Extracted

• • Target

    d5f744e39a1c58cdc50018233882c5cb2762ceba9fefad7fbb623dfe548b7dce

  • Size

    207KB

  • MD5

    9d7d6a09952da6397ff7d3b6fcb604c3

  • SHA1

    8c87a053685db523cc629f737cca8296de9cb5db

  • SHA256

    d5f744e39a1c58cdc50018233882c5cb2762ceba9fefad7fbb623dfe548b7dce

  • SHA512

    21c062272f367a42b1b10ec96061c47bb7cf2279678e25e73abb490da290cb92f4670d1a9651b3f07d9ea8eac4ceb8a69c5bf360f9803a8e2d7adf5afa87fd4b

  • SSDEEP

    3072:kXtlfKYYlomI5Og5K76G9Hyj/npg0WKa0AkSVL4hi:gfh5Jm9oxERhkS

  Score

  10^/10

  lummasmokeloaderbackdoorcollectiondiscoverypersistencespywarestealertrojan

  • Detects Smokeloader packer

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Sets DLL path for service in the registry

    persistence

  • Sets service image path in registry

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1