Thursday, February 16, 2023

Redline Malware - Malware Analysis - Feb 16 2023

Started with this Redline malware sample

The sandbox report shows it spawning a bunch of child processes and eventually dropping these 2 payloads:

AV killer


MD5 7e93bacbbc33e6652e147e7fe07572a0

SHA-1 421a7167da01c8da4dc4d5234ca3dd84e319e762


The infostealer looks a lot like the one in this blog ( )


MD5 dd0c9e110c68ce1fa5308979ef718f7b

SHA-1 473deb8069f0841d47b74b7f414dacc6f96eca78


It is stored in a self-extracting .CAB file (Microsoft Cabinet).

It actually unpacks itself 4 times before we finally see the payload.

Each time the child .CAB file is stored in a resource named "CABINET" (CABINET, RUNPROGRAM and UPROMPT are the resource names Microsoft's IExpress self-extractors use).

Each time there are 2 .exes inside the .CAB.

At each stage the "RUNPROGRAM" resource names the next child .CAB extractor to launch.

On the last extraction, though, the 2 files are .NET executables instead of an x86 stub and another .CAB extractor.

The first .NET executable is an AV killer that turns off Defender, Windows Update, etc.

The 2nd .NET executable is the infostealer, which grabs wallets, VPN and Discord data, and much more.

There are some Russian strings and the names of countries in the surrounding region.

There is also code for the C2 (command and control) traffic, which is XOR'd with the key "Sigma" and base64 encoded.
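The XOR-plus-base64 scheme described above, written out as an added example (this is not code from the sample or from the original post). It assumes the key "Sigma" repeats byte-wise across the buffer and that XOR is applied before base64 on the wire, so decoding reverses that order; the beacon text is constructed:

```python
import base64

C2_KEY = b"Sigma"   # key named in the sample; byte-wise repetition of it is an assumption


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2(plaintext: bytes, key: bytes = C2_KEY) -> str:
    """What the implant would put on the wire: XOR first, then base64 (assumed order)."""
    return base64.b64encode(xor_repeating(plaintext, key)).decode("ascii")


def decode_c2(blob: str, key: bytes = C2_KEY) -> bytes:
    """Reverse the order: base64-decode, then XOR with the key."""
    return xor_repeating(base64.b64decode(blob), key)


def printable_ratio(data: bytes) -> float:
    """Sanity check for a candidate key/order: a real beacon decodes to mostly printable text."""
    return sum(32 <= c < 127 for c in data) / max(len(data), 1)


# Constructed beacon with made-up fields; not real traffic from the sample.
BEACON = b"id=WIN-TEST|user=analyst|wallets=2|discord=1"
WIRE = encode_c2(BEACON)

if __name__ == "__main__":
    print(WIRE)
    print(decode_c2(WIRE), printable_ratio(decode_c2(WIRE)))
```

If a captured string decodes to binary junk, try the other order (XOR the base64 text first, then decode) and keep whichever gives the higher printable ratio; that is usually the quickest way to settle which way round a sample applies the two layers.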

CAB files: FDICreate / FDICopy

call ds:__imp__FDICreate ; creates an FDI context for extracting Microsoft .CAB (Cabinet) files

push offset pszCabPath

call ds:__imp__FDICopy

In memory you should see the cabinet (the CAB archive-file format), recognizable by its first four bytes (the magic number) MSCF.

After the FDICopy you'll see the extracted files (possibly .exe malware) on disk. Note that pszCabPath is the directory the cabinet is read from, not the output directory: FDICopy hands each member to the pfnfdin notification callback (fdintCOPY_FILE), which decides where it is written, so follow that callback (or just watch the sandbox's file writes) to find the dropped files.
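To pull the nested payloads out statically instead of single-stepping FDICopy, the following added example (my code, not the sample's or the original post's) scans a buffer for the MSCF magic, parses the cabinet directory, decompresses stored and MSZIP folders, and recurses into any member that carries another cabinet, which is exactly the four-deep CABINET-resource chain described above. The dropper bytes, file names and contents are constructed; LZX/Quantum folders are not handled and the CFDATA checksum is not verified.

```python
import struct
import zlib

# CFHEADER / CFFOLDER / CFFILE / CFDATA layouts from the Microsoft Cabinet format
CAB_MAGIC = b"MSCF"
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # sig, res1, cbCabinet, res2, coffFiles, res3, vMinor, vMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs (+ szName)
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp (+ abData)
FLAG_PREV, FLAG_NEXT, FLAG_RESERVE = 0x1, 0x2, 0x4
COMP_NONE, COMP_MSZIP = 0, 1


def _cstring(buf, off):
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def parse_cab(blob, start):
    """Parse the cabinet at blob[start:]; return its metadata and every member's bytes."""
    (sig, _, cb_cabinet, _, coff_files, _, vminor, vmajor,
     c_folders, c_files, flags, set_id, _) = CFHEADER.unpack_from(blob, start)
    if sig != CAB_MAGIC or cb_cabinet < CFHEADER.size:
        raise ValueError("no cabinet at %#x" % start)
    cab = blob[start:start + cb_cabinet]
    pos, folder_res, data_res = CFHEADER.size, 0, 0
    if flags & FLAG_RESERVE:                      # optional per-header/folder/data reserve areas
        hdr_res, folder_res, data_res = struct.unpack_from("<HBB", cab, pos)
        pos += 4 + hdr_res
    for _ in range(2 * bool(flags & FLAG_PREV) + 2 * bool(flags & FLAG_NEXT)):
        _, pos = _cstring(cab, pos)               # szCabinetPrev/szDiskPrev/szCabinetNext/szDiskNext
    folders = []
    for _ in range(c_folders):
        folders.append(CFFOLDER.unpack_from(cab, pos))
        pos += CFFOLDER.size + folder_res
    files, pos = [], coff_files
    for _ in range(c_files):
        cb_file, uoff, ifolder, _, _, _ = CFFILE.unpack_from(cab, pos)
        name, pos = _cstring(cab, pos + CFFILE.size)
        files.append((name.decode("latin-1"), cb_file, uoff, ifolder))
    streams = []                                  # one decompressed stream per folder
    for coff, n_blocks, comp in folders:
        out, p = bytearray(), coff
        for _ in range(n_blocks):
            _, cb_data, _ = CFDATA.unpack_from(cab, p)   # csum not verified in this demo
            p += CFDATA.size + data_res
            chunk, p = cab[p:p + cb_data], p + cb_data
            if comp & 0xF == COMP_NONE:
                out += chunk
            elif comp & 0xF == COMP_MSZIP:        # "CK" + raw deflate; history carries across blocks
                if chunk[:2] != b"CK":
                    raise ValueError("bad MSZIP block")
                d = zlib.decompressobj(wbits=-15, zdict=bytes(out[-32768:])) if out else zlib.decompressobj(wbits=-15)
                out += d.decompress(chunk[2:])
            else:
                raise ValueError("unsupported typeCompress %#x (LZX/Quantum)" % comp)
        streams.append(bytes(out))
    members = {}
    for name, cb_file, uoff, ifolder in files:
        if ifolder >= len(streams):               # 0xFFFD..0xFFFF mean "continued in another cabinet"
            continue
        members[name] = streams[ifolder][uoff:uoff + cb_file]
    return {"offset": start, "size": cb_cabinet, "version": (vmajor, vminor), "set_id": set_id, "files": members}


def carve_cabinets(blob, depth=0, max_depth=8):
    """Scan blob for MSCF, parse each cabinet, and recurse into members that embed another one."""
    found, off = [], blob.find(CAB_MAGIC)
    while off != -1:
        try:
            cab = parse_cab(blob, off)
        except (ValueError, struct.error, zlib.error):
            off = blob.find(CAB_MAGIC, off + 1)   # false positive or truncated; keep scanning
            continue
        cab["depth"] = depth
        found.append(cab)
        if depth < max_depth:
            for data in cab["files"].values():
                found.extend(carve_cabinets(data, depth + 1, max_depth))
        off = blob.find(CAB_MAGIC, off + cab["size"])
    return found


def _deflate(raw):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(raw) + c.flush()


def build_cab(members, mszip=True):
    """Assemble a one-folder, one-CFDATA cabinet. Only used to fabricate the demo input below."""
    raw = b"".join(members.values())
    payload = (b"CK" + _deflate(raw)) if mszip else raw
    data_block = CFDATA.pack(0, len(payload), len(raw)) + payload
    file_dir, uoff = b"", 0
    for name, content in members.items():
        file_dir += CFFILE.pack(len(content), uoff, 0, 0, 0, 0x20) + name.encode() + b"\x00"
        uoff += len(content)
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(file_dir)
    header = CFHEADER.pack(CAB_MAGIC, 0, coff_data + len(data_block), 0, coff_files, 0, 3, 1, 1, len(members), 0, 0x1234, 0)
    return header + CFFOLDER.pack(coff_data, 1, COMP_MSZIP if mszip else COMP_NONE) + file_dir + data_block


# Constructed stand-in for the dropper: fake PE stub, outer CAB, slack. Names/contents are made up.
INNER_CAB = build_cab({
    "AvKiller.exe": b"MZ" + b"\x90" * 40 + b"net stop WinDefend",
    "Stealer.exe": b"MZ" + b"\x90" * 40 + b"Sigma",
})
OUTER_CAB = build_cab({
    "stage2_sfx.exe": b"MZ" + b"\x00" * 64 + INNER_CAB + b"\x00" * 16,  # child extractor with its own CABINET inside
    "RUNPROGRAM.txt": b"stage2_sfx.exe",
}, mszip=False)
DROPPER = b"MZ" + b"\x00" * 120 + OUTER_CAB + b"\xcc" * 32


def report(blob):
    return [(c["depth"], c["offset"], sorted(c["files"])) for c in carve_cabinets(blob)]


if __name__ == "__main__":
    for depth, off, names in report(DROPPER):
        print("  " * depth + "MSCF at %#x: %s" % (off, ", ".join(names)))
```

Run it against the real dropper by replacing DROPPER with the file's bytes; because the scan is byte-oriented it finds the cabinet inside the CABINET resource without parsing the PE resource tree, and the recursion walks the whole chain in one pass.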

FindResourceA 0xa

v0 = FindResourceA(0, "UPROMPT", (LPCSTR)0xA);

push 0xA ; lpType

push edi ; lpName

push 0 ; hModule

call ds:__imp__FindResourceA@12

This is grabbing a handle (HRSRC) to a resource in RCData with the name "UPROMPT" (you can see this in Resource Hacker). Note that it will be followed by LoadResource, which returns an HGLOBAL for the resource, and LockResource, which returns the actual pointer to the string bytes.

0xA = 10 = RT_RCDATA = application-defined resource (raw data); the (LPCSTR)0xA cast is just MAKEINTRESOURCE(10)

0 for hModule = use this executable's own resources

The HRSRC handle comes back in EAX; the pointer to the string only appears after LockResource.

Wednesday, February 15, 2023

Packer Process Injection - CreateProcessInternalW CREATE_SUSPENDED

CreationFlags: CREATE_SUSPENDED 0x00000004

Malware creating a process in a suspended state is typically a packer doing process injection (process hollowing): it has unpacked its code and is injecting it into the new process before that process ever runs.

It will be followed by calls like

WriteProcessMemory ('MZ')

to edit the memory of the suspended process and inject the malicious code (the buffer written starts with 'MZ', i.e. a whole PE image), usually followed by SetThreadContext to point the main thread at the new entry point and ResumeThread to start it.

In malware that almost always means "injected code".
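The sequence above as detection logic, run over constructed API-trace lines. This is an added example, not the sample's sandbox report: the key=value trace format, the pids and the image paths are made up, and the rule is simply "suspended child, then a WriteProcessMemory whose buffer begins with MZ, then ResumeThread":

```python
CREATE_SUSPENDED = 0x00000004

# Constructed API-trace lines (made-up pids, paths and buffers; not from the real sandbox run).
TRACE = r"""
pid=2440 api=CreateProcessInternalW child=3012 flags=0x00000004 image=C:\Windows\System32\svchost.exe
pid=2440 api=NtUnmapViewOfSection target=3012 base=0x400000
pid=2440 api=WriteProcessMemory target=3012 addr=0x400000 buf=4d5a900003000000
pid=2440 api=WriteProcessMemory target=3012 addr=0x401000 buf=5589e583ec10
pid=2440 api=SetThreadContext target=3012
pid=2440 api=ResumeThread target=3012
pid=2440 api=CreateProcessInternalW child=3100 flags=0x00000000 image=C:\Windows\System32\cmd.exe
pid=2440 api=WriteProcessMemory target=3100 addr=0x7ff000 buf=00000000
pid=2440 api=CreateProcessInternalW child=3180 flags=0x00000004 image=C:\Windows\System32\notepad.exe
pid=2440 api=ResumeThread target=3180
""".strip().splitlines()


def parse_line(line):
    """key=value tokens separated by whitespace -> dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def find_hollowing(lines):
    """Return {child_pid: state} for suspended children that received an MZ image and were resumed."""
    tracked = {}                                  # child pid -> what the parent did to it
    for rec in map(parse_line, lines):
        api = rec["api"]
        if api.startswith("CreateProcess") and int(rec["flags"], 16) & CREATE_SUSPENDED:
            tracked[rec["child"]] = {"parent": rec["pid"], "image": rec["image"], "mz_written": False,
                                     "unmapped": False, "ctx_set": False, "resumed": False}
            continue
        st = tracked.get(rec.get("target"))
        if st is None:                            # not a suspended child we care about
            continue
        if api == "WriteProcessMemory" and bytes.fromhex(rec["buf"]).startswith(b"MZ"):
            st["mz_written"] = True               # a PE header is being planted in the child
        elif api == "NtUnmapViewOfSection":
            st["unmapped"] = True                 # classic hollowing: original image carved out first
        elif api == "SetThreadContext":
            st["ctx_set"] = True                  # entry point redirected into the new image
        elif api == "ResumeThread":
            st["resumed"] = True
    return {pid: st for pid, st in tracked.items() if st["mz_written"] and st["resumed"]}


def describe(hits):
    return ["pid %s hollowed %s (child %s): unmapped=%s ctx=%s" %
            (st["parent"], st["image"], pid, st["unmapped"], st["ctx_set"]) for pid, st in hits.items()]


if __name__ == "__main__":
    for line in describe(find_hollowing(TRACE)):
        print(line)
```

Child 3180 is created suspended and resumed with nothing written, which is what a debugger or a launcher that sets environment variables also does, so it is deliberately not flagged; the MZ write is what turns "suspended" into "injected code".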

Tuesday, February 14, 2023

IDA Pro - The graph is too big (more than 1000 nodes)

IDA Pro error:

The graph is too big (more than 1000 nodes)

Two likely reasons the graph is "too big":

1) the code is obfuscated somehow (control-flow flattening or junk jumps inflate the node count)

2) or it's packed, and IDA is treating the packed blob as one enormous function

A genuinely huge function or a mis-detected function boundary will do it too. To see the graph anyway, raise the limit under Options > General > Graph > "Max number of nodes", or fall back to text view.

Friday, December 30, 2022

Browser Hijacker LoginAssistantTab

Browser Hijacker HLoginAssistant

Establishes persistence so that it runs at startup.