My Short Analysis - Redline Infostealer

 



In this write-up, let's tear apart a specific sample of infostealer malware and dive into some of its functions. This is only a short analysis of the Redline Infostealer and it is intended for educational and entertainment purposes only. The reason for picking this sample is its significant and rampant presence in the cybercrime ecosystem: it is one of the most common and prolific stealers in the wild, distributed in cybercrime marketplaces and on the dark web. So, without further ado, let's take a look at this malware and unravel some of its functions.



Executive Summary:
RedLine Stealer is a malicious program that harvests users' confidential data from browsers, the operating system, installed software, credit card details and, in enterprise environments, domain information. It also infects operating systems with other malware. It is sold on underground forums as a standalone copy ($100/$150 depending on the version) or on a subscription basis ($100/month). The malware gathers a system inventory from the target machine that includes the username, hostname, domain information, location data, screen captures, hardware configuration and details of installed security software.



Context:

Given the significant and rampant distribution of this malware and the high volume of machines it has infected, I decided to take a quick dive into what it does once it infects a machine. Another reason is educational: to reinforce my learning curve in analysing and reversing malware as an incident responder. It is worth noting that infostealer malware is one of the most underappreciated cyber threats today compared with ransomware, zero-day exploits, DDoS, etc., yet it is widely commoditized by cyber criminals selling leaked credentials, corporate access, credit card information, crypto wallets, etc. on the dark web.


McAfee telemetry data shows this malware is very prevalent, reaching North America, South America, Europe, Australia and Asia.




Virustotal:



High-Level Behaviour Analysis:



Upon executing the binary in the x64 debugger, a command prompt window pops up.



The binary spawns conhost.exe, and the call returns 0xFFFFFFFF.



Per a Microsoft post, this value is documented as follows: "If there is no session attached to the physical console, (for example, if the physical console session is in the process of being attached or detached), this function returns 0xFFFFFFFF."

The exit code value of 0xFFFFFFFF indicates that the job has encountered a system error or a low-level exception that is not being handled properly.

From this we can hypothesize that the binary was unable to contact its C2 server, as it is being run in a controlled environment, and thus returned the 0xFFFFFFFF exit code.


Malware Binary Details:

sha256: 884924AFC0439B4E22B26D0C4DA697C45A046BE0DB62516A3C7455AD1C6FEA11
sha1: d97ad0daadfd81192dd6fcb48860320c46f4f2ef
md5: EB05E7B7A6682AFF1A8BCC27F76B55B7
file-size: 550912 bytes
compiler-stamp: Fri Jan 20 10:38:57 2068 (a date in the future, so the PE timestamp is not a trustworthy build date; deterministic .NET builds write a content hash into this field)
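The details above can be reproduced with a small triage script. The following is an added example (not code from the write-up or from the sample): it builds a constructed, minimal PE-shaped blob carrying a chosen TimeDateStamp, then hashes it, reports the compiler stamp in the same format as above and flags a stamp that cannot be a real build time. `build_sample_pe` and `triage` are names chosen here.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE-shaped blob (not the Redline sample): an MZ header whose
    e_lfanew points at a PE signature followed by a COFF header with the given TimeDateStamp."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff_header + b"\x00" * 256

def triage(data: bytes, now=None) -> dict:
    """Produce the same details the write-up lists (hashes, size, compiler stamp) and
    flag a TimeDateStamp that cannot be a real build time (in the future, or before 1990)."""
    now = now or datetime.now(timezone.utc)
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp sits 8 bytes past the signature (after Machine and NumberOfSections)
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    stamp = EPOCH + timedelta(seconds=ts)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "file_size": len(data),
        "compiler_stamp": stamp.strftime("%a %b %d %H:%M:%S %Y"),
        "stamp_suspicious": stamp > now or stamp.year < 1990,
    }

if __name__ == "__main__":
    # Same date as the write-up's compiler stamp, interpreted as UTC
    bogus = int((datetime(2068, 1, 20, 10, 38, 57, tzinfo=timezone.utc) - EPOCH).total_seconds())
    for key, value in triage(build_sample_pe(bogus)).items():
        print(f"{key}: {value}")
```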


Static Analysis:

Strings:

URL,65.21.79.150:27667
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Size
width
height
OPEN_EXISTING
TRUNCATE_EXSTING
STATUS_INFO_LENGTH_MISMATCH
FILE_FLAG_WRITE_THROUGH
MultiplyH
get_ASCII
FILE_ATTRIBUTE_NORMAL
FILE_FLAG_OPEN_NO_CALL
FILE_ATTRIBUTE_SYSTEM
FILE_FLAG_SEQUENTIAL_SCAN
FILE_ATTRIBUTE_HIDDEN
FILE_BEGIN
BCRYPT_INIT_AUTH_MODE_INFO_VERSION
get_JSON
FromJSON
ToJSON
FILE_FLAG_DELETE_ON
BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO
BCRYPT_OAEP_PADDING_INFO
BCRYPT_PSS_PADDING_INFO
CryptoStreamMode
X509CertificateValidationMode
set_CertificateValidationMode
Spulebane.exe
X509CertificateRecipientClientCredential
Bitmap
FromHbitmap
MessageSecurityOverTcp
Sleep
AccountDetails
get_Controls
ListOfPrograms
System.Windows.Forms
ParseDiscordTokens
domains
Rubaiyat App
Assembly Version
37.40.78.0



Import Address Table:

name,namespace,flagged,group,technique,type,ordinal,library
WebClient,System.Net,x,network,T1011 | Network Exfiltration,TypeRef,-,mscoree.dll
WebHeaderCollection,System.Net,x,network,T1011 | Network Exfiltration,TypeRef,-,mscoree.dll
UnicastIPAddressInformationCollection,System.Net.NetworkInformation,x,network,-,TypeRef,-,mscoree.dll
UnicastIPAddressInformation,System.Net.NetworkInformation,x,network,-,TypeRef,-,mscoree.dll
IPInterfaceProperties,System.Net.NetworkInformation,x,network,-,TypeRef,-,mscoree.dll
IPAddressInformation,System.Net.NetworkInformation,x,network,-,TypeRef,-,mscoree.dll
IPAddress,System.Net,x,network,T1011 | Network Exfiltration,TypeRef,-,mscoree.dll
AddressFamily,System.Net.Sockets,x,network,-,TypeRef,-,mscoree.dll
WebRequest,System.Net,x,network,T1011 | Network Exfiltration,TypeRef,-,mscoree.dll
WebResponse,System.Net,x,network,T1011 | Network Exfiltration,TypeRef,-,mscoree.dll
MemoryStream,System.IO,x,memory,T1055 | Process Injection,TypeRef,-,mscoree.dll
CreateProcess,-,x,execution,T1106 | Execution through API,Field,-,mscoree.dll
HMAC,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
MD5,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
MD5CryptoServiceProvider,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
HashAlgorithm,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
SHA1CryptoServiceProvider,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
HMACSHA1,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
SHA1Managed,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
CryptoStream,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
TripleDESCryptoServiceProvider,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
ICryptoTransform,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
SymmetricAlgorithm,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
CipherMode,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
PaddingMode,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
CryptoStreamMode,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
Aes,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
AesManaged,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
HMACSHA256,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
KeyedHashAlgorithm,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
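The import dump above is easier to read as a capability summary than row by row. As an added example (not part of the write-up or any tool's code), the following parser takes rows in that same comma-separated layout, treats "-" as absent and "x" as flagged, splits the "Txxxx | Name" technique field, and groups the referenced types by functional group and by ATT&CK technique. `IAT_DUMP` is a constructed excerpt of the rows above; `parse_row` and `summarize` are names chosen here.

```python
from collections import defaultdict

# Constructed excerpt of the import dump, in the same comma-separated layout as the write-up
IAT_DUMP = """\
WebClient,System.Net,x,network,T1011 | Network Exfiltration,TypeRef,-,mscoree.dll
IPAddress,System.Net,x,network,T1011 | Network Exfiltration,TypeRef,-,mscoree.dll
AddressFamily,System.Net.Sockets,x,network,-,TypeRef,-,mscoree.dll
MemoryStream,System.IO,x,memory,T1055 | Process Injection,TypeRef,-,mscoree.dll
CreateProcess,-,x,execution,T1106 | Execution through API,Field,-,mscoree.dll
AesManaged,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
HMACSHA256,System.Security.Cryptography,x,cryptography,T1001 | Data Obfuscation,TypeRef,-,mscoree.dll
"""

def parse_row(line: str) -> dict:
    """One dump row -> dict; '-' means 'not present', 'x' means the import was flagged."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 comma-separated fields, got {len(fields)}: {line!r}")
    name, namespace, flag, group, technique, kind, ordinal, library = fields
    technique_id = technique_name = None
    if technique != "-":
        parts = [p.strip() for p in technique.split("|", 1)]
        technique_id = parts[0]
        technique_name = parts[1] if len(parts) > 1 else None
    return {
        "name": name,
        "namespace": None if namespace == "-" else namespace,
        "flagged": flag == "x",
        "group": group,
        "technique_id": technique_id,
        "technique_name": technique_name,
        "kind": kind,
        "ordinal": None if ordinal == "-" else int(ordinal),
        "library": library,
    }

def summarize(dump: str) -> dict:
    """Group the flagged imports by functional group and by ATT&CK technique, so the
    dump reads as 'which capabilities does this binary reference' at a glance."""
    rows = [parse_row(line) for line in dump.splitlines() if line.strip()]
    by_group, by_technique = defaultdict(list), defaultdict(list)
    for row in rows:
        by_group[row["group"]].append(row["name"])
        if row["technique_id"]:
            by_technique[(row["technique_id"], row["technique_name"])].append(row["name"])
    return {"rows": rows, "by_group": dict(by_group), "by_technique": dict(by_technique)}
```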



Behavior Activities:

Queries the Language settings of current user:



Queries .nls files; the extension stands for "National Language Support" and indicates that the file contains language-specific or localization-related data.



Queries the settings and configuration information related to the user's local environment, particularly concerning file associations, temporary files, and other local settings.



Reads the machine GUID from the registry



Reads the Computer Name



Queries the Winsock settings in the registry





Dynamic Analysis:

Reads the machine language configuration of the infected machine



Creates files:

C:\Windows\System32\MSCOREE.DLL.local

C:\Users\mrobot\Desktop\redline.exe.config

C:\Users\mrobot\Desktop\CRYPTBASE.dll



Reads hidden/administrative/system folders or files:

C:\$Directory



Network Indicators:




Reverse engineering the binary in dnSpy unravels the following functions and IOCs.

Callback Routine Function

This code snippet appears to be part of a malware routine that attempts to establish a connection, or perform an operation, repeatedly until it succeeds, handling any exception by retrying indefinitely. The use of the IP address 65[.]21[.]79[.]150:27667 suggests it is trying to connect to a remote server.
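From the defender's side, that retry-until-success loop shows up as one process hammering a single endpoint. The following is an added detection example (not code from the write-up): it parses constructed outbound-connection records in the form timestamp,image,pid,dst_ip,dst_port and flags a process that either contacts the callback address above or makes at least `min_attempts` connections to the same endpoint inside a short window. `CONNECTION_LOG` is constructed data (the chrome.exe rows use a documentation address as benign noise), and `parse_log`/`find_callback_activity` are names chosen here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Known callback endpoint from this write-up
KNOWN_C2 = {("65.21.79.150", 27667)}

# Constructed outbound-connection records (timestamp, image, pid, dst_ip, dst_port);
# the chrome.exe rows use a documentation address and are there as benign noise.
CONNECTION_LOG = """\
2024-06-12 10:00:01,redline.exe,1234,65.21.79.150,27667
2024-06-12 10:00:03,redline.exe,1234,65.21.79.150,27667
2024-06-12 10:00:05,redline.exe,1234,65.21.79.150,27667
2024-06-12 10:00:07,redline.exe,1234,65.21.79.150,27667
2024-06-12 10:00:09,redline.exe,1234,65.21.79.150,27667
2024-06-12 10:00:02,chrome.exe,4321,203.0.113.10,443
2024-06-12 10:03:00,chrome.exe,4321,203.0.113.10,443
"""

def parse_log(text: str) -> list:
    """Parse the constructed record format into (datetime, image, pid, dst_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, pid, ip, port = [f.strip() for f in line.split(",")]
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), image, int(pid), ip, int(port)))
    return events

def find_callback_activity(events, min_attempts=4, window=timedelta(seconds=30)) -> dict:
    """Return {(image, pid, dst_ip, dst_port): [reasons]} for processes that either hit the
    known C2 or keep reconnecting to one endpoint (the retry-until-success loop above)."""
    attempts = defaultdict(list)
    for ts, image, pid, ip, port in events:
        attempts[(image, pid, ip, port)].append(ts)
    alerts = {}
    for key, times in attempts.items():
        reasons = []
        if (key[2], key[3]) in KNOWN_C2:
            reasons.append("known_c2_indicator")
        times.sort()
        # sliding window: min_attempts connections to the same endpoint inside `window`
        for i in range(len(times) - min_attempts + 1):
            if times[i + min_attempts - 1] - times[i] <= window:
                reasons.append("retry_burst")
                break
        if reasons:
            alerts[key] = reasons
    return alerts
```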



Collects Browser Information Function



Collects the list of Installed Programs



Collects list of Process Function



Gather Graphic Card Information Function



Collects Processor Information



Gathers default IP Address Function



Encryption Mechanism Function



Device Monitor Function, which captures the screen of the infected machine and sends it to the callback server




Indicators Of Compromise:

Filename: Spulebane.exe
sha256: 884924AFC0439B4E22B26D0C4DA697C45A046BE0DB62516A3C7455AD1C6FEA11
sha1: d97ad0daadfd81192dd6fcb48860320c46f4f2ef
md5: EB05E7B7A6682AFF1A8BCC27F76B55B7
App name: Rubaiyat App
Callback server: 65.21.79.150:27667



Yara Rules:

Sample Yara Rule. A file never contains its own hash, so the hashes are checked through YARA's hash module rather than as string patterns; the string indicators are matched as both ASCII and UTF-16, because .NET user strings are stored wide.

import "hash"

rule Redline_InfoStealer
{
    meta:
        description = "Detects Redline InfoStealer malware based on specific IOCs"
        author = "Lendon_Test"
        date = "2024-06-12"
        version = "1.0"

    strings:
        $filename = "Spulebane.exe" ascii wide
        $app_name = "Rubaiyat App" ascii wide
        $ip_address = "65.21.79.150:27667" ascii wide

    condition:
        // MZ header, then either a string indicator or an exact hash match
        // (the hash module returns lowercase hex, so the digests are written lowercase)
        uint16(0) == 0x5A4D and
        (
            any of ($filename, $app_name, $ip_address) or
            hash.sha256(0, filesize) == "884924afc0439b4e22b26d0c4da697c45a046be0db62516a3c7455ad1c6fea11" or
            hash.sha1(0, filesize) == "d97ad0daadfd81192dd6fcb48860320c46f4f2ef" or
            hash.md5(0, filesize) == "eb05e7b7a6682aff1a8bcc27f76b55b7"
        )
}



Conclusion:

Redline Infostealer represents a significant threat to both individual users and organizations due to its ability to stealthily collect and exfiltrate sensitive information. The sample analyzed in this write-up exhibits the typical behaviors associated with this malware family, namely sophisticated data harvesting. Effective defense against Redline Infostealer involves a combination of user education, advanced security solutions and vigilant network monitoring.


By understanding the characteristics and behaviors of Redline Infostealer, cybersecurity professionals can better protect their environments from this and similar threats.


And hey! :) If you are still reading at this point, thanks for staying. :) I am looking forward to making a comprehensive and in-depth analysis of this malware in the future, if time permits; and if not this malware, I will find another interesting one. :) So stay tuned!

