Extracted

• • Target

    00000fa1585e99fcb5e8728b96f173ff61b08fc152e2f50d715f6d596dec42fb

  • Size

    207KB

  • MD5

    e0b278e2bd5ea5c478ec674a4ad5dccf

  • SHA1

    9e2712b75507ead833172f004cb765b892bd7216

  • SHA256

    00000fa1585e99fcb5e8728b96f173ff61b08fc152e2f50d715f6d596dec42fb

  • SHA512

    2b46afb0acf20e3665336cf208ed2f0633f0ee9067133aac0da134a241b3ababd08e175e9e5ac46297f8084217b3602a061f178d217d0ccdad123781a05de432

  • SSDEEP

    3072:WXNbSeSOqi+rKfA6vmg35SqxD7IFr5jadTC2mt9Y/mfouJOxk9Mkapb:+Ii+rKfAfTqt8l5ep8AY+p

  Score

  10^/10

  lummasmokeloaderbackdoorcollectiondiscoverypersistencespywarestealertrojan

  • Detects Smokeloader packer

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Sets DLL path for service in the registry

    persistence

  • Sets service image path in registry

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1