Extracted

• • Target

    file.exe

  • Size

    210KB

  • MD5

    0d0655ac3327465e342c8643e0aec261

  • SHA1

    3b60b63f926a4ef0821bc359858fec339327517f

  • SHA256

    19533506a74a8fd80ba932ca930c0805d0f69095d5820683ff757785dbb4359e

  • SHA512

    1b00d21f5de948ef4d5be4a5593eb9a83dcccb84d1bd5ded3c2846a606e731f8d14074cfaaa5511c0a57651239de1870bab314ff5f8fea56022c2b3bc878f970

  • SSDEEP

    3072:rMX15/9Gxad5gWGzaBUOxqNk7EWVRS8Nw4i:rIdGxbaBNx5EsSL

  Score

  10^/10

  smokeloaderbackdoortrojanlummacollectiondiscoverypersistencespywarestealer

  • Detects Smokeloader packer

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Sets DLL path for service in the registry

    persistence

  • Sets service image path in registry

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2