General

  • Target: 1a4153bee0accf2081fa21641607cf63.exe
  • Size: 249KB
  • Sample: 220915-qy4rssghgq
  • MD5: 1a4153bee0accf2081fa21641607cf63
  • SHA1: d9c10d909fa2890eaa4cc83d0af5ff136d3da7f8
  • SHA256: 514205bc5501a947f851a61ac9e7b6eef3e60ca670fd10c7d67352fdbea3123e
  • SHA512: 4519ee212f115d2c6ef62a63e33768cc2cd0d4d37995fc817a55fc4cfe8a80836ea20a2788283830729a062cc5c76a979747f452c4ec041a6366f42be1248e8a
  • SSDEEP: 3072:tXMomAQ8ILiN2RhN5Cc3aBbvLZx3yzfW89OFJmQI0Khr/Or3XM/h3BsxkgaBChUC:p9WLiERf3qzyfl08/ObXniga

Malware Config

Extracted

  • Family: redline
  • Botnet: @Geralt_Work
  • C2: 84.38.189.24:40966
  • Attributes
    • auth_value: b3a5a978ca6c153133c1e3c861610714

Targets

    • Detects Smokeloader packer

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext