Extracted

• • Target

    ef29810888ad295d69a976e001c5dd3e78d7b53f1ec90b20e5268a7970b8e3bf

  • Size

    206KB

  • MD5

    f302ff4368211d76038d80bf744078fe

  • SHA1

    6f8ab7ae0b5e334eb62b9a14c9a676e2ee8a5e1b

  • SHA256

    ef29810888ad295d69a976e001c5dd3e78d7b53f1ec90b20e5268a7970b8e3bf

  • SHA512

    f88238ecdf4ddf5ba70c693146186b62894899a71503cc9b7e2318ee5dc70307d658a6ad6920c8bc4ca12195fe477b93b17f0a62a246a2a95292f5bfe9c0c81a

  • SSDEEP

    3072:4XtLOx8m1MpuWeHT0M52inxSj1BQtLdaxpdQuNcjMXjxRNQapb:Mox1MpuTAcnxSj1Y6LQuNcjkrp

  Score

  10^/10

  lummasmokeloaderbackdoorcollectiondiscoverypersistencespywarestealertrojan

  • Detects Smokeloader packer

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Sets DLL path for service in the registry

    persistence

  • Sets service image path in registry

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1