Extracted

• • Target

    2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858

  • Size

    521KB

  • MD5

    5fe1f92b221d98a8504139a2792265f8

  • SHA1

    5faf25f3ee80a45b85f4d1fb971ab9cfd1ff174d

  • SHA256

    2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858

  • SHA512

    b40a7cb1cfd119883e3ae5126b50a73641f184daa49eddc620728a1a2c8e4b5c2e6154bad5a0b6faf053c8049144208ffe4e209611df94e995489b9257ff362d

  • SSDEEP

    12288:kQi3ceLI4OjuBxPnk6tnq6m6URA3Phmyawo+sdsikeEDmBlyZC3:kQiF7nphh/8+sdkvmOQ3

  Score

  10^/10

  ffdroidernymaimsmokeloaderbackdoorevasionpersistencestealertrojanvmprotect

  • Detects Smokeloader packer

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    trojannymaim

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Checks for common network interception software

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Executes dropped EXE

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1