Extracted

Extracted

• • Target

    whites1213.exe

  • Size

    7.9MB

  • MD5

    8398fc4aa3a5a5ab6ae7ed394b449d0a

  • SHA1

    820ce4bb8eb51e31effa41e6829e84089b728760

  • SHA256

    f25fab3f64bad2cd989035dd854b761fe06b97e76291bd180991d21d91ea5c22

  • SHA512

    a44ff33aa8b477ee8a2bae6a3ac93da85df9a5fdf906baaa54b2513396df94b304bc626159e4d95561097bd3d112826e4254069320fc95f3fc167d9350234c61

  • SSDEEP

    98304:mHZ28VaNl6GdtOjCiEj5P6pziE5Psj1ZC/bIMqiiTpYXHQtG5nuPAUV:m6ThtSpeqso4iKG5n

  Score

  10^/10

  cryptbotlummadefense_evasiondiscoveryspywarestealeradwarepersistenceprivilege_escalation

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • Cryptbot family

    cryptbot

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Enumerates VirtualBox registry keys

    defense_evasion

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  behavioral1behavioral2behavioral3