Extracted

Extracted

• • Target

    13e73d2d887d4795826e1b67a01d85eba735fc4bb69d5149b5e94ef9ba3764b3

  • Size

    4.0MB

  • MD5

    b39d30d98988ced35553febddd654fa1

  • SHA1

    68e26d3ce991ce8b0047f319c50b501cf25ae1b6

  • SHA256

    13e73d2d887d4795826e1b67a01d85eba735fc4bb69d5149b5e94ef9ba3764b3

  • SHA512

    3226a7624a9cceb1fec416da8f6fcf7838a351c4bd7f5d87147ae8130e6efe19608f21918df51329755326e48a9bdee872cd10bafdb7d8f9dd186cf75e8fd3ef

  • SSDEEP

    98304:HYMeRQg6dSsn4zsZtNijfpYS7SEawe1BrTkB8:4Mq6JZtY9M1BX

  Score

  10^/10

  bitratsmokeloaderbackdoorcollectionpersistencetrojanvmprotect

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2