166cf560adea5525798972143b18beb1b20713
-
Filesize
426.9MB
MD5fc9d2554c562ed2a359f4dfd4616abfd
SHA15cae0f76e467d7ef010881b74d5c9367da583a70
SHA2569425fe107e3933559bd232eabac5e368ffd7bf5f3cb320a04db68d697fecde90
SHA512f458736d1ee15b09b1a7e85a121463bf65537b873cd4fbb2f388fe80b43b9a62375f199037547ae78c75e1a07ea95d13a4969b48da102c6e0d154aa49554aefb
-
Filesize
315.1MB
MD551bf5a007e092552cf2db47d6c32d787
SHA110535fe54e9de6cddd87b6403b88dd8effe17402
SHA2566730027a37b8907264a2048eef540ecf30c9a136ced92d9e24498e42f9af239c
SHA5120dca03b68b74ee51496a29ffa5bef423c36345424fa8d03507f3337421a3260c511ed6571208559d9a21fdd4bd0f0a90eecfdefa2fef5a3f3ae33e7758b26f6d
-
Filesize
322.4MB
MD5b034b0fadbf05acff20756caf02b3928
SHA1fa2d9f6273c289c18d36157e9fd0c419584afbde
SHA256d7fbd4868558f4f03d57efc92a96d3c806271896c758d7697579c6a205b63d8a
SHA512cf1654c3c6f70e8faebcc2a3859753cd81e086754331ed25af58063fe1d62da8a3143ad22857c4b07eb89ec9c1e03bfbb1ea5a0b3c1f4fc4df2328895706a4b4
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.2MB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
972KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
348KB
-
Filesize
748KB
-
Filesize
36KB
-
Filesize
640KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
12KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.2MB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
14.4MB
-
Filesize
14.4MB