General

  • Target

    bd7adc4a910dd1433eef94e8660718759ce60887d5540f0733e0b5179c1460fb

  • Size

    198KB

  • Sample

    230411-l1t8xsdd7s

  • MD5

    7b160ddabf10aaaf6a5533b519ea64c8

  • SHA1

    89db6e0dca5bce8e22e82be4dbb7ed3ab2f7bfee

  • SHA256

    bd7adc4a910dd1433eef94e8660718759ce60887d5540f0733e0b5179c1460fb

  • SHA512

    3602930295116e011e9184e4d0c9f8a66501bb884b50fc574ea728cfce1ce940c81fd11ff8f964eee0f5d081fbaab977a9da1d2979fffd78386af073dd748bce

  • SSDEEP

    3072:IHRRsAKdinlM6bbMQOg9MrKZOY1qAndSPCCTAajbj537flXBjx:+CcnlZPMUyesgbndSPCCTAajl7ffjx

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

1

0x090cd984

rc4.i32

1

0x0d8ab546

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

vidar

Version

3.4

Botnet

e749025c61b2caca10aa829a9e1a65a1

C2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes
  • profile_id_v2

    e749025c61b2caca10aa829a9e1a65a1

  • user_agent

    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

C2

http://185.106.92.74

Attributes
  • api_key

    bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
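
The network indicators above (SmokeLoader C2 domains, Laplas C2 IPs, Vidar dead-drop URLs and Vidar's hard-coded User-Agent) are only useful once they are matched against traffic logs. The following script is an added example written for this report, not sandbox output; it hunts those exact indicators in DNS and HTTP proxy logs. The log formats and all log lines are constructed for the demonstration. Note that the Vidar entries live on shared sites (steamcommunity.com, t.me), so they are matched on host plus path only, never on the bare domain.

```python
"""Hunt the C2 indicators extracted from this sample in DNS and HTTP proxy logs.

Added example for this report, not part of the sandbox output.  The log
formats and the log lines below are constructed for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the extracted configs in this report.
SMOKELOADER_C2 = [
    "http://hoh0aeghwugh2gie.com/",
    "http://hie7doodohpae4na.com/",
    "http://aek0aicifaloh1yo.com/",
    "http://yic0oosaeiy7ahng.com/",
    "http://wa5zu7sekai8xeih.com/",
]
LAPLAS_C2 = ["http://45.159.189.105", "http://185.106.92.74"]
# Vidar reads its real C2 address from these public profiles (dead-drop resolvers).
VIDAR_DEAD_DROPS = [
    "https://steamcommunity.com/profiles/76561199494593681",
    "https://t.me/auftriebs",
]
VIDAR_UA = ("Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) "
            "Gecko/20100101 Firefox/105.0")


def build_indicators():
    """Map (kind, value) keys to a family name.

    Dedicated C2 hosts match on the bare domain or IP whatever the path.  The
    dead-drop resolvers sit on shared sites, so they match on host + path only:
    steamcommunity.com or t.me on their own must never fire.
    """
    ind = {}
    families = (("smokeloader", SMOKELOADER_C2), ("laplas", LAPLAS_C2),
                ("vidar", VIDAR_DEAD_DROPS))
    for family, urls in families:
        for url in urls:
            p = urlparse(url)
            host = p.hostname.lower()
            path = p.path.rstrip("/")
            if path:
                ind[("url", host + path)] = family
                continue
            try:
                ipaddress.ip_address(host)
                ind[("ip", host)] = family
            except ValueError:
                ind[("domain", host)] = family
    return ind


def match_dns(line, ind):
    """Constructed DNS log format: '<ts> <client> <qtype> <query>'."""
    ts, client, _qtype, query = line.split()
    family = ind.get(("domain", query.lower().rstrip(".")))
    return (ts, client, "dns", query, family) if family else None


HTTP_RE = re.compile(r'(\S+) (\S+) (\S+) (\S+) "([^"]*)"')


def match_http(line, ind):
    """Constructed proxy log format: '<ts> <client> <method> <url> "<user-agent>"'."""
    m = HTTP_RE.match(line)
    if not m:
        return []
    ts, client, _method, url, ua = m.groups()
    p = urlparse(url)
    host = (p.hostname or "").lower()
    hits = []
    for key in (("ip", host), ("domain", host), ("url", host + p.path.rstrip("/"))):
        family = ind.get(key)
        if family:
            hits.append((ts, client, key[0], key[1], family))
    # Vidar hard-codes a Linux Firefox User-Agent; from a Windows host that string alone is a tell.
    if ua == VIDAR_UA:
        hits.append((ts, client, "user_agent", ua, "vidar"))
    return hits


def hunt(dns_text, http_text):
    """Return every (ts, client, kind, value, family) hit across both logs."""
    ind = build_indicators()
    hits = []
    for line in dns_text.splitlines():
        if line.strip():
            hit = match_dns(line, ind)
            if hit:
                hits.append(hit)
    for line in http_text.splitlines():
        hits.extend(match_http(line, ind))
    return hits


# Constructed sample logs (not real traffic); the third DNS line checks case folding
# and the third HTTP line is an unrelated Steam profile that must not match.
DNS_LOG = """\
2023-04-11T10:01:02 10.0.0.5 A hoh0aeghwugh2gie.com
2023-04-11T10:01:03 10.0.0.5 A update.microsoft.com
2023-04-11T10:01:07 10.0.0.5 A WA5ZU7SEKAI8XEIH.COM
"""
HTTP_LOG = """\
2023-04-11T10:01:09 10.0.0.5 GET http://45.159.189.105/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-04-11T10:01:10 10.0.0.5 GET https://steamcommunity.com/profiles/76561199494593681 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
2023-04-11T10:01:11 10.0.0.5 GET https://steamcommunity.com/profiles/76561199000000000 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-04-11T10:01:12 10.0.0.5 GET https://t.me/auftriebs "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
"""

if __name__ == "__main__":
    for hit in hunt(DNS_LOG, HTTP_LOG):
        print(*hit, sep="\t")
```

Running the script against the constructed logs yields seven hits: two SmokeLoader domain lookups (one only after case folding), one Laplas IP contact, and four Vidar hits (two dead-drop URLs plus the Linux Firefox User-Agent on each). The benign Steam profile and update.microsoft.com produce nothing, which is the property to preserve when you load these indicators into a real matcher.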

Targets

    • Target

      bd7adc4a910dd1433eef94e8660718759ce60887d5540f0733e0b5179c1460fb

    • Size

      198KB

    • MD5

      7b160ddabf10aaaf6a5533b519ea64c8

    • SHA1

      89db6e0dca5bce8e22e82be4dbb7ed3ab2f7bfee

    • SHA256

      bd7adc4a910dd1433eef94e8660718759ce60887d5540f0733e0b5179c1460fb

    • SHA512

      3602930295116e011e9184e4d0c9f8a66501bb884b50fc574ea728cfce1ce940c81fd11ff8f964eee0f5d081fbaab977a9da1d2979fffd78386af073dd748bce

    • SSDEEP

      3072:IHRRsAKdinlM6bbMQOg9MrKZOY1qAndSPCCTAajbj537flXBjx:+CcnlZPMUyesgbndSPCCTAajl7ffjx

    • Laplas Clipper

      Laplas is a clipboard hijacker (clipper) that swaps cryptocurrency wallet addresses copied by the victim for attacker-controlled ones; it exists in three variants written in Golang, C#, and C++.

    • SmokeLoader

      Modular downloader/backdoor trojan that has been in use since at least 2014; here it stages the Laplas and Vidar payloads.

    • Vidar

      Vidar is an infostealer based on Arkei stealer. It resolves its real C2 address from dead-drop posts on public profiles, which is why the C2 entries extracted above point at a Steam profile and a Telegram channel rather than at the C2 server itself.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers target data stored by web browsers, which can include saved credentials, cookies, session tokens and autofill data.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThread with ThreadHideFromDebugger (anti-debugging: the thread stops delivering debug events)
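
Several of the signatures above (Run key added, Uninstall key enumeration, country-code lookup, ThreadHideFromDebugger) are registry or API calls that a sandbox or EDR trace records directly. The following detector is an added example written for this report, not sandbox code. It assumes a hypothetical pipe-separated trace format `<pid>|<api>|<target>|<arg>[|<data>]` and a constructed trace; a real trace needs its own parser in place of parse_line(). The country-code rule assumes the lookup hits HKCU\Control Panel\International\Geo\Nation, the usual location for that value.

```python
"""Flag the host-side behaviours listed above in a registry/API trace.

Added example for this report, not code from the sandbox.  The trace format
'<pid>|<api>|<target>|<arg>[|<data>]' and the lines below are constructed; a
real sandbox or EDR trace would need its own parser in place of parse_line().
"""
import re

# (signature, api pattern, target pattern, arg pattern or None)
# ThreadHideFromDebugger is THREADINFOCLASS 17 (0x11).
RULES = [
    ("adds_run_key", r"^RegSetValue", r"\\CurrentVersion\\Run(Once)?$", None),
    ("enumerates_installed_software", r"^Reg(Open|Enum)Key", r"\\CurrentVersion\\Uninstall$", None),
    ("checks_computer_location", r"^RegQueryValue", r"\\Control Panel\\International\\Geo$", r"^Nation$"),
    ("hides_thread_from_debugger", r"^NtSetInformationThread$", r".", r"^(0x11|17)$"),
]
COMPILED = [(name, re.compile(a, re.I), re.compile(t, re.I), re.compile(v, re.I) if v else None)
            for name, a, t, v in RULES]


def parse_line(line):
    """Split one constructed trace line into (pid, api, target, arg)."""
    parts = line.split("|")
    if len(parts) < 3:
        return None
    pid, api, target = parts[0], parts[1], parts[2]
    arg = parts[3] if len(parts) > 3 else ""
    return pid.strip(), api.strip(), target.strip(), arg.strip()


def classify(api, target, arg):
    """Return the signature names that a single API call matches."""
    names = []
    for name, api_re, target_re, arg_re in COMPILED:
        if api_re.search(api) and target_re.search(target) and (arg_re is None or arg_re.search(arg)):
            names.append(name)
    return names


def detect(trace_text):
    """Map (pid, signature) to the first trace line that triggered it."""
    hits = {}
    for line in trace_text.strip().splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        pid, api, target, arg = rec
        for name in classify(api, target, arg):
            hits.setdefault((pid, name), line)
    return hits


# Constructed trace (not real sandbox output).  pid 4412 performs all four
# behaviours; the Explorer\ShellState write and the pid 5100 ProductName read
# are benign noise that must not fire.
TRACE = r"""
4412|RegQueryValueExW|HKCU\Control Panel\International\Geo|Nation
4412|RegOpenKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall|
4412|RegEnumKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall|0
4412|RegEnumKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall|1
4412|NtSetInformationThread|0x1c4|0x11
4412|RegSetValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Updater|C:\Users\admin\AppData\Roaming\updater.exe
4412|RegSetValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer|ShellState|0
5100|RegQueryValueExW|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion|ProductName
"""

if __name__ == "__main__":
    for (pid, name), evidence in sorted(detect(TRACE).items()):
        print(f"{pid}\t{name}\t{evidence}")
```

The rules key on the tail of the registry path, so HKCU, HKLM and WOW6432Node variants of Run/RunOnce and Uninstall are all caught, and repeated RegEnumKeyExW calls collapse into one finding per process. None of these behaviours is malicious on its own (installers write Run keys, inventory agents walk Uninstall), which is why a sandbox reports them as signatures to be weighed together rather than as verdicts.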
