General

  • Target

    17788c4bfa647b05751138f7e96edf03.exe

  • Size

    267KB

  • Sample

    221010-pmrgnabgc8

  • MD5

    17788c4bfa647b05751138f7e96edf03

  • SHA1

    b898478a64450cc28b85f27b0a3365c9cd4d8af1

  • SHA256

    187d17124e094fe0e9f2115d7c538c8a98d33242cd0f14c475ead520d08c1eb0

  • SHA512

    45ef3053e0da9e81596f75b6e228ad7e06290737d90a17c0dc38440b1bd04666a2a9adb68e5ee918b74252437dc001be048c478861de1c6d1de06106f19f5b8d

  • SSDEEP

    3072:rXYChY9AUUQKpXHKm5bEq/AVPFUTVsPErvYYWrxpzbgqruEqypZa9uD6VdyhksRP:Dl9pX/Eq/AVPsPDYYuzbgwudywVfs

Malware Config

Extracted

Family

redline

Botnet

Morn

C2

80.66.87.20:80

Attributes
  • auth_value

    98b8a59d3016c72d785854c61b951f1a
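Added example, not part of the sandbox report: the hashes listed under General and the C2 extracted above, turned into a small matcher that hashes a file with every algorithm the report gives and scans a Zeek conn.log for flows to the C2 address. The conn.log excerpt is constructed, the 10.0.0.x and 203.0.113.10 addresses are placeholders, and SSDEEP is left out because it needs a separate library.

```python
"""Match the indicators from this report (file hashes and the extracted C2)
against local evidence. Added example for this page, not sandbox output."""
import hashlib

# Values copied verbatim from the report.
SAMPLE_HASHES = {
    "md5": "17788c4bfa647b05751138f7e96edf03",
    "sha1": "b898478a64450cc28b85f27b0a3365c9cd4d8af1",
    "sha256": "187d17124e094fe0e9f2115d7c538c8a98d33242cd0f14c475ead520d08c1eb0",
    "sha512": "45ef3053e0da9e81596f75b6e228ad7e06290737d90a17c0dc38440b1bd04666a2a9adb68e5ee918b74252437dc001be048c478861de1c6d1de06106f19f5b8d",
}
HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")
C2_ENDPOINTS = {("80.66.87.20", 80)}
C2_HOSTS = {host for host, _ in C2_ENDPOINTS}


def file_hashes(data: bytes) -> dict:
    """Compute every digest the report lists, so each can be compared directly."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def matching_hashes(data: bytes) -> list:
    """Return the algorithms whose digest equals the report's value.

    A SHA-256 or SHA-512 match identifies the sample. MD5 is collision-prone,
    so treat an MD5-only match as a lead to confirm, not as identification.
    """
    digests = file_hashes(data)
    return [algo for algo in HASH_ALGOS if digests[algo] == SAMPLE_HASHES[algo]]


def parse_zeek_conn(log: str) -> list:
    """Parse Zeek conn.log TSV using its own #fields header; other # lines are metadata."""
    fields, rows = None, []
    for line in log.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log has no #fields header before data rows")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_c2_connections(log: str) -> list:
    """Flag every flow to a C2 host and note whether the port matches the config.

    The config names host:port, but a bot can be moved to another port on the
    same address, so the host alone is enough to alert on.
    """
    hits = []
    for row in parse_zeek_conn(log):
        host, port = row["id.resp_h"], int(row["id.resp_p"])
        if host in C2_HOSTS:
            hits.append({"src": row["id.orig_h"], "dst": host, "port": port,
                         "exact": (host, port) in C2_ENDPOINTS})
    return hits


# Constructed conn.log excerpt (not real traffic): one exact C2 hit, one benign
# flow to a TEST-NET address, one flow to the C2 address on a different port.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1665400000.123\tCx1a\t10.0.0.5\t49712\t80.66.87.20\t80\ttcp",
    "1665400001.456\tCx1b\t10.0.0.5\t49713\t203.0.113.10\t443\ttcp",
    "1665400002.789\tCx1c\t10.0.0.7\t49800\t80.66.87.20\t8080\ttcp",
])

if __name__ == "__main__":
    for hit in find_c2_connections(CONN_LOG):
        print(hit)
    print(matching_hashes(b"not the sample"))  # [] because this is not the reported file
```

Feed `file_hashes` the bytes of a suspect file and `find_c2_connections` a real conn.log; the parser reads the column layout from the `#fields` line, so it tolerates conn.log variants with extra columns.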

Targets

    • Target

      17788c4bfa647b05751138f7e96edf03.exe

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
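Added example, not part of the sandbox report: a triage pass over Sysmon-style events for two of the behaviours listed above, "Adds Run key to start application" and "Executes dropped EXE". The events are constructed in the shape of Sysmon Event ID 1 (process create), 11 (file create) and 13 (registry value set); the dropped file name `payload.exe`, the user name and the SID are placeholders.

```python
"""Triage constructed Sysmon-style events for two behaviours the signatures
list: "Adds Run key to start application" and "Executes dropped EXE".
Added example for this page, not sandbox output."""
import re

# Autorun keys Sysmon reports in TargetObject for Event ID 13 (registry value set).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Directories an unprivileged user can write to; dropped payloads usually land here.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|ProgramData|Users\\Public|Downloads)\\",
    re.IGNORECASE)


def flag_run_key_writes(events: list) -> list:
    """Event ID 13 writes under a Run/RunOnce key; the hit records whether the
    persisted command points into a user-writable directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        details = ev.get("Details", "")
        hits.append({
            "image": ev.get("Image", ""),
            "key": ev["TargetObject"],
            "command": details,
            "user_writable": bool(USER_WRITABLE_RE.search(details)),
        })
    return hits


def flag_dropped_exe_execution(events: list) -> list:
    """Event ID 1 where parent and child both run from user-writable paths and
    differ: the dropper-launches-payload pattern behind "Executes dropped EXE"."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        if (USER_WRITABLE_RE.search(image) and USER_WRITABLE_RE.search(parent)
                and image.lower() != parent.lower()):
            hits.append({"parent": parent, "image": image})
    return hits


SAMPLE = r"C:\Users\victim\Downloads\17788c4bfa647b05751138f7e96edf03.exe"
DROPPED = r"C:\Users\victim\AppData\Local\Temp\payload.exe"  # hypothetical name
# Constructed events (not real telemetry); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": DROPPED},
    # Benign comparison: a vendor installer persisting a binary under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for hit in flag_run_key_writes(SAMPLE_EVENTS) + flag_dropped_exe_execution(SAMPLE_EVENTS):
        print(hit)
```

Sysmon only emits Event ID 13 for keys its configuration includes, so confirm the RegistryEvent rules cover `CurrentVersion\Run` before relying on this; the `user_writable` flag separates the Temp-resident payload from the Program Files entry rather than alerting on every Run key write.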
