Extracted

Extracted

• • Target

    deflated-gimp-2.10.32.-setup-1.exe

  • Size

    217KB

  • MD5

    009d70132e15d6f0bf593da170f0b7b0

  • SHA1

    5a1bd8f31059de4e46778510fffd23c87bc32740

  • SHA256

    af8ea2ae4917c68825f1c60f3900634cc7c2d3d2de079215f1aacf116841418c

  • SHA512

    5192b9c860b4e10a329b181f4419cd7443f602ec9174d9c538e0843d10e59e4472df0e1b2a6572d96f89ad061eb1f6ea6240c8dd11d860664f93500dbee4824d

  • SSDEEP

    3072:uI71VdaROKutNI6mKR0QHTT1Xm4B1jj0hhih3GD2xvwN64u/KKR7:uInda0KuksNzB1jjAoGD2lww4V

  Score

  10^/10

  purecrypterredlineredlinediscoverydownloaderinfostealerloaderpersistencespywarestealeraurora

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

    stealeraurora

  • Detect PureCrypter injector

    loader

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2