General

  • Target

    6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe

  • Size

    5.1MB

  • Sample

    220905-3hpn6aggcq

  • MD5

    0727f10acffae1a2fbad5bdee8606d77

  • SHA1

    25a2190e389051017b0b512c0caa0e56d185d80a

  • SHA256

    6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad

  • SHA512

    f5fdd04b5dd1882b99dcff66e21ee2eb6efe5032f25130f3ca67fc089c841fbdd48e495fdf370e0460833e6f8848c48069174298181db45e8857bdb4c5bed781

  • SSDEEP

    98304:pAI+7WP8CGcEUNHnorSJwvvGBrHBHA8Fn6KhPpXjX2oPIn23U4jKuK5rQjKg0OFB:itM8C9EUN96viBHFn6Uhr/I23UEKuK58

Malware Config

  • Extracted

  • Family

    privateloader

  • C2

    http://212.193.30.45/proxies.txt

    http://45.144.225.57/server.txt

    http://wfsdragon.ru/api/setStats.php

    2.56.59.42

Targets

    • Detects Smokeloader packer

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6
