Have Any Questions?
Call Now +91 94038 90283
Reports.

Malware Red Stealer

Introduction

While there is always a fuss about Ransomwares, we ignore other malwares which may finally lead to Ransomware. Attackers can use information stealers like AgentTesla, Formbook, RedlineStealer, RacoonStealer etc to gather credentials about your organization and then use the credentials to compromise your infrastructure and then install a Ransomware. In this blog we would talk about RedlineStealer which is one of the top malware families on Malwarebazaar Statistics after Mirai Botnet(Linux Malware) and GandCrab Ransomware.

Figure 1: Malwarebazaar statistics

Redline Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month).

Here are some key information which the malware might try to steal from the victim machine:


Credentials saved in browsers
Autocomplete data in browsers
Credit card information saved in browsers
User name of the victim
Hardware configuration
Location
Credentials saved in FTP Clients
Cryptocurrency Wallets
Credentials and other information stored on Instant Messengers

Apart from stealing the information, the malware is capable of downloading other malwares which may be ransomwares, executing commands and periodically sending information about the victim machine to the CnC server.

This article talks about one of the latest
Sample used : 9d1c9f9724947cf794f142b09aeccc75
Source : MalwareBazaar

While debugging through the top layer packer, we discovered some anti-debugging tricks. The following screenshot shows GetTickcount() API which can be used to detect.

Figure : GetTickCount API

We also discovered that the packer uses GetCurrentProcessorNumber() which is able to detect the presence of Virtual machines. Usually any system today uses at least two cores. The API can be used to determine the processor number at any point of time,

Figure : GetCurrentProcessNumber API

RedlineStealer injects code into appLaunch.exe and starts the process.

Figure : AppLaunch process

Figure : Injected Code

Figure : App launch in memory

Next we are going to talk about the payload of unpacked Redline Stealer obtained from the binary.

Unpacked Payload Analysis

The unpacked payload is also a .net file. Below is the screenshot of the file properties in PEStudio.

Figure : Fig: PEStudio

The compile time is misleading in the binary and shows up as Jan 24, 2059. The unpacked sample tries to connect to "litrazalilibe[.]xyz”. Following screenshot shows the DNS queries to the CnC server.

Fig: Queries to the CnC server

Redline malware uses the legitimate web services “transfer[.]sh” to host and fetch the final payload as shown in the figure below. However we couldn’t get the final payload. Query_websrv

Fig: Queries to the CnC server

Looking deeper into the unpacked binary, we could locate the stealer functionality. The malware has used code obfuscation to hide the actual string. The screenshot below shows a function that shows the decompiled code. If you observe the code “LEnvironmentogiEnvironmentn DatEnvironmenta” string gets the Environment string replaced which reduces to Login data. Similarly the other strings resolve to Web Data and cookies.

Fig: Queries to legitimate web services

We further saw similar obfuscation techniques to hide the code from decompilers. Code in the figure 11 shown below created the strings Opera GX Stable and Opera GX which are targetted by the malware.

Fig: Obfuscated code 1

Similarly the below code creates the string “ AppData\\Roaming\\”.

Fig: Obfuscated code 2

Another code shown in the screenshot below resolves to the “Credit card” string..

Fig: Credit card String

It creates a channel which includes a message header value called “023fc6570d8513586ac2cb5e3be2c956 “as shown in the figure below.

Fig: Channel header

It searches for encoded strings with base64 and the strings represent specific wallets as shown in the figure below.

Fig: Wallets encodes strings

Base64 Encoded String
ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV0CmFpaWZibmJmb2JwbWVla2lwaGVlaWppbWRwbmxwZ3BwfFRlcnJhU3RhdGlvbgpmbm5lZ3BobG9iamRwa2hlY2Fwa2lqamRrZ2NqaGtpYnxIYXJtb255V2FsbGV0CmFlYWNoa25tZWZwaGVwY2Npb25ib29oY2tvbm9lZW1nfENvaW45OFdhbGxldApjZ2Vlb2RwZmFnamNlZWZpZWZsbWRmcGhwbGtlbmxma3xUb25DcnlzdGFsCnBkYWRqa2ZrZ2NhZmdiY2VpbWNwYmthbG5mbmVwYm5rfEthcmRpYUNoYWluCmJmbmFlbG1vbWVpbWhscG1nam5qb3BoaHBra29sanBhfFBoYW50b20KZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8T3h5Z2VuCm1nZmZrZmJpZGloanBvYW9tYWpsYmdjaGRkbGljZ3BufFBhbGlXYWxsZXQKYW9ka2thZ25hZGNib2JmcGdnZm5qZW9uZ2VtamJqY2F8Qm9sdFgKa3Bmb3BrZWxtYXBjb2lwZW1mZW5kbWRjZ2huZWdpbW58TGlxdWFsaXR5V2FsbGV0CmhtZW9ibmZuZmNtZGtkY21sYmxnYWdtZnBmYm9pZWFmfFhkZWZpV2FsbGV0CmxwZmNiamtuaWpwZWVpbGxpZm5raWtnbmNpa2dmaGRvfE5hbWlXYWxsZXQKZG5nbWxibGNvZGZvYnBkcGVjYWFkZ2ZiY2dnZmpmbm18TWFpYXJEZUZpV2FsbGV0CmJoZ2hvYW1hcGNkcGJvaHBoaWdvb29hZGRpbnBrYmFpfEF1dGhlbnRpY2F0b3IKb29ramxia2lpamluaHBtbmpmZmNvZmpvbmJmYmdhb2N8VGVtcGxlV2FsbGV0.

Base64 Decoded String
ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet blnieiiffboillknjnepogjhkgnoapac|EqualWallet cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty fihkakfobkmkjojpchpfgcmhfjnmnfpi|BitAppWallet kncchdigobghenbbaddojjnnaogfppfj|iWallet amkmjjmmflddogmhpjloimipbofnfjih|Wombat fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet nlbmnnijcnlegkjjpcfjclmcfggfefdm|MewCx nanjmdknhkinifnkgdcggcfnhdaammmj|GuildWallet nkddgncdjgjfcddamfgcmfnlhccnimig|SaturnWallet fnjhmkhhmkbjkkabndcnnogagogbneec|RoninWallet aiifbnbfobpmeekipheeijimdpnlpgpp|TerraStation fnnegphlobjdpkhecapkijjdkgcjhkib|HarmonyWallet aeachknmefphepccionboohckonoeemg|Coin98Wallet cgeeodpfagjceefieflmdfphplkenlfk|TonCrystal pdadjkfkgcafgbceimcpbkalnfnepbnk|KardiaChain bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom fhilaheimglignddkjgofkcbgekhenbh|Oxygen mgffkfbidihjpoaomajlbgchddlicgpn|PaliWallet aodkkagnadcbobfpggfnjeongemjbjca|BoltX kpfopkelmapcoipemfendmdcghnegimn|LiqualityWallet hmeobnfnfcmdkdcmlblgagmfpfboieaf|XdefiWallet lpfcbjknijpeeillifnkikgncikgfhdo|NamiWallet dngmlblcodfobpdpecaadgfbcggfjfnm|MaiarDeFiWallet ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet blnieiiffboillknjnepogjhkgnoapac|EqualWallet cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty fihkakfobkmkjojpchpfgcmhfjnmnfpi|BitAppWallet kncchdigobghenbbaddojjnnaogfppfj|iWallet amkmjjmmflddogmhpjloimipbofnfjih|Wombat fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet nlbmnnijcnlegkjjpcfjclmcfggfefdm|MewCx nanjmdknhkinifnkgdcggcfnhdaammmj|GuildWallet nkddgncdjgjfcddamfgcmfnlhccnimig|SaturnWallet fnjhmkhhmkbjkkabndcnnogagogbneec|RoninWallet aiifbnbfobpmeekipheeijimdpnlpgpp|TerraStation fnnegphlobjdpkhecapkijjdkgcjhkib|HarmonyWallet aeachknmefphepccionboohckonoeemg|Coin98Wallet cgeeodpfagjceefieflmdfphplkenlfk|TonCrystal pdadjkfkgcafgbceimcpbkalnfnepbnk|KardiaChain bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom fhilaheimglignddkjgofkcbgekhenbh|Oxygen mgffkfbidihjpoaomajlbgchddlicgpn|PaliWallet aodkkagnadcbobfpggfnjeongemjbjca|BoltX kpfopkelmapcoipemfendmdcghnegimn|LiqualityWallet hmeobnfnfcmdkdcmlblgagmfpfboieaf|XdefiWallet lpfcbjknijpeeillifnkikgncikgfhdo|NamiWallet dngmlblcodfobpdpecaadgfbcggfjfnm|MaiarDeFiWallet bhghoamapcdpbohphigoooaddinpkbai|Authenticator ookjlbkiijinhpmnjffcofjonbfbgaoc|TempleWallet

Next the malware creates a folder named “Yandex\YaAddon” in the “AppData\Local” directory as shown in the figure 16 below. It searches for encoded strings with base64 and the strings represent specific wallets as shown in the figure below.

Fig: Yandex

It gets the total amount of Ram as shown in the figure below.

Fig: Total System RAM

It searches for the following directories as shown in the figure below.

Directories:
1. \\Windows\\. 2. \\ProgramFiles\\. 3. \\ProgramFilesx86\\. 4. \\ProgramData\\.
Fig: File System Directories

It gets logical drives in the machine and can specify additional files/extensions that should be located in the “%DSK_23%” field as shown in the figure below.

Fig: Logical drives

The next obfuscated code decrypts to “walletdat”, it also resolves string wallet using the same previous technique as shown in the figure below.

Fig: Walletdat

It locates the Opera GX browser in the “AppData\Roaming” directory and gets “LocalExtensionSettings” as shown in the figure below.

Fig: AppData Directory

It searches for “Telegram Desktop\\tdata” which contains a telegram application and any stored data on it like images, conversation etcc as shown in the figure below.

Fig: Telegram Data

It extracts the Discord tokens and chat logs from the “.log” and “.ldb” files as shown in the figure below.

Fig: Discord_tokens

It opens the “FileZilla\recentservers.xml” file as shown in the figure below.

Fig: Filezilla

It extracts the following fields from the XML file: Host, User, Pass, and Port as shown in the figure below.

Fig: XML File Data

It extracts the Steam client path from the “SteamPath” registry value as shown in the figure below.

Fig: Steam Path

It searches the filesystem for the “%USERPROFILE%\AppData\Local\NordVPN” directory as shown in the figure below.

Fig: Nord VPN

It searches for “ProtonVPN” as shown in the figure below..

Fig: Proton VPN

It specifies a command that is executed by the CMD.exe process as shown in the figure below.

Fig: Cmd Process

It locates the cookies.sqlite database as shown in the below.

Fig: Sqlite cookies

It gets the culture of the current input language as shown in the figure below.

Fig: Language

It retrieves the vertical height in pixels and the vertical height of the entire desktop in pixels using GetDeviceCaps (10 = VERTRES, 117 = DESKTOPVERTRES) as shown in the figure below.

Fig: GetDeviceCaps

It extracts the processor name and the number of cores as shown in the figure below.

Fig: Processor Name

It gets a Video controller as shown in the figure below.

Fig: Video controller

It opens the registry key path "SOFTWARE\Clients\StartMenuInternet" registry key. The name of a browser is obtained via a function call to GetValue and then the path from the “shell\open\command” registry key as shown in the figure below.

Fig: StartMenuInternet Path

It extracts the serial number of the physical disk drives as shown in the figure below.

Fig: Physical Disk

It creates a list that contains the session ID of the current process, the process ID and the name of a process as shown in the figure below.

Fig: Process name and session ID

The total amount of physical memory available to the OS is retrieved as shown in the figure below.

Fig: Physical Memory Amount

It gets ProductName and CSDVersion as shown in the figure below.

Fig: Product Name

Below are some interesting strings present in the malware memory that can be used to detect the sample.


Diphtheria.exe.
host_key.
encrypted_value
web Data
autofill
Credit_cards
LocalPrefs.json.
Walletdat
\\FileZilla\\recentservers.xml
OpenVPNConnect

Note : Reach out for our malware analysis and Detection service. We are here to help you to hunt down malwares in your network.

Contributers
Mahmoud Morsy / Abhijit Mohanta