Extracted

• • Target

    god jab.png

  • Size

    685KB

  • MD5

    cb3e014d6122af3b43933bb571859ae7

  • SHA1

    a2936b702298dd773b8773903f3ce98399738d1f

  • SHA256

    8f5c4bc356f2c00fcad015da8e52ca6173387edc93c75ae8c0c8fcf467283c2a

  • SHA512

    7f6effef5cca34130c8bad47fbe502f5c91d1fb4d2d6828c3efde1733fbcd7ae52a7df897cde509ff8428d5fac19b3a1ab4854c6ca3f1bc362445e36d2412d1e

  • SSDEEP

    12288:tg6zFAoqmcjAPSRwWike2c6/MK+5qDcRC39ikyVEJQ+zFobsV:KCCbntRwWYvj4cy5yKzFobk

  Score

  10^/10

  lummapurelogsadwarediscoveryevasionmacropersistencespywarestealertrojanupx

  • Detect PureLogs payload

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma

  • PureLogs

    PureLogs is an infostealer written in C#.

    stealerpurelogs

  • Contacts a large (573) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Creates new service(s)

    persistence

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Stops running service(s)

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Registers COM server for autorun

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks for any installed AV software in registry

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Document created with cracked Office version

    Office document contains Grizli777 string known to be caused by using a cracked version of the software.

    macro

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1