
Thursday, February 16, 2023

Redline Malware Analysis Feb 16 2023

Started with this redline malware sample 

https://www.joesandbox.com/analysis/808971/0/html

The sandbox report shows it spawning a chain of child processes and eventually dropping these 2 payloads:

AV killer

https://www.virustotal.com/gui/file/850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

Healer.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0

SHA-1 421a7167da01c8da4dc4d5234ca3dd84e319e762



Infostealer

https://www.virustotal.com/gui/file/dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3 

The infostealer closely matches the sample described in this blog ( https://securityscorecard.com/research/detailed-analysis-redline-stealer/ )

Franchise.exe

MD5 dd0c9e110c68ce1fa5308979ef718f7b

SHA-1 473deb8069f0841d47b74b7f414dacc6f96eca78


C2: 193.233.20.13:4136


It is stored in a self-extracting .CAB file (Microsoft Cabinet).

It actually unpacks itself 4 times before the final payload appears.

Each time, the child .CAB file is stored in a resource named "CABINET".

Each time there are 2 .exes inside the .CAB.

In each of the nested stages, the "RUNPROGRAM" resource launches another child .CAB extractor.







On the last extraction, however, the contents are 2 .NET executables instead of an x86 binary and another .CAB extractor.



The first .NET executable is an AV killer that turns off Windows Defender, Windows Update, etc.



The 2nd .NET executable is the infostealer, which grabs wallets, VPN and Discord data, and much more.








There are some Russian characters and the names of nearby countries in the region.



There is also code for the C2 (command and control) traffic, which is XOR'd with the key "Sigma" and Base64 encoded. C2: 193.233.20.13:4136
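An added example (my own code, not from the sample or the post) of undoing that string scheme on the analyst side: Base64 decode, XOR against the repeating key "Sigma", then check whether the result is an IP:port C2 worth blocking. The encoded blob is constructed here from the C2 in the post purely as test input; the function names are mine.

```python
import base64
import re

# Key named in the post; strings are XOR'd with it and then Base64 encoded.
XOR_KEY = b"Sigma"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against a repeating key. Symmetric: the same op encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(encoded: str, key: bytes = XOR_KEY) -> str:
    """Reverse the scheme the post describes: Base64 decode, then XOR with the key."""
    raw = base64.b64decode(encoded)
    return xor_with_key(raw, key).decode("utf-8", errors="replace")


def encode_string(plain: str, key: bytes = XOR_KEY) -> str:
    """Inverse of decode_string; used here only to build the constructed sample."""
    return base64.b64encode(xor_with_key(plain.encode("utf-8"), key)).decode("ascii")


# Match an IPv4 host:port pair so a decoded config string can be triaged as a C2.
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def extract_c2(decoded: str):
    """Return (host, port) if the decoded string is a valid IPv4:port, else None."""
    m = C2_RE.match(decoded.strip())
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if port > 65535 or any(int(octet) > 255 for octet in host.split(".")):
        return None
    return host, port


# Constructed sample: the C2 from the post, encoded with the scheme above (not a
# string pulled from the binary). Decodes back to "193.233.20.13:4136".
SAMPLE_ENCODED = "YlBUQ1NgWklfUX1YVFdVYlpR"

if __name__ == "__main__":
    plain = decode_string(SAMPLE_ENCODED)
    print(plain, extract_c2(plain))
```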