The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware | FortiGuard Labs
Tags
cmtmf-attack-pattern: Application Layer Protocol Command And Scripting Interpreter Process Injection
maec-delivery-vectors: Watering Hole
attack-pattern: Data Datasets Application Layer Protocol - T1437 Clipboard Data - T1414 Command And Scripting Interpreter - T1623 Dns - T1071.004 Dns - T1590.002 Exfiltration Over C2 Channel - T1646 Exfiltration Over Web Service - T1567 File And Directory Discovery - T1420 Gather Victim Host Information - T1592 Indicator Removal On Host - T1630 Input Capture - T1417 Internal Proxy - T1090.001 Keylogging - T1056.001 Keylogging - T1417.001 Malware - T1587.001 Malware - T1588.001 System Information Discovery - T1426 Powershell - T1059.001 Process Injection - T1631 Rundll32 - T1218.011 Server - T1583.004 Server - T1584.004 Service Execution - T1569.002 Software - T1592.002 System Services - T1569 Windows Command Shell - T1059.003 Timestomp - T1070.006 Web Protocols - T1071.001 Web Protocols - T1437.001 Tool - T1588.002 Standard Application Layer Protocol - T1071 Clipboard Data - T1115 Command-Line Interface - T1059 Connection Proxy - T1090 Data Encoding - T1132 Deobfuscate/Decode Files Or Information - T1140 Exfiltration Over Command And Control Channel - T1041 File And Directory Discovery - T1083 Indicator Removal On Host - T1070 Input Capture - T1056 Modify Registry - T1112 Powershell - T1086 Process Injection - T1055 Rundll32 - T1085 Service Execution - T1035 System Information Discovery - T1082 Timestomp - T1099 Indicator Removal On Host
Common Information
Type Value
UUID 59bebb92-d3b9-4690-8e52-980b4092e213
Fingerprint 2c5c1571c632a8d9
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 25, 2022, midnight
Added to db Sept. 11, 2022, 12:38 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware
Title The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware | FortiGuard Labs
Detected Hints/Tags/Attributes 114/3/104
Attributes
Details Type #Events CTI Value
Details Domain 2
taboola.com
Details Domain 6
s-microsoft.com
Details Domain 2
gmy.cimadlicks.net
Details Domain 2
app.tomelife.com
Details Domain 2
community.weblives.net
Details File 1018
rundll32.exe
Details File 3
sdc-integrity.dat
Details File 2
sntpservice.dll
Details File 55
msdtc.exe
Details File 1122
svchost.exe
Details File 2
scs-integrity.dat
Details File 1
avpcon.dll
Details File 1260
explorer.exe
Details File 2
c:\windows\sndvolsso.dll
Details File 1
c:\users\minh\appdata\local\onedrive\cache.dat
Details File 2
c:\programdata\users.inf
Details File 4
cache.dat
Details File 1208
powershell.exe
Details File 7
7zr.exe
Details File 7
c:\windows\system32\wlbsctrl.dll
Details File 2
c:\windows\system32\ikeext2.dll
Details File 2
c:\windows\system32\d6w48ttth.dll
Details File 2
c:\windows\system32\shsvc.dll
Details File 2
c:\windows\system32\netcsvc.dll
Details File 2
c:\windows\system32\fc2qhm7r9.dll
Details File 2
svrldr_xpsservices.dll
Details File 2
timedateapi.dll
Details File 12
msfte.dll
Details File 2
wsecapi.dll
Details File 2
c:\programdata\microsoft\svchost.exe
Details File 2
nvstreamer.dll
Details File 2
helpsvc32.dll
Details File 2
svcldr64.dll
Details File 2
dataoper64.dll
Details File 2
%localappdata%\onedrive\cache.dat
Details File 2
c:\programdata\security_checker\sc.dll
Details File 2
c:\programdata\xps viewer\xpsservices.dll
Details File 2
msado28.dll
Details File 2
c:\programdata\networks.dat
Details File 2
c:\programdata\microsoft\crypto\rsa\keys.dat
Details File 1
sds-integrity.dat
Details IPv4 3
193.0.14.129
Details IPv4 295
8.8.8.8
Details IPv4 2
23.91.108.12
Details MITRE ATT&CK Techniques 174
T1569.002
Details MITRE ATT&CK Techniques 440
T1055
Details MITRE ATT&CK Techniques 550
T1112
Details MITRE ATT&CK Techniques 126
T1567
Details MITRE ATT&CK Techniques 422
T1041
Details MITRE ATT&CK Techniques 96
T1132
Details MITRE ATT&CK Techniques 1006
T1082
Details MITRE ATT&CK Techniques 585
T1083
Details MITRE ATT&CK Techniques 504
T1140
Details MITRE ATT&CK Techniques 442
T1071.001
Details MITRE ATT&CK Techniques 118
T1056.001
Details MITRE ATT&CK Techniques 333
T1059.003
Details MITRE ATT&CK Techniques 82
T1115
Details MITRE ATT&CK Techniques 50
T1592
Details MITRE ATT&CK Techniques 35
T1090.001
Details MITRE ATT&CK Techniques 93
T1070.006
Details Windows Registry Key 1
HKCU\Software\OIfkO2i1
Details Windows Registry Key 1
HKCU\Software\kuhO6Ba0kT
Details Windows Registry Key 33
HKLM\SYSTEM\CurrentControlSet\Services
Details Windows Registry Key 2
HKCR\.rat\PersistentHandler\TypeFace
Details Windows Registry Key 2
HKCR\.rat\PersistentHandler\MagicNumber
Details Windows Registry Key 2
HKCU\Software\F32xhfHX
Details Windows Registry Key 2
HKCR\.c\Type\Type00
Details Windows Registry Key 2
HKCR\.z\OpenWithProgidsEx
Details Windows Registry Key 2
HKCR\.z\OpenWithListEx
Details Windows Registry Key 2
HKCR\.sbr\Order
Details Windows Registry Key 2
HKCR\.sbr\StartOverride
Details Windows Registry Key 2
HKCR\.3gp2\Perceived-Type
Details Windows Registry Key 2
HKCR\.3gp2\Content-Type
Details Windows Registry Key 2
HKCU\Software\Microsoft\FTP\MostRecentApplication
Details Windows Registry Key 2
HKCU\Software\Microsoft\FTP\UserInfo