Extracted

• • Target

    9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5

  • Size

    206KB

  • MD5

    27563a743a23dadb84bb9b8eca509df7

  • SHA1

    38914555fc792f4e97f72ec7ad3420ca27b47d8d

  • SHA256

    9a36773bd13dc8187152f1b6eda52ab2e9b375746d6d7ff40db7bc230dde55a5

  • SHA512

    a2ba7353061b8a97a80addc1d96952e0b168f32eb765444e0cfaa1f18fbcf27359df91438c9dbbc922f97c79a7b679091c6afc887b2d423738360f50b1f6f094

  • SSDEEP

    3072:nXwM1MIy56tTQzB5XABqfz0seijbK+wpi1ARRxxwHRiQapb:XUIy56WzrXz8qK3kRKp

  Score

  10^/10

  lummasmokeloaderbackdoorcollectiondiscoverypersistencespywarestealertrojan

  • Detects Smokeloader packer

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Sets DLL path for service in the registry

    persistence

  • Sets service image path in registry

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1