General

  • Target: cf5fa96f42120ec1a33fac86ac171e1fe669b05b2e35b51e2e24249650f9a2b8.exe
  • Size: 285KB
  • Sample: 241015-cmlvyssgpn
  • MD5: 09d0e438a6a8666361559becb0359e5f
  • SHA1: 2a870a63e10c2df1b3b86e16f779b016bb5a9613
  • SHA256: cf5fa96f42120ec1a33fac86ac171e1fe669b05b2e35b51e2e24249650f9a2b8
  • SHA512: aa632e26621a1e4cc7807d69432a201d6b7eb67b1f5457d9c682b97bbbd15beabe25c4f6101bbeca8ae8fd209aa3ad8b636968ed8e945d0971b90d61287456a3
  • SSDEEP: 6144:RaB7QKCdaGjwphcO7KKgKPQczi3O7qOLntCUesY5e74dEO:o7QKCAGB7Js42Y5e74dEO

Malware Config

Extracted

  • Family: redline
  • Botnet: scarlet
  • C2: 94.103.125.119:1334

Extracted

  • Family: lumma
  • C2


Extracted

  • Family: redline
  • Botnet: 7772121777
  • C2: 87.120.127.223:42128

Targets


    • Lumma Stealer, LummaC: Lumma or LummaC is an infostealer written in C++, first seen in August 2022.
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • SectopRAT: SectopRAT is a remote access trojan first seen in November 2019.
    • SectopRAT payload
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Downloads MZ/PE file
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks