
Basic Analysis of Redline Stealer


Warning

This report is for information purposes only. The malware samples used in this report are actual malicious software and should be handled by professionals in a safe environment. The author of this blog post is not responsible for any damage otherwise. The author does not endorse any product or service referenced or used during the analysis.


Malware Family: RedLineStealer

Sample file: Link

SHA256: 562b48015b238c92691603ad4f135142e74de037e9da68138d425d0e84d1f579

File Type: PE32

Target OS: Windows

Testing Environment:


Basic Static analysis

Info

This is a 32-bit Windows executable written in C.



Packed or not

PEiD shows that its virtual and raw (real) sizes are not far apart.



But Detect It Easy (DiE) shows that its .text section is packed, as indicated by an entropy value above 7.



Suspicious Time Stamp

Compiler timestamp: Sun May 23 08:22:29 2021

Debugger timestamp: Thu Nov 11 07:21:19 2021
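As an added illustration of the two static checks above (section entropy and virtual-versus-raw size, plus the header timestamp), the following Python is not code from the original post and does not touch the RedLine sample: it builds a small constructed PE32 stand-in, parses its section table with only the standard library, computes per-section Shannon entropy, and decodes the COFF header's TimeDateStamp. The 7.0 entropy threshold and the 2x size ratio are assumptions mirroring the rule of thumb the tools apply, the constructed file's timestamp reuses the page's compiler timestamp interpreted as UTC (an assumption, since the tool's timezone is unknown), and the "Debugger" timestamp reported above lives in the PE debug directory, which this script does not parse.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER (20 bytes)
FILE_ALIGN = 0x200


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; values above ~7 suggest packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Read the COFF header and section table of a PE image (optional header is skipped)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, pe, table + i * 40)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, rsize, rptr = f[1], f[3], f[4]
        sections.append({
            "name": name,
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(pe[rptr:rptr + rsize]), 3),
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def coff_timestamp(info: dict) -> str:
    """Link time from IMAGE_FILE_HEADER.TimeDateStamp, for comparison with the debug-directory stamp."""
    return datetime.fromtimestamp(info["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def packing_indicators(info: dict, entropy_threshold: float = 7.0) -> list:
    """The two checks from the write-up: high section entropy and a large virtual-vs-raw size gap."""
    findings = []
    for s in info["sections"]:
        if s["entropy"] > entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']} > {entropy_threshold}")
        if s["raw_size"] and s["virtual_size"] > 2 * s["raw_size"]:
            findings.append(f"{s['name']}: virtual size {s['virtual_size']} far exceeds raw size {s['raw_size']}")
    return findings


# --- constructed sample PE (a stand-in, not the RedLine binary) -------------

def _pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy filler standing in for a packed .text section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Assumption: the page's compiler timestamp read as UTC.
SAMPLE_TIMESTAMP = int(datetime(2021, 5, 23, 8, 22, 29, tzinfo=timezone.utc).timestamp())


def build_sample_pe(timestamp: int = SAMPLE_TIMESTAMP) -> bytes:
    """Minimal PE32 with a high-entropy .text and a plain-text .rdata section."""
    text = _pseudo_random(8192)
    rdata = (b"This program cannot be run in DOS mode.\r\n" * 100)[:4096]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header right after DOS header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic, rest of optional header zeroed
    coff = struct.pack(COFF_FMT, 0x14C, 2, timestamp, 0, 0, len(opt), 0x0102)
    headers_len = 64 + 4 + 20 + len(opt) + 2 * 40
    data_start = -(-headers_len // FILE_ALIGN) * FILE_ALIGN  # round up to file alignment
    sec_text = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text), data_start, 0, 0, 0, 0, 0x60000020)
    sec_rdata = struct.pack(SECTION_FMT, b".rdata", len(rdata), 0x4000, len(rdata), data_start + len(text), 0, 0, 0, 0, 0x40000040)
    image = bytearray(dos + b"PE\0\0" + coff + opt + sec_text + sec_rdata)
    image += b"\0" * (data_start - len(image))
    return bytes(image + text + rdata)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("machine 0x%x, link time %s" % (info["machine"], coff_timestamp(info)))
    for s in info["sections"]:
        print(f"{s['name']:<8} vsize={s['virtual_size']:<6} rsize={s['raw_size']:<6} entropy={s['entropy']}")
    for line in packing_indicators(info):
        print("!", line)
```

Run against the constructed file, the script reports .text with entropy close to 8 while its virtual and raw sizes match, the same combination the page describes: the size check alone says nothing, the entropy check flags the section. To use it on a real file, pass `open(path, "rb").read()` to `parse_pe` instead of `build_sample_pe()`.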

Strings

  • C:\zizalat\xizifuvo51\gosaxoy83\yiyaxam47 s.pdb (debug symbol file location)
  • 13.54.37.25 (IP/URL?)

Some Suspicious Imports

  • CreateFileW: indicates that the malware creates or checks for a file on disk
  • VirtualAlloc: indicates that the malware might be doing some process injection
  • IsDebuggerPresent: used for anti-debugging
  • CheckRemoteDebuggerPresent: checks for a remote debugger, also for anti-debugging

Basic Dynamic Analysis

Procmon

During dynamic analysis, Procmon shows failed attempts to find files in the same location as the malicious executable (possibly companion files).

No network activity was captured.
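The Procmon observation above can be turned into a repeatable check. As an added example that is not part of the original post, the Python below reads a Procmon CSV export (column names follow Procmon's default CSV export; the rows themselves are constructed for this example, not a capture of the RedLine sample) and lists the files a given process probed next to its own image without finding them, plus a per-directory count of failed lookups. The process name, image path and probed file names are assumptions chosen for the demonstration.

```python
import csv
import io
import ntpath

# Constructed Procmon-style CSV export (not real capture data).
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","sample.exe","4120","CreateFile","C:\\Users\\analyst\\Desktop\\sample.exe","SUCCESS","Desired Access: Read Data"
"10:01:02.2234567","sample.exe","4120","CreateFile","C:\\Users\\analyst\\Desktop\\sample.exe.config","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3234567","sample.exe","4120","CreateFile","C:\\Users\\analyst\\Desktop\\sample.exe.local","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4234567","sample.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data"
"10:01:02.5234567","sample.exe","4120","CreateFile","C:\\Windows\\System32\\nonexistent.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:01:02.6234567","explorer.exe","1234","CreateFile","C:\\Users\\analyst\\Desktop\\notes.txt","NAME NOT FOUND","Desired Access: Read Data"
"""


def _failed_createfile_rows(csv_text: str, process_name: str):
    """Yield CreateFile rows of one process that ended in NAME NOT FOUND."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        yield row


def failed_lookups_by_directory(csv_text: str, process_name: str) -> dict:
    """Count failed file lookups per directory (lower-cased Windows paths) for one process."""
    counts = {}
    for row in _failed_createfile_rows(csv_text, process_name):
        d = ntpath.dirname(row["Path"]).lower()
        counts[d] = counts.get(d, 0) + 1
    return counts


def companion_file_candidates(csv_text: str, process_name: str, exe_path: str) -> list:
    """Paths the process probed in its own directory and did not find (potential companion files)."""
    exe_dir = ntpath.dirname(exe_path).lower()
    return [row["Path"] for row in _failed_createfile_rows(csv_text, process_name)
            if ntpath.dirname(row["Path"]).lower() == exe_dir]


if __name__ == "__main__":
    exe = r"C:\Users\analyst\Desktop\sample.exe"
    for path in companion_file_candidates(SAMPLE_PROCMON_CSV, "sample.exe", exe):
        print("probed next to image:", path)
    for d, n in failed_lookups_by_directory(SAMPLE_PROCMON_CSV, "sample.exe").items():
        print(f"{n} failed lookup(s) in {d}")
```

Filtering on the process name keeps unrelated noise (explorer.exe in the sample) out of the result, and grouping by directory separates probes next to the image from ordinary DLL search-order misses under System32. Export a real capture with File > Save > CSV in Procmon and pass the file's text in place of the constructed string.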


Behavioral Analysis

Virustotal

On VirusTotal, 50 out of 68 vendors flag this file as malicious.

Virustotal Link

Sandboxes

Here is a list of online sandboxes and their reports:

Cuckoo Sandbox (cert.ee)

Hybrid-Analysis

JoeSandbox

Hatching Triage