Extracted

Extracted

Extracted

Extracted

• • Target

    calc.exe

  • Size

    44KB

  • MD5

    2f82623f9523c0d167862cad0eff6806

  • SHA1

    5d77804b87735e66d7d1e263c31c4ef010f16153

  • SHA256

    9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb

  • SHA512

    7fe8285e52355f2e53650dc4176f62299b8185ed7188850e0a566ddef7e77e1e88511bdcf6f478c938acef3d61d8b269e218970134e1ffc5581f8c7be750c330

  • SSDEEP

    384:OtF1XO9GxgL7ol+WSvYWCiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiiiriM:QOOgL7E4r

  Score

  10^/10

  gurcuredlinesmokeloaderpub2rocketbackdoordiscoveryinfostealerspywarestealertrojanupx

  • Gurcu

    Gurcu stealer is a malware written in C#.

    stealergurcu

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Uses the VBS compiler for execution

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2