Arechclient2 Malware Analysis (sectopRAT)

Overview

Arechclient2, also known as sectopRAT, is a Remote Access Trojan (RAT) written in .NET. This malware is highly obfuscated using the calli obfuscator, making its analysis challenging. Despite attempting deobfuscation using calliFixer, the code remained obfuscated but was still somewhat readable using dnSpy.

The sample analyzed has the following characteristics:

File Hash: EED3542190002FFB5AE2764B3BA7393B
File Size: 768KB
Original File Name: Bluefin.exe
File Type: .Net
Obfuscation Technique: calli obfuscator
Mutex Name: 49c5e6d7577e447ba2f4d6747f56c473
VT Detection: 61/72
File Download: any.run

Static Analysis

Obfuscation Technique

The malware is obfuscated using the calli obfuscator, as identified using Detect It Easy (DIE).

Attempts to deobfuscate the code using CalliFixer were unsuccessful, as shown below:

Extracted Strings

Extracting strings from the executable revealed significant indicators of the malware’s capabilities. Some of the key strings found include:

  • Browser Data Extraction: URL, User, Password0, AccountT, BrowserExtension, AutofillT, Logins, Cookies7, os_crypt, LocalState, encrypted_key
  • System and Hardware Information: HardwareType, OSVersion, Machine, ReleaseID, Language, ScreenSize, TimeZone, IPv4, Monitor
  • Installed Software and Processes: AvailableLanguages, Softwares, Processes, SystemHardwares
  • Targeted Applications and Services: Nord, Open, Proton (VPNs), Steam, Discord, Telegram, FTP, ScanBrowsers, ScanFiles, ScanFTP, ScanWallets, ScanScreen
  • Data Exfiltration and Storage: FileLocation, SeenBefore3, FileScannerArgT, OfApplication, Directory, Pattern, Recoursive7

Observed Functionalities

Upon analyzing the decompiled code, several key functionalities were observed:

  • Scanning and gathering information about installed web browsers, including browser extensions and stored credentials.
  • Extracting cookies, usernames, passwords, and autofill data.
  • Scanning the system for installed VPN services such as NordVPN and ProtonVPN.
  • Collecting system information, including hardware details and OS specifications.
  • Looking for installed game launchers, Telegram, and Discord configurations.
  • Scanning for FTP connections and stored credentials.
  • Searching for wallet configurations, indicating potential interest in cryptocurrency theft.

Dynamic Analysis

Upon execution in a controlled environment, the malware exhibited network-based behaviors, connecting to a remote Command and Control (C2) server:

  • C2 Server IP: 91.202.233.18
  • Port: 9000
  • Port: 15647

  • Downloaded Files:
    • manifest.json (Defines the extension’s name, permissions, and scripts)
    • content.js (Core malicious script for keylogging and data theft)
    • background.js (Bypasses security restrictions and transmits stolen data)

Malicious Chrome Extension Disguised as “Google Docs”

The downloaded files are part of a Google Chrome extension masquerading as “Google Docs.” This extension is a stealthy data-stealing tool designed to exfiltrate user input across all websites. The files were retrieved from the following URL:

  • Download URL: http://91.202.233[.]18:9000/wbinjget?q=9A7A4DFA51C1DFA51C1DFC689A43860F0BECA70

Its functionality is split across three key files:

  • manifest.json
    • Declares the extension’s name and description (misleading claim of Google Docs offline editing)
    • Grants broad permissions, allowing script injection across all web pages
  • content.js
    • Injects event listeners into every webpage
    • Monitors and captures all user input fields (textboxes, checkboxes, dropdowns, buttons, text areas)
    • Sends recorded data, including usernames, passwords, credit card details, and form data, along with the URL to the attacker’s server
  • background.js
    • Acts as a middleman to bypass browser security policies
    • Uses browser permissions to make unauthorized HTTP requests to an external attacker-controlled server
    • Relays stolen data from content.js to the remote server

Installed Google Chrome Extension
Dropped JavaScript code and JSON file.
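As an added example, not code from the post or from the analysed sample, the following Python script applies the review above to a manifest.json: it flags host access to every origin, a content script injected on every page, a background script that can relay data off-origin, and a name that borrows a well-known product. The manifest it runs on is constructed to have the shape described here, and the list of impersonated product names is an assumption.

```python
import json

# Constructed manifest.json in the shape the post describes: a misleading
# "Google Docs" identity, host access to every site, a content script on
# every page and a background worker. Not the sample's real manifest.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Google Docs Offline",
    "description": "Edit, create, and view your documents offline.",
    "permissions": ["storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}
    ],
    "background": {"service_worker": "background.js"},
})

# Match patterns that give an extension access to every origin.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Product names a data-stealing extension is likely to impersonate (assumed list).
IMPERSONATED_BRANDS = ("google docs", "google drive", "microsoft office", "adobe")


def assess_manifest(manifest_text):
    """Return a list of findings for one manifest.json; an empty list means nothing notable."""
    m = json.loads(manifest_text)
    findings = []

    # MV2 puts host patterns in "permissions", MV3 in "host_permissions".
    hosts = set(m.get("host_permissions", []))
    hosts |= {p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"}
    broad = hosts & BROAD_MATCHES
    if broad:
        findings.append("host access to every origin: " + ", ".join(sorted(broad)))

    for cs in m.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_MATCHES:
            findings.append("content script on every page: " + ", ".join(cs.get("js", [])))

    if broad and m.get("background"):
        findings.append("background script can relay data off-origin: "
                        + json.dumps(m["background"]))

    name = m.get("name", "").lower()
    brand = next((b for b in IMPERSONATED_BRANDS if b in name), None)
    if brand:
        findings.append(f"name impersonates a well-known product: {brand!r}")
    return findings


def is_high_risk(manifest_text):
    """Broad host access plus an all-pages content script is the keylogger shape."""
    f = assess_manifest(manifest_text)
    return (any(x.startswith("host access") for x in f)
            and any(x.startswith("content script") for x in f))


if __name__ == "__main__":
    for line in assess_manifest(SAMPLE_MANIFEST):
        print("-", line)
    print("high risk:", is_high_risk(SAMPLE_MANIFEST))  # True
```

The two structural findings (all-origin host access and an all-pages content script) are what make the verdict; the name check only adds context, since plenty of legitimate extensions also ask for broad access.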

Additionally, during debugging, it was observed that the malware connects to an external URL:

  • URL: https://pastebin.com/raw/wikwTRQc
  • Sandbox Analysis: The webpage at this URL contains the same IP (91.202.233.18)

Further Payload Analysis

During analysis, no additional payloads were observed being dropped or executed. However, given the RAT’s capabilities and network behavior, it is possible that further payloads may be delivered dynamically by the C2 server depending on the victim’s environment.

Indicators of Compromise (IoCs)

File Hashes

  • EED3542190002FFB5AE2764B3BA7393B

C2 Servers

  • 91.202.233.18:9000
  • 91.202.233.18:15647

Malicious URLs

  • http://91.202.233[.]18:9000/wbinjget?q=9A7A4DFA51C1DFA51C1DFC689A43860F0BECA70
  • https://pastebin.com/raw/wikwTRQc

Mutex

  • 49c5e6d7577e447ba2f4d6747f56c473

Security Implications

This malicious extension operates as a coordinated data-harvesting tool, capturing nearly all user input and exfiltrating it to a remote C2 server. The misleading name, broad web access, and ability to evade browser security make it a severe threat.

Recommendations:

  • Block network traffic to 91.202.233.18:9000 and 91.202.233.18:15647.
  • Monitor %AppData%/Local/llg for suspicious file creations.
  • Remove any unknown Chrome extensions, particularly those masquerading as Google Docs.
  • Use behavioral-based threat detection to identify suspicious activities.
  • Restrict execution of untrusted .NET applications.

This analysis highlights the evolving threats posed by obfuscated RATs and malicious browser extensions, emphasizing the need for enhanced security monitoring and strict browser extension controls.

If you found this analysis helpful, consider following my blog for more in-depth malware research and cybersecurity insights!

Fake SBI Reward APK Targets Victims with Trojan via WhatsApp

Cybercriminals continue to exploit unsuspecting users through cleverly crafted phishing campaigns. Recently, I encountered a forwarded message in a WhatsApp group that immediately raised suspicion. The message read as follows:


Dear Valued Customer,

Your SBI BANK 🏦 Reward Points (Rs 9980.00) will expire today. Now Redeem through SBI BANK🏦 REWARD App install & Claim Your Reward by Cash Deposit Your Account.

Thank-You 👇 team-SBI BANK


Attached to the message was an Android APK file, supposedly the “SBI BANK REWARD App,” which promised users a reward of Rs. 9980. Given the prevalence of similar scams, I decided to investigate the file’s legitimacy through static and dynamic analysis.

Initial Observations

  1. Suspicious Language and Presentation:
    • The message contained grammatical errors, with misspellings like “Value Customer” instead of “Valued Customer.”
    • Overuse of emojis (🏦 and 👇) and inconsistent formatting further indicated it was likely a scam.
  2. Hash Check:
    • I extracted the file hash and searched for it on VirusTotal (VT) and Any.Run. Surprisingly, no results were available for this hash.
    • This indicated that the file was either new or not widely distributed yet.

File Details

File Hash: 7f6e053f3551db9cb209fa5c05952a3e
File Type: Android .apk
File Size: 4.20MB
File Name: SBl REWARDZ POINT 1.apk

Static Analysis

Using the JADX tool, I decompiled the APK to analyse its internal structure and code. Below are some findings:

Manifest Analysis

The APK requested excessive permissions, including access to SMS, Contacts, Call Logs, and Storage. These are common indicators of malicious intent.

The AndroidManifest.xml file revealed several critical points:

The manifest file defines activities and services such as BackgroundService, SmsReceiver, and BootBroadcastReceiver, which are typically used in malicious apps to intercept SMS and run processes at system boot.
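The same review can be scripted when many APKs need triage. The following Python example is added here and is not from the post; it parses a constructed AndroidManifest.xml that reuses the component names named above (BackgroundService, SmsReceiver, BootBroadcastReceiver) under an assumed package name, lists the permissions an analyst worries about, and pairs them with the broadcast receivers that make SMS interception and boot persistence possible.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest in the shape the post describes. Component names are the
# ones the post lists; the package name and everything else are assumed.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rewardz">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="SBI REWARDZ">
    <service android:name=".BackgroundService" android:exported="false"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootBroadcastReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permissions that matter for a banking-credential stealer, with the reason.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "see incoming SMS as they arrive",
    "android.permission.SEND_SMS": "send SMS (spread or premium fraud)",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.READ_CALL_LOG": "harvest call history",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself after reboot",
    "android.permission.READ_EXTERNAL_STORAGE": "read user files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write user files",
}
ACTIONS_OF_INTEREST = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS interception",
    "android.intent.action.BOOT_COMPLETED": "persistence at boot",
}


def analyze_manifest(xml_text):
    """Summarize the permissions and broadcast receivers an analyst looks at first."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    exported_attr = "{%s}exported" % ANDROID_NS
    result = {"package": root.get("package"), "sensitive_permissions": [], "receivers": []}

    for p in root.iter("uses-permission"):
        name = p.get(name_attr)
        if name in SENSITIVE_PERMISSIONS:
            result["sensitive_permissions"].append((name, SENSITIVE_PERMISSIONS[name]))

    for r in root.iter("receiver"):
        actions = [a.get(name_attr) for a in r.iter("action")]
        behaviours = [ACTIONS_OF_INTEREST[a] for a in actions if a in ACTIONS_OF_INTEREST]
        if behaviours:
            result["receivers"].append({
                "name": r.get(name_attr),
                "exported": r.get(exported_attr),
                "behaviours": behaviours,
            })
    return result


def sms_stealer_pattern(result):
    """The combination that matters: SMS permission + SMS receiver + boot persistence."""
    perms = {name for name, _ in result["sensitive_permissions"]}
    behaviours = {b for r in result["receivers"] for b in r["behaviours"]}
    return ("android.permission.RECEIVE_SMS" in perms
            and "SMS interception" in behaviours
            and "persistence at boot" in behaviours)


if __name__ == "__main__":
    summary = analyze_manifest(SAMPLE_MANIFEST)
    for name, why in summary["sensitive_permissions"]:
        print(f"{name}: {why}")
    for r in summary["receivers"]:
        print(r)
    print("SMS-stealer pattern:", sms_stealer_pattern(summary))  # True
```

A single sensitive permission proves little; the pattern check ties the permission to the receiver that uses it and to a persistence mechanism, which is the combination the post observed.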

Publicsuffixes.gz File

During the analysis, I found a file named publicsuffixes.gz. Upon extraction, it contained unrelated Chinese text, which did not directly link to the malicious APK but raised questions about the APK’s origin or development process.

Below is the translation of the Chinese text from the publicsuffixes file.

The 1989 Tiananmen event was held in Beijing, capital of China, on July 28, 2013. The event was held on July 28, 2013. The 1989 event was held on July 28, 2013. The event was held on July 28, 2013. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people in the middle of the Yangtze River, and the rise of middle-aged and young people in the middle of the Yangtze River. The 10,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 4,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 4,000-square-foot (1,000-square-foot) The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people in Hong Kong, and also the rise of middle-aged and young people in Hong Kong. The 20th anniversary celebration of the founding of the Peoples' Republic of China, the 20th anniversary celebration of the founding of the Peoples' Republic of China, and the 20th anniversary celebration of the founding of the Peoples' Republic of China, will be held on the 14th of the 14th anniversary celebration of the founding of the Peoples' Republic of China. The 20th anniversary celebration of the founding of the Peoples' Republic of China, the 20th anniversary celebration of the founding of the Peoples' Republic of China, and the 20th anniversary celebration of the founding of the Peoples' Republic of China, will be held on the 21st anniversary of the founding of the Peoples' Republic of China. I sincerely hope that you will not be disappointed with the results of this project. I hope you will be happy with the results of this project. In this regard, the development of the industry has entered a new stage, and the development of the industry has entered a stage of rapid development. The 1984 World Cup has been held in Hong Kong since 1989. 
The 1984 World Cup has been held in Hong Kong since 1989. The 1984 World Cup has been held in Hong Kong since 1989. The 1984 World Cup has been held in Hong Kong since 1989. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people, and the rise of the middle-aged and young people. The wisdom of the people is the same as the practice of the traditional Chinese medicine. Customs of the West⹭Customs of the West⹭Customs of the West⹭Customs of the West⹭Customs of the West⹮Customs of the West⹮Customs of the West⹰Customs of the West⹲Customs of the West⹲Customs of the West⹳Customs of the West⹴Customs of the West⹴Customs of the West⹵Customs of the West⹵Customs of the West⹶Customs of the West⹺Customs of the West⹺Customs of the West⹺Customs of the West⹺Customs of the West⹮Customs of the West⹲Customs of the West⹤Customs of the West ⹢The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young, and the rise of middle-aged and young people. It was a period of rapid development, and it was a period of rapid development. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people in Hong Kong, and also the rise of middle-aged and young people in Hong Kong. ⹯ The animal husbandry system is a system that allows animals to be picked up and eaten by locals. ⹯ The animal husbandry system is a system that allows animals to be picked up and eaten by locals. ⹯ The animal husbandry system is a system that allows animals to be picked up and eaten by locals. ⹯ In this regard, the development of the Internet has become a new trend, and the development of the Internet has become a new trend. In the future, the development of the Internet will continue to accelerate. The development of the Internet will continue to accelerate. ⹴The wisdom of the people is the wisdom of the people. The wisdom of the people is the wisdom of the people. 
The wisdom of the people is the wisdom of the people. The wisdom of the people is the wisdom of the people. Hunting 牶敩汬 considered捥⹡knock溇橩 contention玱慦晩挭捯湴牯 nitrogen 慥牯੡楲⹭畳 enemy洊慩狠敳੡楲 volume慦琮慥牯੡楲The scenery is the best. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. I am alone, I am worried about my career, I am happy to be alone, I am alone.瀊怂楳 Zhuang浡⹴潫祯⹪怊怂楴愮怂楴愮橰੡歩瑡⹪瀊怂Step alone椤桯歫慩真⹪怊怂浵潫瑡⹮溇The 2014 World Economic Forum has selected 100 million nitrogen-containing foods and 10 million nitrogen-containing foods for sale in Hong Kong, the 2014 World Economic Forum, and the 2014 World Economic Forum. The enemy has a very strong sense of responsibility, and it is not easy to be irritated by the enemy. It is not easy to be irritated by the enemy. The 1988 Beijing International Expo was held in Beijing, and the 1988 Beijing International Expo was held in Beijing. The 1988 Beijing International Expo was held in Beijing, and the 1988 Beijing International Expo was held in Beijing. The 1988 Beijing International Expo was held in Beijing, and the 1988 Beijing International Expo was held in Beijing. The cup is the only cup that can be picked up by the owner. The cup is the only cup that can be picked up by the owner. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in Hong Kong, and also the rise of middle class values, including the middle class values ​​of Hong Kong and Macau. The 1980s and 1990s, which was a very important era for the American people, saw the rise of the middle-aged man who was about to enter the country and become a model for the American people. 
The 1980s and 1990s, which was a very important era for the American people, saw the rise of the American people, and also saw the rise of the American people. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in the 1980s and 1990s, and also the rise of middle class values ​​in the 1990s and 1990s. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged man, who was about to enter the city of Beijing and was known as the "Eighteenth Century". This was the first time the 1980s and 1990s had reached a peak of 1980s and 1990s. The material is made of natural materials, and the material is made of natural materials. The material is made of natural materials, and the material is made of natural materials. The bridge is the bridge between the two cities, and the bridge between the two cities is the bridge between the two cities. The 2020 Beijing International Airport has been a major port for the Chinese government to provide a variety of transportation services to the public, and the ... The gray house is the only one that can be restored ੡ash狞洴⹣tan੡灲敮浡present捬੡welding⹩把慱牥汬抔敡物畭⹭畳enemy把慱畩contamination⹩琊慲੡爮捯The 1980s and 1990s, which was a very important time for the American people, was a very important time for the American people. The 1980s and 1990s, which was a very important time for the American people, was a very important time for the American people. The 10,000 most common nitrogen-containing foods are found in the lungs, lungs, and lungs of animals. The 20th anniversary celebration of the founding of the Peoples' Republic of China, the 20th anniversary celebration of the founding of the Peoples' Republic of China, and the 20th anniversary celebration of the founding of the Peoples' Republic of China, have been held in the capital. 
The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and elderly people, and also the rise of middle-aged and elderly people. The 100 most common words in English are used to describe the meaning of the word " ' ... The company has a unique business model, a unique business model, a unique business model, and a unique business model. The only thing you can do is to take a walk through the garden and learn about the garden.獡獳楮楯渮浵獥畭੡獳楳椮浵獥畭੡獳渮汫੡獳漮扪੡獳殍੡獳漮fold੡獳殮enemy⹯木੡獳殙੡獳漮杰੡獳漡੡獳殭੡獳殮੡獳漮湣੡獳漮੡獳棣楡瑥猊歭獯捩楯渮慥The tidal flat is the tidal flat of the gorge. The tidal flat is the tidal flat of the gorge. The tidal flat is the tidal flat of the gorge. The tidal flat is the tidal flat of the gorge. ⹢爊牮hunt杩⹫氪氪扮敹੡甊浵⹥甮潲朊恵洴楯元慵浵੡畤楢汥੡畤楯੡畤湥桡汮⹮溇慵杵獴潷⹰氊浵捴潷⹰氊浵据堂੡畲殮堂੡畲繤⹮溇慵牳歯札桯 dirt The 100 most common types of AIDS are found in the healthcare industry, and the 100 most common types of AIDS are found in the healthcare industry. I have been waiting for an hour for a while, and I have been waiting for an hour for a while. I have been waiting for an hour for a while, and I have been waiting for an hour for a while. We must ensure that every effort is made to ensure that the environment is healthy and that the people are happy. We must ensure that every effort is made to ensure that the environment is healthy and that the people are happy. The 1989 Tiananmen event was held at the 41st Beijing International Airport in Beijing, China, and it was held on the 4th Beijing International Airport in Beijing. The 1989 Tiananmen event was held at the 4th Beijing International Airport in Beijing, China, and it was held on the 4th Beijing International Airport in Beijing. The urn was full of ashes, and the urn was full of ashes. It was a very beautiful place, full of ashes, and it was very beautiful. It was a very beautiful place, full of ashes, and it was very beautiful. 
The 2014 National Development and Reform Commission has launched a series of targeted measures to improve the quality of life of enterprises and enterprises, and has also launched a series of targeted measures to improve the quality of life of enterprises. Independent business people should pay attention to the following aspects: The 1989 Tiananmen event was held in Beijing, capital of China, on July 28, 2012. The 1989 Tiananmen event was held in Beijing, capital of China, on July 28, 2012. The 1989 event was held in Beijing, capital of China, on July 28, 2012. The scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that The 20th anniversary celebration of the founding of the Peoples' Republic of China, was held on the 21st anniversary of the founding of the Peoples' Republic of China. It was held on the 21st anniversary of the founding of the Peoples' Republic of China, and it was held on the 21st anniversary of the founding of the Peoples' Republic of China. In this regard, the author has selected the following suggestions: In the future, the development of the industry will continue to accelerate, and the development of the industry will continue to accelerate. In the future, the development of the industry will continue to accelerate, and the development of the industry will continue to accelerate. ⹭畳敳扥敮楴� ... The 1984 World Cup has been held in Beijing for 10 years, and the 1984 World Cup has been held in Beijing for 10 years. The 20th anniversary celebration of the founding of the Peoples' Republic of China was held on the 21st of July in Beijing. The 20th anniversary celebration of the founding of the Peoples' Republic of China was held on the 21st of July in Beijing. 
The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in the 1980s and 1990s, and also the rise of middle class values ​​in the 1990s and 1990s. Tan ੢楺੢楺⹡琊Expansion of species慺੢楺⹢Wu Expansion of species捹੢楺⹤Quan of expansion of species ੢楺⹦樊Expansion of species杬੢楺⹩搊Expansion of species歩੢楺⹬猊 expand kind 浶੢楺⹭眊 expand kind 湩੢楺⹮爊expand fire ੢楺⹰氊expand kind 灲੢楺⹳猊expand Ma੢楺⹴爊The development of the industry has been continuously improved, and the development of the industry has been continuously improved. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in Hong Kong, and also the rise of middle class values, and also the rise of middle class values ​​in the 1990s and 1990s. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and middle-aged man, and the rise of middle-aged and middle-aged women. It was a period of rapid development, and the rise of middle-aged and middle-aged women was a period of rapid development. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in Hong Kong, and also the rise of middle class values, such as the middle class values ​​of Hong Kong and Macau. The bathtub is bathed in the hot spring water, and the hot spring water is bathed in the hot spring water. The hot spring water is bathed in the hot spring water, and the hot spring water is bathed in the hot spring water.
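An added example, not part of the original post, showing a check worth running before reading an extracted resource as foreign-language text. Two facts are useful context: publicsuffixes.gz is the file name under which the OkHttp HTTP client library bundles its copy of the public suffix list, so many Android apps built on OkHttp carry it; and when a stream of ASCII bytes is decoded as UTF-16, every pair of Latin letters becomes one CJK code point, which is exactly the shape of fragments such as 慦琮慥牯੡楲 in the output above (those six characters re-encode to the bytes of "aft.aero", a newline and "air"). The sample bytes below are constructed, and the real file uses OkHttp's own serialized layout rather than plain lines, so the code demonstrates the decoding effect rather than reproducing the sample's content.

```python
import gzip

# Constructed sample in the plain-text shape of the public suffix list; the
# real publicsuffixes.gz inside an OkHttp-based app is serialized differently.
SAMPLE_ASCII = b"aft.aero\nairline.aero\nassassination.museum\nbiz.at\n"


def as_misread_utf16(data: bytes) -> str:
    """Decode ASCII bytes two at a time as UTF-16 big-endian.

    Pairs of Latin letters land in the CJK block, which is why a tool that
    guesses the wrong encoding shows 'Chinese' text. An odd trailing byte is
    dropped so the illustration stays simple."""
    even = data[: len(data) - (len(data) % 2)]
    return even.decode("utf-16-be")


def recover_ascii(cjk_text: str) -> bytes:
    """Invert the mis-decoding: re-encoding as UTF-16-BE gives the original bytes back."""
    return cjk_text.encode("utf-16-be")


def _printable_ratio(raw: bytes) -> float:
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(raw) if raw else 0.0


def looks_like_misread_ascii(text: str, threshold: float = 0.9) -> bool:
    """Heuristic: if re-encoding as UTF-16-BE yields mostly printable ASCII,
    the 'CJK text' was ASCII all along."""
    return _printable_ratio(text.encode("utf-16-be")) >= threshold


def classify_gz_resource(gz_bytes: bytes) -> dict:
    """Unpack a .gz resource and report how its bytes should be read."""
    data = gzip.decompress(gz_bytes)
    ratio = _printable_ratio(data)
    return {
        "size": len(data),
        "printable_ratio": round(ratio, 3),
        "treat_as": "ascii text" if ratio >= 0.9 else "binary (inspect with a hex viewer)",
    }


def constructed_gz_resource() -> bytes:
    """Gzip the constructed sample so the classifier has a .gz input to work on."""
    return gzip.compress(SAMPLE_ASCII)


if __name__ == "__main__":
    garbled = as_misread_utf16(SAMPLE_ASCII[:12])   # bytes of "aft.aero\nair"
    print(garbled)                                  # 慦琮慥牯੡楲
    print(recover_ascii(garbled))                   # b'aft.aero\nair'
    print(looks_like_misread_ascii(garbled))        # True
    print(classify_gz_resource(constructed_gz_resource()))
```

Running the printable-ratio check first, on the raw bytes, avoids the detour through a wrong text encoding and a machine translator, and it tells you whether a resource deserves a hex viewer or a text editor.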

Strings Analysis

Hardcoded URLs were found pointing to command-and-control (C2) servers.
References to financial APIs and terms like “OTP” and “Banking” suggested a focus on stealing sensitive data.

libiotusintouch.cpp.so File

The file was decompiled using GHIDRA, revealing the following Remote URLs:

The app sends detailed device information, including:

  • Device manufacturer and model
  • Android version
  • Mobile ID
  • SIM details
  • Mobile number

Additionally, I observed the name “Kritika” hardcoded in the log statements, potentially indicating the developer or a test/debugging artifact.

The following code snippet exemplifies the exfiltration of this data:

Dynamic Analysis

I executed the APK in a controlled environment using an Android emulator and monitored its behavior with HTTP Toolkit and Wireshark. Here’s what I uncovered:

Network Traffic

Analyzing network traffic with Wireshark revealed that, upon installation, the APK immediately established connections to previously identified URLs.

Communication via wss://socket.missyou9.in included the following parameters:

The persistent communication over WebSocket (wss://socket.missyou9.in) could be classified as beaconing behavior, as it periodically updates the server with device status and other details.
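Beaconing can be confirmed quantitatively rather than by eye. The following Python example is added here and is not from the post: it reads a constructed connection log, groups connections by destination, and flags destinations whose inter-connection intervals are nearly constant. The 30-second period, the decoy host name and the timestamps in the log are all constructed; only the socket.missyou9.in host name comes from the analysis above.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (timestamp, source, destination, protocol) with a
# WebSocket endpoint polled every ~30 s and some unrelated browsing mixed in.
SAMPLE_LOG = """\
2025-01-10T10:00:00 10.0.2.15 socket.missyou9.in:443 websocket
2025-01-10T10:00:30 10.0.2.15 socket.missyou9.in:443 websocket
2025-01-10T10:00:31 10.0.2.15 cdn.example-news.test:443 https
2025-01-10T10:01:00 10.0.2.15 socket.missyou9.in:443 websocket
2025-01-10T10:01:30 10.0.2.15 socket.missyou9.in:443 websocket
2025-01-10T10:01:45 10.0.2.15 cdn.example-news.test:443 https
2025-01-10T10:02:01 10.0.2.15 socket.missyou9.in:443 websocket
2025-01-10T10:02:30 10.0.2.15 socket.missyou9.in:443 websocket
2025-01-10T10:09:12 10.0.2.15 cdn.example-news.test:443 https
"""


def parse_log(text):
    """Group connection timestamps by destination host:port."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, _src, dst, _proto = line.split()
        events[dst].append(datetime.fromisoformat(ts))
    return events


def beacon_candidates(events, min_connections=5, max_cv=0.2):
    """Flag destinations contacted at a near-constant interval.

    The coefficient of variation (stdev / mean of the gaps) is close to 0 for a
    timer-driven check-in and much larger for human-driven traffic. Real
    implants often add jitter, so max_cv is a tunable threshold."""
    out = []
    for dst, times in events.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else 0.0
        if cv <= max_cv:
            out.append({
                "dst": dst,
                "connections": len(times),
                "mean_interval_s": round(m, 1),
                "cv": round(cv, 3),
            })
    return sorted(out, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)  # socket.missyou9.in:443, 6 connections, 30.0 s, cv 0.021
```

The same calculation works on Zeek conn.log or proxy exports once the three fields are mapped; a long-lived WebSocket that never reconnects would instead show up as a single very long connection, so both views are worth checking.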

Keylogging Behavior

The application displayed phishing screens mimicking legitimate SBI login pages to harvest user credentials.

Once the user has entered their information, it connects to superherocloud.com and uploads the data:

  • Username, password and mobile number.
  • Profile password and DOB.
  • Full name, Account number and CIF.
  • Debit/Credit card number, Expiry date, CVV number and ATM pin.
  • OTP

The screenshot below shows the API calls captured while analyzing the app.

The following code snippet submits device information to the endpoint: https://superherocloud.com/api/mobile/add.

After submitting the file to VirusTotal, it was flagged by 25 out of 67 antivirus engines as malicious. The detection names varied, but many indicated trojan-like behavior. The file’s VT analysis can be accessed here.

Domains

The domain https://socket.missyou9.in was flagged by 2/94 vendors on VirusTotal, indicating potential malicious activity. Moreover, this domain is reportedly associated with other APKs impersonating different banking apps in similar malicious campaigns. The domain was also registered only five months ago.

The domain https://superherocloud.com, used as the endpoint for exfiltrating device information, was registered only two months ago.
Despite its short lifespan, the domain has not yet been flagged as malicious on public threat intelligence platforms.

Implications of the Attack

This campaign is a clear attempt to steal sensitive user data, including banking credentials, debit/credit card information and OTPs, to perform fraudulent financial transactions. What makes it particularly dangerous is the exploitation of trust through the SBI branding and the urgency implied in the message.

Conclusion

This incident underscores the importance of vigilance in the face of cyber threats. While this particular APK was quickly identified as malicious, many others might slip through the cracks, targeting unsuspecting users. By raising awareness and adopting basic cybersecurity hygiene, we can mitigate the risks posed by such scams.

Stay safe and always think before you click!

[UPDATE]

I have uploaded the APK file to Malshare. You can download it using the link below.

SBl REWARDZ POINT 1.apk

Understanding RedLine Stealer: The Trojan Targeting Your Data

In the ever-evolving landscape of cybersecurity threats, one name has increasingly become synonymous with stealth and precision: RedLine Stealer. This malicious software, often referred to as a Trojan, is designed to infiltrate systems, silently siphoning off valuable data while remaining largely undetected by its victims. In this blog, we’ll delve into what RedLine Stealer is, how it operates, and what you can do to protect yourself from this insidious threat.

How Does RedLine Stealer Work?

RedLine Stealer typically enters a system through phishing emails, malicious websites, or bundled software downloads. Once installed, it quickly gets to work, scouring the system for valuable information. Here’s a closer look at what it targets:

  • Login Credentials: RedLine can harvest usernames and passwords stored in web browsers, FTP clients, and other software.
  • Autofill Data: Information like addresses, phone numbers, and credit card details saved in browser autofill forms are also at risk.
  • Cryptocurrency Wallets: The Stealer targets cryptocurrency wallets, potentially stealing private keys or wallet credentials.
  • System Information: It gathers detailed information about the infected system, including the operating system, hardware specifications, installed software, and even security measures.
  • Files and Documents: RedLine can search for specific file types, such as documents or spreadsheets, and exfiltrate them to the attacker.

Static and Dynamic Analysis

File Properties:

Hashes:
MD5: 12d8e993204cd8a39b7b5938ea6369eb
SHA256: 11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab03

File Type: Win32 exe
PEiD packer: .NET executable
File size: 2.75 MB

I have downloaded this sample from Any.run. The link to download the sample is given at the end of the article.

Get the hash of the file using a PowerShell command to confirm that it is the same sample.

Infection Process

Once the downloaded executable is run, it exits immediately and a new process starts as MSBuild.exe. The malicious code is injected into that process.

MSBuild.exe PID is 8160

The sample I have downloaded is obfuscated using Intellilock software.

To deobfuscate the code I have used the pe-sieve tool. It's really easy and helpful. To do this, we need to run the executable file and then run the command pe-sieve /pid <pid>, as shown below.

Deobfuscating the file using the pe-sieve command.

This creates a folder named after the PID and copies the dumped executable into it.

400000.MSBuild.exe is the deobfuscated file.

I am using dnSpyEx to debug the executable file 400000.MSBuild.exe. The assembly name of this file is “Forgiving.exe”.

Built in configuration

After deobfuscation of code, below are all the modules used in code.

The IP address in the config file is the C2 server IP. The Key is used for decoding the data. These values are initialised in the class Arguments and are stored in Base64 format.

Built in configuration
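An added example, not from the post or the sample: a small decoder of the kind an analyst writes after locating the Key and IP fields in the Arguments class. The post says only that the values are Base64 and that the Key decodes them; the transform implemented here (Base64-decode, XOR with the repeating key, Base64-decode again) is the scheme public RedLine configuration extractors implement and should be confirmed against the sample's own decoding routine in dnSpy before relying on it. The key and the ID value are constructed; the IP and port are the ones recovered from the debugger below.

```python
import base64
from itertools import cycle

# Constructed key. In the sample the key sits in the Arguments class; this
# value is only here so the example is self-contained.
CONSTRUCTED_KEY = "example-key"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key (the key cycles when shorter than the data)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_value(plaintext: str, key: str) -> str:
    """Build a config string the way the decoder expects; used here only to construct test data."""
    inner = base64.b64encode(plaintext.encode()).decode()
    return base64.b64encode(xor_with_key(inner.encode(), key.encode())).decode()


def decode_value(encoded: str, key: str) -> str:
    """Base64-decode, XOR with the key, Base64-decode again (assumed scheme, see lead-in)."""
    inner = xor_with_key(base64.b64decode(encoded), key.encode())
    # validate=True makes a wrong key fail loudly instead of yielding garbage.
    return base64.b64decode(inner, validate=True).decode()


# Constructed config in the shape of the Arguments class fields. The IP:port is
# the C2 the post recovered; the ID is made up.
CONSTRUCTED_CONFIG = {
    "IP": encode_value("185.215.113.25:13686", CONSTRUCTED_KEY),
    "ID": encode_value("build-constructed", CONSTRUCTED_KEY),
    "Key": CONSTRUCTED_KEY,
}


def extract_c2(config: dict) -> tuple:
    """Return (host, port) from the decoded IP field."""
    host, _, port = decode_value(config["IP"], config["Key"]).rpartition(":")
    return host, int(port)


def try_key(config: dict, candidate: str) -> bool:
    """Test a candidate key: the second Base64 layer only validates with the right key."""
    try:
        decode_value(config["IP"], candidate)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    print("encoded IP field:", CONSTRUCTED_CONFIG["IP"])
    print("C2:", extract_c2(CONSTRUCTED_CONFIG))          # ('185.215.113.25', 13686)
    print("wrong key accepted:", try_key(CONSTRUCTED_CONFIG, "wrong-key"))  # False
```

The validate=True flag on the inner Base64 layer is what turns a guessed key into a yes/no answer; without it a wrong key often decodes silently to junk, which is easy to mistake for a second obfuscation layer.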

While debugging the executable, we can see that the IP address of the C2 server is 185.215.113.25 and the port is 13686.

The IP address lookup shows it is from Baie Lazare, Seychelles.

RedLine Stealer checks the region it is executing in; if the victim is located in one of the Commonwealth of Independent States (CIS) countries, it exits.

Once it has confirmed that the victim is located outside a CIS country, it starts collecting many different kinds of data from the victim's machine and sends them to the C2 server.

Browser data

It checks which browsers are installed on the machine and starts collecting browser login data, cookies and browsing history.

Browser List:

  • Google Chrome
  • Microsoft Edge
  • Opera
  • Maple Studio, Chrome Plus
  • Iridium
  • 7Star
  • CentBrowser
  • Chedot
  • Vivaldi
  • Kometa
  • Elements Browser
  • Epic Privacy Browser
  • Uran
  • Sleipnir
  • Citrio
  • Coowon
  • liebao
  • QIP Surf
  • Orbitum
  • Comodo
  • Amigo
  • Torch
  • Yandex
  • 360 Browser
  • Maxthon
  • k-melon
  • Sputnik
  • Nichrome
  • CocCoc
  • Chromodo
  • Atom
  • Brave browser
  • Ghost Browser
  • Baidu Browser
  • CryptoTab Browser
  • Lulumi Browser
  • Mozilla
  • QQBrowser
  • WaterFox
  • Ghostery Browser
  • Netscape
  • Flashpeak

Crypto Wallets

The stealer looks for different wallets installed on the victim's machine.

  • Armory
  • Atomic
  • Binance
  • Coinomi
  • Electrum
  • Etherium
  • Exodus
  • Garuda
  • com.liberty.jaxx
  • Monero

File Collector

It searches the Desktop and Documents folders for files with the following extensions and uploads them to the C2.

File Types:

  • .txt
  • .doc
  • .key
  • seed
  • wallet

Screen Capture

RedLine Stealer captures the user's screen resolution, takes screenshots and sends them to the C2 server.

System Information

It also collects information from the compromised system.

  • Username
  • hostname
  • Input language and date time
  • Installed antivirus program
  • Running process
  • OS version
  • Monitor size

Download and Execute payload

RedLine Stealer has the classes DownloadUpdate and DownloadAndExecuteUpdate. DownloadUpdate downloads data using WebClient; DownloadAndExecuteUpdate downloads data using WebClient and then executes it.

Discord & Telegram

It looks for Discord and Telegram data on the victim's machine.

NordVPN OpenVPN and ProtonVPN

It looks for configuration files of all three VPN applications.

Filezilla FTP Application

The stealer looks for sitemanager.xml, which stores usernames and passwords, and recentservers.xml, which stores information about which FTP servers you have connected to. If these are available on the victim's machine, it extracts them and sends them to the C2.

Antivirus

The stealer collects information about the anti-malware programs installed on the machine and sends it to the C2.

RedLine Stealer uses http[:]//tempuri[.]org/Entity/Id[1-24] to communicate with the C2 server. When this URL is accessed in a browser, it redirects to bing.com.
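An added detection example, not from the post, that turns the observation above into a check over proxy logs. One caveat when matching on this string: tempuri.org is the default placeholder namespace that WCF and other .NET SOAP tooling emit for services whose developers never set a namespace, so it also appears in legitimate internal traffic. The example therefore rates a hit by whether the Entity/Id number falls in the documented 1 to 24 range and whether the destination is one of the IP addresses listed in the IoC section below; the log lines, their format and the internal service name are constructed.

```python
import re
from urllib.parse import urlsplit

# IP addresses from the post's IoC list.
C2_IPS = {"185.215.113.25", "23.45.12.19", "217.65.2.14"}
# The identifier pattern the post observed, with the numeric suffix captured.
TEMPURI_ID = re.compile(r"https?://tempuri\.org/Entity/Id(\d+)")
DOCUMENTED_RANGE = range(1, 25)  # Id1 .. Id24

# Constructed proxy log: timestamp, client, method, URL, then the SOAPAction
# header (or "-" when absent). Line 2 is a legitimate internal WCF service.
SAMPLE_LOG = [
    '2025-01-10T10:00:01 10.0.0.5 POST http://185.215.113.25:13686/ SOAPAction="http://tempuri.org/Entity/Id3"',
    '2025-01-10T10:00:02 10.0.0.5 POST http://185.215.113.25:13686/ SOAPAction="http://tempuri.org/Entity/Id17"',
    '2025-01-10T10:00:03 10.0.0.7 POST http://intranet.corp.test/svc.svc SOAPAction="http://tempuri.org/IService/GetOrders"',
    '2025-01-10T10:00:04 10.0.0.9 GET http://tempuri.org/Entity/Id5 -',
    '2025-01-10T10:00:05 10.0.0.5 POST http://185.215.113.25:13686/ SOAPAction="http://tempuri.org/Entity/Id99"',
]


def classify(line):
    """Return a verdict label for one log line, or None when nothing matches."""
    _ts, _src, _method, url, rest = line.split(" ", 4)
    host = (urlsplit(url).hostname or "").lower()
    m = TEMPURI_ID.search(rest) or TEMPURI_ID.search(url)
    entity_id = int(m.group(1)) if m else None
    in_range = entity_id is not None and entity_id in DOCUMENTED_RANGE
    known_c2 = host in C2_IPS

    if known_c2 and in_range:
        return "redline_c2"            # both signals: high confidence
    if known_c2:
        return "known_c2_ip"           # destination alone is enough to block
    if in_range:
        return "tempuri_entity_pattern"  # pattern without a known IP: triage
    return None                         # plain tempuri.org traffic is not a hit


def scan(lines):
    """Return (line index, verdict) for every line that produced a verdict."""
    hits = []
    for i, line in enumerate(lines):
        verdict = classify(line)
        if verdict:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_LOG):
        print(idx, verdict, SAMPLE_LOG[idx][:60])
```

The internal GetOrders call is deliberately left unflagged: matching on tempuri.org alone would page the SOC for every unconfigured WCF service in the estate.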

The VirusTotal score for this RedLine Stealer sample is 60/75.

Indicators of Compromise

Hashes:

  • 12d8e993204cd8a39b7b5938ea6369eb
  • 11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab03

IP Address:

  • 185.215.113.25
  • 23.45.12.19
  • 217.65.2.14

Protecting Against RedLine Stealer

Given the sophisticated nature of the RedLine Stealer, it’s essential to adopt robust security measures to protect yourself and your organization. Here are some key steps to consider:

Use Up-to-Date Security Software: Ensure that your antivirus and anti-malware software are regularly updated to detect and block the latest threats.

Be Cautious with Emails: Avoid opening attachments or clicking on links in emails from unknown or suspicious sources. Always verify the sender’s identity before taking any action.

Avoid Downloading Software from Untrusted Sources: Only download software from reputable websites or official app stores. Be cautious of freeware or shareware sites, which may bundle malicious software with legitimate applications.

Regularly Update Your Systems: Keep your operating system, software, and applications up to date with the latest security patches to close vulnerabilities that could be exploited by Trojans like RedLine.

Use Strong, Unique Passwords: Utilize strong, unique passwords for different accounts, and consider using a password manager to store them securely.

Enable Two-Factor Authentication (2FA): Wherever possible, enable 2FA for your online accounts to add an extra layer of security, even if your credentials are compromised.

References:

Malicious email .ics attachments

Recently I received a few random emails with calendar invites attached, from random senders and with unknown email IDs in CC. These arrived in my inbox instead of spam, though I later moved them to the spam folder.

Email Attachment:

File type: Calendar invite

File Extension: .ICS

I uploaded the .ics attachment to VirusTotal, but no AV vendor has detected it as malicious yet.

I opened the .ics file in Notepad and can clearly see a URL redirection to the domain http[:]//ngsl7[.]bemobtrcks[.]com

When I opened the URL http[:]//ngsl7[.]bemobtrcks[.]com in a browser, it redirected to the http[:]//receivepayment[.]fun website, then again to https[:]//bitcoinwallet[.]xyz and on to the https[:]//paysitecash[.]paywest[.]net website. The redirection chain changed every time, and it may land on a different website each time I access the main URL.

The screenshot below shows one of the websites it redirects to.

When it opens bitcoinwallet[.]receivepayment[.]xyz, it shows potentially bad traffic.

any.run flags the traffic as malicious because a Let's Encrypt certificate is being used for a suspicious domain.

These are confirmed phishing emails. Calendar invites may bypass traditional email filters, making it easier for phishing emails using this method to reach users' inboxes, and that is what is happening here.

Below are the network connections established to the following domains when the .ics file is opened.

  • ngsl7[.]bemobtrcks[.]com
  • receivepayment[.]fun
  • ctldl[.]windowsupdate[.]com
  • bitcoinwallet[.]receivepayment[.]xyz
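Opening the invite in Notepad worked here, but .ics files fold long lines (RFC 5545 continues a line with a leading space or tab), so a URL can be split across two lines and missed or truncated by a plain text search. The helper below is an added example, not part of the original post or of any tool mentioned in it: it unfolds the file, pulls every URL out of the properties and prints them defanged for a report. The .ics content is a constructed sample that reuses the domain observed above; the subject line and UID are made up.

```python
"""Added example (not from the post): extract URLs from an .ics attachment."""
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def unfold_ics(text: str) -> list:
    """Join RFC 5545 folded lines: a line starting with SPACE or TAB continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape_ics(value: str) -> str:
    """Undo TEXT escaping (RFC 5545 3.3.11): \\n, \\, \\; and \\\\."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def defang(url: str) -> str:
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_urls(ics_text: str, unfold: bool = True) -> dict:
    """Return {PROPERTY: [urls]} for each property whose value carries a URL.
    unfold=False reproduces a naive line-by-line search, for comparison."""
    lines = unfold_ics(ics_text) if unfold else ics_text.splitlines()
    found = {}
    for line in lines:
        if ":" not in line:
            continue
        name_part, _, value = line.partition(":")
        name = name_part.split(";", 1)[0].upper()   # drop parameters such as ;VALUE=URI
        urls = [u.rstrip(".,;)") for u in URL_RE.findall(unescape_ics(value))]
        if urls:
            found.setdefault(name, []).extend(urls)
    return found


def unique_defanged(ics_text: str) -> list:
    """Sorted, de-duplicated, defanged URL list suitable for an IOC section."""
    return sorted({defang(u) for urls in extract_urls(ics_text).values() for u in urls})


# Constructed sample invite; the URL in DESCRIPTION is folded mid-domain on purpose.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:sample-001@example.invalid\r\n"
    "DTSTART:20240110T100000Z\r\n"
    "SUMMARY:Payment confirmation\r\n"
    "DESCRIPTION:Your transfer is pending\\, confirm at http://ngsl7.bemob\r\n"
    " trcks.com before it expires.\r\n"
    "URL:http://ngsl7.bemobtrcks.com\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for url in unique_defanged(SAMPLE_ICS):
        print(url)
```

Run with `unfold=False` on the same sample and the DESCRIPTION URL comes back truncated, which is exactly the failure a raw text search in Notepad can produce.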

IOC:

MD5: 264D98086A88D5A57E917EFBCFC36F87

MD5: 4187D230F6D850024E8B678B783F4464

MD5: F1C401645FAD5274AB7B86857E4CAF84

Summary:

  • These are crypto-related phishing emails.
  • If such emails (with an .ics attached) come from an unknown sender, it is better to ignore them.

Reference:

MS Excel Malware Analysis

MD5: bcdadfdc16bcf022384c4631849e1396

File Type: Microsoft Excel

File Extension: .xlsm

File Name: BillINV-01364_CLIENT_Schedule.xlsm

File Preview:

Excel File Preview

I am analyzing the Excel file using oletools to detect suspicious code and IOCs.

> oleid <FileName>

oleid helps to determine whether the file has any embedded OLE/Flash objects or VBA macros.

It is clear from the above oleid output that the file has a suspicious VBA macro. Now I am going to get the suspicious keywords using MacroRaptor.

> mraptor <FileName>

MacroRaptor gives information based on keywords, such as read, write, execute.

The command flagged the keywords AutoExec, Write and Execute used in the file, which suggests that, on opening the document, it will write files to the system and execute them.

Next, olevba, which detects obfuscated strings and extracts IP addresses and executable file names:

> olevba -a <FileName>

OleVBA file output

I was trying to open the Excel file to check the VBA code execution in the VBA developer tool by debugging the code, but on opening the Excel file it was closing immediately due to the Application.Quit call. So, first I disabled the macro, opened Developer tools, commented out that code, saved the file and enabled the macro again. This way, on opening the Excel file, it wasn't closing immediately.

While debugging the macro, I found that it uses VBScript GetObject to download the exe from the remote server (https[:]//ntro[.]fr/officeclick.png).

Procmon captured the mSHta.exe process starting via the shell, which executes the command shown in the image below.

The URL being accessed is no longer responding. To dig in more, I extracted the Excel file and looked for the text file whose reference I got from olevba.

In the text file dvdsvhufhuierhiu.txt I looked for an .exe reference and found it too. This file has a base64 string which is a PowerShell script that downloads the executable jieifhzo11.exe and copies it to the location

C:\Users\<profile>\AppData\Local\

Base64 string from dvdsvhufhuierhiu.txt file

After deobfuscating the above string, I can see the PowerShell command below.

Obfuscated PowerShell script of above base64 string

Summary:

  • The macro executes on document open.
  • mSHta.exe executes a command via the shell.
  • It reads an obfuscated string from dvdsvhufhuierhiu.txt, which is a PowerShell script that downloads jieifhzo11.exe.
  • It downloads it from the URL https[:]//ntro[.]fr/officeclick.png.
  • The URL is no longer accessible, so I was unable to download the malicious executable file.

Sample Download: