Extracted

• • Target

    18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3

  • Size

    210KB

  • MD5

    ebd42ae578479719653b35c33554ccc5

  • SHA1

    da79aceadb98f5198c218438e1ff13900b206ec9

  • SHA256

    18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3

  • SHA512

    0eaf3f62705ddab16e14a077bc29c52b22a99dd9b2212dcd0aeec9d92843b79b65bdde3b14a9170fc424aace760a6c80970916547039fa697814e7be639c1f12

  • SSDEEP

    1536:gMQuk7EPCnpn2XcxezpkQYCPt9ldnXEp6Zd5X581Z1EnVx7C0NDuYHCx3IkwLuTy:gMXWEo+/hd5p73762CxYXSNti

  Score

  10^/10

  lummasmokeloaderbackdoorcollectiondiscoverypersistencespywarestealertrojan

  • Detects Smokeloader packer

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Sets DLL path for service in the registry

    persistence

  • Sets service image path in registry

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1