General

  • Target: ReturnSouls.rar
  • Size: 73.5MB
  • Sample: 240508-3b7w6afe63
  • MD5: 8c8b1956c19c6bb3df42ec766e9073b3
  • SHA1: fca6f4f4b15bf98ac910a5b6cc1ce9282dc6776f
  • SHA256: 5104e9e1fab191cabfd84c3ec58a55ccdf5cd9fb5a9c635417106b1705655717
  • SHA512: 5b36ce642eee744d931ac41bb60987d97e4e019d46e6d330b27e291b25e45de57950a7c8fd420d310b866ab8bdc363b6ba9a7e9198a9547b6e832b7f8ae44ef6
  • SSDEEP: 1572864:g/J39KNRL9MXPoB8ceyIS7nqYdd6hIEhSmnJZxRByuyXFPj:gqN19Mfo/vP7nMhJnzxRB5yXdj

Malware Config

Targets

    • Target: ReturnSouls.exe
    • Size: 73.5MB
    • MD5: 0d236beb0146f2f90033bd92a74c5e07
    • SHA1: 54becc593bd5cc2e5504e39c4552073901d0562f
    • SHA256: 24f10f5416bbce596e8de56981fc5972bcef0c0062275ce0b9543adea13a42f6
    • SHA512: 9115ad3875e44572482cfef3f918d579e0d40fa0050d99c194dfb8101cee5c1e46840cd98e79783d82749ac3730193b3b6f11ae2d522fb82a62a475e783fc3f0
    • SSDEEP: 1572864:G/J39KNRL9MXPoB8ceyIS7nqYdd6hIEhSmnJZxRByuyXFPJ:GqN19Mfo/vP7nMhJnzxRB5yXdJ

    • Checks computer location settings

      Looks up the country code configured in the registry; this is likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

MITRE ATT&CK Enterprise v15

Tasks