Extracted

• • Target

    file.exe

  • Size

    207KB

  • MD5

    c8bc01211ac0a9e1ef771a215f2c0174

  • SHA1

    6e473114e786e396012a03518c5bb4acb275a6e8

  • SHA256

    ef17498293979b2ae37899f98912c1d06d3ac237e1f8fae4e31ca437e4b09d3c

  • SHA512

    bc6029c6e5fbc5e44b4f97968a729eb99a1dc3e57051b7b4419470783ea2f002adfcd7ade74d4fb5409c9403fedf1d90f98699c3efeb0053ac22adabe6e0b419

  • SSDEEP

    3072:kXNogTCS3EuOTF+Jsp5F5/7MP6bsEg+ohwg8U7yxwgO8uapb:gJCS3EuO0Jsr/m6wEg+Lg8U7rgOEp

  Score

  10^/10

  smokeloaderbackdoortrojanlummacollectiondiscoverypersistencespywarestealer

  • Detects Smokeloader packer

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Sets DLL path for service in the registry

    persistence

  • Sets service image path in registry

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2