Extracted

Extracted

• • Target

    22f33dea86638b485e3d53e50b3f646e904be95d4ca16f3bac3b8a38c81c5bb1

  • Size

    239KB

  • MD5

    448a585c9a4a6f561af40866684dea09

  • SHA1

    84f70bf3f53803a56b2e3d0e28e3b9101b3eb82a

  • SHA256

    22f33dea86638b485e3d53e50b3f646e904be95d4ca16f3bac3b8a38c81c5bb1

  • SHA512

    05402410f640b4c5a76c1a034867dc83eefad6e4167830aa2e2be2cc1a51d171377c2bc15369a1fce457b42353693abd64fa571a1aaf2bf950d276839c64aa99

  • SSDEEP

    6144:2D46fuYXChoQTjlFgLuCY1dRuAOQcZYLQw8y0:2MYzXChdTbv1bu1qLQw8y

  Score

  10^/10

  phobosredlinesmokeloaderup3backdoorgooglecollectiondiscoveryinfostealerphishingransomwarespywarestealertrojan

  • Detected google phishing page

    phishinggoogle

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1