# Fake Cracked Software Caught Peddling
 Redline Stealers

### By Akshat Pradhan


-----

## Table of Contents

###### 3 Executive Summary

 3 Key Research Findings

 4 Inside the Malware-as-a-Service
 Industry

 7 Technical Analysis of Redline
 InfoStealer Campaign

 7 Archive Analysis

 10 Simple Loader Analysis

 14 PureCrypter Analysis

16 Delay Module

16 Exclusion Module

19 Fake Message Module

19 Debugger/Sandbox Check Module

22 Discord Module

23 Binder Module


###### 29 Conclusion

 30 ATT&CK Mapping

 31 Appendix

 33 IOCs

 33 Discord Attachment URLs

 33 Dropper URLs

 34 Dropper Samples

 34 Redline CnC IP

 34 Redline InfoStealer

 34 About Qualys


23 StartUp Module

24 Injection Module

###### 26 Redline Stealer Analysis


-----

## Executive Summary

##### Qualys Threat Research continues our efforts to identify and document

 previously unseen adversary activity to better understand their tactics,

 techniques, and procedures (TTPs) and defend against them. As a result

 of this endeavour, we identified a new Redline InfoStealer campaign that

 spreads via fake cracked software hosted on Discord’s content delivery

 network (CDN). The campaign was actively observed from the end of

 January to March 2022 and utilized commercial malware families. This

 makes attribution particularly difficult due to overlap in IOCs and TTPs.

 The main objective of this campaign was to acquire Redline logs for

 monetary gain. In this whitepaper, we dissect the entire campaign in-depth

 and delve into underground markets to examine the complexity and

 replicability of the overall flow.

## Key Research Findings

9 Zip archives with fake cracked software that ultimately deployed Redline

9 URL shorteners and fake sites that redirected victims to zip archives hosted on Discord’s CDN

9 Archive contained simple loaders for PureCrypter with a hijacked certificate from Exodus Movement Inc

9 PureCrypter injection module was used to deploy Redline InfoStealer


-----

## Inside the Malware-as-a-Service Industry

We will describe the various commercial malware that were part of the campaign in this section.

At Qualys, we use the term “Simple Loader” to refer to a large group of samples that use MSIL stub codes to
perform download and execution of second stage payloads (Fig.10). They also contain multiple junk functions
from legitimate applications. Due to the large number of samples that have been observed using this
technique, it is highly likely that multiple tools have emerged that build these stubs. These stub loaders are
[often observed in commercial malware campaigns.](https://twitter.com/ESETresearch/status/1483161464106098689)

PureCrypter is a commercial tool for obfuscation, evasion, and injection that is often sold on hacking forums
(Fig.0). PureCrypter claims that it is ‘fully undetected’ (FUD) and offers a variety of features from evasion checks,
exclusion additions, multiple injection techniques, multiple persistence methods, etc. PureCrypter has multiple
pricing packages and costs $59 for 30 days (Fig.1). The team also has other projects for sale such as miners,
RATs, worms, and more.

_Fig.0 PureCrypter advertisement_

_Fig.1 PureCrypter pricing packages_


-----

Redline Stealer is a commercially available infostealer that is sold on underground markets (Fig.2).

_Fig.2 Advertisement for Redline on underground markets, with translations_

Translating these advertisements on its official market and support channels revealed an impressive list of features:

9 Grab logins and passwords

9 Grab cookies

9 Grab autofill data

9 Grab credit cards

9 Files from file grabbers

9 Grab FTP/IM client data

9 Create/edit tasks

9 Download a file via direct links

9 Inject a 32-bit PE file

9 Download and execute PE

9 Open link in default browser

9 Grab system information

9 Grab data from browsers

9 Various log sorters to sift through acquired data and grab interesting data.

9 Cloning certificates

9 Built in builder with parameters

9 Blacklist countries where the stealer won’t work

9 Crypto scanner

9 Creating a loader with embedded links

9 Check AV detections using Dyncheck


-----

The prices for Redline’s subscription at the time of publication was about $150 per month. The standalone
pro version costs about $800 and includes free lifetime updates and support. We even observed a user asking
for help in building a Redline panel who was then directed to customer support. The market also has various
sellers advertising:

9 Manuals on various topics such as hosting your own stealer, SEO for fake sites with cracked software,

carding, etc.

9 Redline logs

9 Credentials for popular sites such as AOL, Yahoo, Amazon, etc.

9 RDP access

9 Offers to buy web shells

9 Escrow services

9 Banking details such as card details, ATM pins, credentials etc.

9 SMS and mail senders

Members also posted specific requests such as country-specific site access, Coinbase accounts, gift cards,
and other inquiries. This highlights how organized the Redline market is. It was surprising to observe the
commercialization and mature organizational structure of the malware-as-a-service industry.

In the next section, we will review the entire campaign flow in depth.


-----

## Technical Analysis of Redline InfoStealer Campaign

#### Archive Analysis

We identified several zip files that contained droppers for Redline InfoStealers. The zips were named after
popular software that were thematically spread across NFTs, games, editing, and installers (Fig.3).

_Fig.3 Zips with popular software names_

There were several indicators that pointed to these zip files being authored by the same tool or adversary.
The folder structures, obfuscation used, contacted IPs, dropping methodology, and other indicators were all
identical (Fig.4).

_Fig.4 Folder structure_


-----

The hackers tried to lend an air of legitimacy to the setup binary (simple loader) by bundling decoy files, icons,
and resources from legitimate applications. They also used a hijacked certificate from Exodus Movement Inc., a
crypto wallet application (Fig.5).

_Fig.5 Hijacked certificate detail_

However, the sample 06f65e5d32f58944fe0a50f12d8eb5c4 did not have this certificate and was unsigned. We
are unclear on whether this was a mistake on the attacker’s part or not.

An interesting example of the customization per sample was observed by dumping the manifest of the binary,
whereby the theme of the sample was maintained.

_Fig.6 Customized manifests_

Here, Gigaland is an NFT marketplace and Dinox is an NFT-themed collectible game (Fig.6).


-----

The dropper binaries also had large sections of padding to avoid automated analysis with size limits (Fig.7).

_Fig.7 Padding_

The zip files were hosted via Discord attachments. At times, the attackers used a URL shortening service that
ultimately resolved to the Discord attachment. Discord URLs are public by default without any access control
and have the format:

###### https://cdn[.]discordapp[.]com/attachments/[ChannelID]/[AttachmentID]/[filename]

The ChannelID here is the unique id of the text channel where this message was initially published. Multiple
channels like this make up a server. This information is not sufficient to identify the message author and the
server on which it was initially sent.

[There has been a steady increase in Discord CDN abuses and other vendors have also documented such attacks.](https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/)
The full list of identified URLs and their redirects are listed under the IOC section at the end of this paper.


-----

#### Simple Loader Analysis

**Sample MD5: a90d58052bcacd0194d1dfc0dd9d7929**

Interestingly, all the droppers identified were functionally the same yet have varying degrees of obfuscation
and complexity. Some notable obfuscation techniques are listed in the table below. It is unclear exactly which
obfuscator was used on these simple loaders.

**OBFUSCATION** **DESCRIPTION** **OBSERVED SAMPLES**

Reflective method calls Sample uses static method, reflection, 7f6de92ece5a366cc15af5574701fe98,
and byte arrays to dynamically map 1c8112b8e1f13ca4129cae22f3387d47,
methods. (Fig. 6). 06f65e5d32f58944fe0a50f12d8eb5c4,

771a4fea6f33eac0771b108e8933703a

Embedded command Sample uses hex encoded string bytes 06f65e5d32f58944fe0a50f12d8eb5c4,
that are xored and/or text replaced. 154bda18ddf65e3d79caa9abeb7c4468

Overloaded methods Overloading methods and using an a90d58052bcacd0194d1dfc0dd9d7929
array with a variable to define which
method is called.

Hashed method names Sample uses the embedded command 154bda18ddf65e3d79caa9abeb7c4468
obfuscation technique with hashed
method names to obfuscate flow.

The dropper first created a new PowerShell process to pause the program (Fig.8):

###### Powershell.exe -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAxAA==

The encoded command decoded to cmd /c timeout 21. Another variant used the command (Fig.9):

###### powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==

Which decodes to Start-Sleep -s 20.

|OBFUSCATION|DESCRIPTION|OBSERVED SAMPLES|
|---|---|---|
|Refel ctive method calls|Sample uses static method, refel ction, and byte arrays to dynamically map methods. (Fig. 6).|7f6de92ece5a366cc15af5574701fe98, 1c8112b8e1f13ca4129cae22f3387d47, 06f65e5d32f58944fe0a50f12d8eb5c4, 771a4fea6f33eac0771b108e8933703a|
|Embedded command|Sample uses hex encoded string bytes that are xored and/or text replaced.|06f65e5d32f58944fe0a50f12d8eb5c4, 154bda18ddf65e3d79caa9abeb7c4468|
|Overloaded methods|Overloading methods and using an array with a variable to defni e which method is called.|a90d58052bcacd0194d1dfc0dd9d7929|
|Hashed method names|Sample uses the embedded command obfuscation technique with hashed method names to obfuscate fol w.|154bda18ddf65e3d79caa9abeb7c4468|


-----

_Fig.8 Process creation in sample 7f6de92ece5a366cc15af5574701fe98_

_Fig.9 Process creation in sample a90d58052bcacd0194d1dfc0dd9d7929_

The next step was to connect to the IP 81[.]4[.]105[.]174 to download the PureCrypter injector which had
Redline Stealer embedded as a resource. The URL typically followed the format of:

###### Protocol:ip/.Net AssemblyName.extension


-----

The file extension used here was typically .jpg, .png or .log to make the URL seem innocuous (Fig.10). The full
[list of URLs can be found in the IOC section. We have also created a VT graph to highlight similar URLs and the](https://www.virustotal.com/graph/embed/g6ec980f3eff04923944fd33f42ecf83e4b9efe22a19744f4b3cc50dfaaabd543)
communicating samples.

_Fig.10 Download in sample a90d58052bcacd0194d1dfc0dd9d7929_


-----

The downloaded content was in reverse order and thus, the bytes were reversed before execution (Fig.11).

_Fig.11 Bytes reversed in a90d58052bcacd0194d1dfc0dd9d7929_

The full list of dropper URLs and the hashes of the reversed downloaded samples are listed in the IOC section.
Execution of the next stage payload was achieved by loading the dropped dll and calling its method to pass
execution (Fig.12). This was functionally similar in all observed samples.

_Fig.12 Execution of payload in a90d58052bcacd0194d1dfc0dd9d7929_


-----

#### PureCrypter Analysis

**Sample MD5: 57bf626239b8db6e1434dbc8ee7cef86**

We are certain that the second stage payload was obfuscated PureCrypter instances. We were able to identify
two samples that were packed with SmartAssembly and were able to unpack them (Fig.13).

_Fig.13 de4dot obfuscator detection output_

SmartAssembly encrypts strings that the sample used and thus we needed to decrypt them. The way SmartAssembly
does this is by replacing the string with a call to a getString(int) function call that is delegated at runtime. This
function xors the integer value with a key and subtracts the offset to retrieve the encoded string stored in a
resource file. The strings are stored in the format LengthBase64EncodedString. The decoded strings for this sample can
be found in the Appendix. The decoding routine is heavily used at the start of the sample to import functions.

Other variants have resource files with a {z} header followed by a switch that determines the kind of decryption or
decompression to be done. This ultimately results in strings stored in the same LengthBase64EncodedString format.

The sample started by extracting its settings from a hardcoded byte array that was reversed, decompressed,
unserialized, and casted to a protobuf structure (Fig.14).

_Fig.14 Settings extraction and mapping it to protobuf_


-----

The settings schema is shown below. This sample is primarily used for injecting Redline. However, we redirected
execution to different Modules to fully explore PureCrypter’s capabilities by modifying these settings (Fig.15).

_Fig. 15 Settings Proto Schema._


-----

###### Delay Module

The Delay module checked whether the setting IsDelay is enabled and goes into an infinite loop with periodic
sleeps of 1000 milliseconds until the Delay variable is set to 0 (Fig.16). This module is probably used as a means
of evading automated analysis by timing them out.

_Fig. 16 Delay module_

###### Exclusion Module

The Exclusion module is used to add an exclusion to defender for the root drive from which the process
is executed.

The module initially checked whether StartupSettings is enabled. If it is, it verified that the current executing
process’s ImagePath matches the file path as defined in its settings. The module exits if this check fails (Fig.17).
The Module skips this check if StartupSettings is disabled.


-----

_Fig.17 File full path check_

The module then performed a check for whether the current process has admin privileges and restarted itself if
it didn’t:

###### Cmd /k START “””” “”<FilePath>“” & EXIT

This command included the verb runas to execute with admin privileges (Fig.18). The user thinks he is installing
a cracked application and so the UAC prompt does not raise any suspicion.

_Fig.18 Process restarted via cmd_


-----

The sample then closed the Mutex (Hejrqayc) if it is created to avoid interference with the elevated process
before killing itself (Fig.19).

_Fig.19 Non elevated process exits_

The module then retrieved the drive name from the file path. It prepended the string Set-MpPreference
_-ExclusionPath and Base64 encoded it. The module then started a new PowerShell process with the Base64_
encoded command line and waited for it to exit (Fig.20).

###### Powershell “-enc

 AHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvA

 G4AUABhAHQAaAAgACcAQwA6AFwAJwA=” UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAG

 MAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwA=”

_Fig.20 Powershell adding defender exclusion_


-----

###### Fake Message Module

The Fake Message module displayed a message box, possibly to dissuade user suspicions.

This module started by performing the same StatupSettings check as the Exclusion module. The module also
performed an additional check to verify whether the sample started from one of the special folders. If any
check failed, the module exits. The module then displayed a message box with the description and message
box type retrieved from its settings and, the title retrieved from the embedded resource (NULL, therefore the
title is Error) (Fig.21).

_Fig.21 Fake Message Module_

###### Debugger/Sandbox Check Module

The Debugger/Sandbox module performed multiple checks to identify an analysis environment.

The first check is for the presence of a debugger by using CheckRemoteDebuggerPresent and by enumerating
loaded modules to identify SbieDll.dll (Fig.22).

_Fig.22 Debugger Check_


-----

The module checked the output of WMI queries to identify a virtual or sandbox environment (Fig.23).

###### Select * From Win32_BIOS; retrieve the version and SerialNumber. Concatenate and checked

 against VMWare|Virtual|A M I|Xen

 Select * from Win32_ComputerSystem; retrieve the manufacturer and model. Concatenate

 and checked against Microsoft|VMWare|Virtual

_Fig.23 WQL check_


-----

The module also checked monitor dimensions to identify a sandbox environment. Finally, it performed another
check to see if the username of the current logged in user is not anna, john or xxxxxxxx. This is possibly to
identify some sandbox environments where they are the default users (Fig.24).

_Fig.24 Sandbox checks_

If any of these failed, the sample started a clean-up operation by using PowerShell to delete itself from disk,
closing its mutex, and exiting (Fig.25).

###### powershell Start-Sleep -s 10; Remove-Item -Path “ <PATH> “ -Force

_Fig.25 Sample clean-up_


-----

###### Discord Module

The Discord module is used to collect information about the current system and upload it to a URL specified in
settings. The following details about the current environment are collected and sent via a POST request.

**USERNAME** **PURECRYPTER**

content :loudspeaker: *NEW EXECUTION*
:one: **User** = <username>
:two: **Date UTC** = <UTC Time>
:three: **File** = <File Name>

This appears to be an initial call back to register the victim to a C2 server (Fig.26).

_Fig.26 Data collection and redirected output to netcat_

|USERNAME|PURECRYPTER|
|---|---|
|content|:loudspeaker: *NEW EXECUTION* :one: **User** = <username> :two: **Date UTC** = <UTC Time> :three: **File** = <File Name>|


-----

###### Binder Module

The Binder module decompressed the embedded byte array payload, wrote it to temp, and executed it via
another dropped vbs file with a randomly generated name based on a randomly picked file or directory (Fig.27).
We did not have the byte array payload to explore this further.

###### CreateObject(“WScript.Shell”).Run “”” <File Name> “””, 1, False

_Fig.27 Payload drop and execute_

###### StartUp Module

The StartUp module is used to set up delayed execution of the PureCrypter payload based on a variety of
registry-related persistence techniques.

The module started by dropping PureCrypter in the same directory as the loader and then killing the running
loader. The module then establishes persistence based on the value of EnumStartup (Fig.28). Therefore,
PureCrypter can establish persistence via:

9 Run keys

9 Explorer User Shell Folder and Shell Folders

9 Winlogon

_Fig.28 StartUp Module_


-----

###### Injection Module

The final module – and the one for which our sample is configured – is the Injection module. This module
essentially has three different techniques to decode an embedded resource payload (Nbehtoiv) and inject it into
a running process (Fig.29).

The first technique reversed the resource, Gunziped it, loaded it via Assembly.Load and invoked its entrypoint.

_Fig.29 Assembly Load_

The second technique reversed the resource, Gunziped it, wrote it to the current processes memory, and then
passed control over to it (Fig.30).

_Fig.30 Memory injection_

The final method also reversed and Gunziped the embedded resource. It then checked the file to inject into by
checking the .NET runtime directory appended with the InjectionPath setting string (Fig.31). If that file did not
exist, the module injected into a currently running process by enumerating all processes to find a target.

_Fig.31 Injection target check_

After identifying a likely injection target and acquiring a handle to it (Fig.32), the module enumerated its loaded
modules to check if they have sufficient size for the injection payload. This occurs till a target is found. The
module then tried to write the injection payload into the process at the identified loaded module address and
passed control over to it (Fig.33).


-----

_Fig.32 Identifying injection target_

_Fig.33 Writing payload to target process_

The injected payload is Redline InfoStealer.


-----

#### Redline Stealer Analysis

**Sample MD5: c827633ffacf2424112957e2ba523909**

Redline started with the following hardcoded arguments.

**NAME** **VALUE (DECODED)**

IP 193.203.203.82:23108

ID B1

Message “”

Key Oscular

Version 2

193.203.203.82 is a known Command and Control (CnC) Panel that has been active since as far back as
[September 2021. It has also been identified as part of other Redline attributed activity.](https://www.virustotal.com/graph/embed/ge532e31f3fb44dfdb9789d38e6867a0a659cadeb343545aba990a0d6d9d72a42)

|NAME|VALUE (DECODED)|
|---|---|
|IP|193.203.203.82:23108|
|ID|B1|
|Message|“”|
|Key|Oscular|
|Version|2|


-----

Redline started by displaying an error message box with the contents of Message argument in a new thread.
It then attempted to connect to the CnC server over TCP every 5 seconds. Once the connection is established,
Redline attempted to poll the server every second to retrieve its settings (Fig.34).

_Fig.34 Redline polling server_

It then sent the ID and the version to the CnC server to register itself and retrieved its tasks. These define which
module is to be executed (Fig.35).

_Fig.35 Registering client and polling tasking_


-----

Redline also had an update method to update command lines, tasks and download and execute a patch (Fig.36).

_Fig.36 Redline update routine_

We will briefly go over some of the more interesting Redline modules which highlight its capabilities.

**MODULE NAME** **DESCRIPTION**

CryptoHelper Routines for Aes, hashing and other cryptographic methods

AllWallets Collects crypto wallets by scanning directories with keywords related to wallets

BrEx Collects login data, cookies, form data, extension details from browser paths

ConfigReader Collects directory structure of a given directory or drive

DataBaseConnectionHandler Collects data from identified SQL databases

DesktopMessanger Collects data from Telegram desktop

Discord Collects logs, tokens etc. from Discord desktop

FileExt Reads specified file

FileSearcher Performs searches to find files

FileScanning Performs searches to find directories

FileZilla Collects Filezilla related data such as credentials, recent files etc.

FullInfoSender Collects processor details, graphic card details, RAM details, browser details,
installed programs, antivirus details, running processes, installed languages,
output from all modules, username, Windows version, current language,
execution location, serial number and current time zone

GameLauncher Collects data from Steam launcher

g_E_c_k_0 Collects data from browsers using Gecko engine

NordApp Collects Nord VPN related data.

OpenVPN Collects Open VPN related data.

РrоtoнVРN Collects Proton VPN related data.

Most of the data collection modules are functionally similar with arguments to a file scanner interface that
defines the location and the data that should be stolen (Fig.37). Modules also implement targeted applicationspecific functions to extract interesting data such as credentials, form fields, VPN configs, and more.

|MODULE NAME|DESCRIPTION|
|---|---|
|CryptoHelper|Routines for Aes, hashing and other cryptographic methods|
|AllWallets|Collects crypto wallets by scanning directories with keywords related to wallets|
|BrEx|Collects login data, cookies, form data, extension details from browser paths|
|Confgi Reader|Collects directory structure of a given directory or drive|
|DataBaseConnectionHandler|Collects data from identifei d SQL databases|
|DesktopMessanger|Collects data from Telegram desktop|
|Discord|Collects logs, tokens etc. from Discord desktop|
|FileExt|Reads specifei d flie|
|FileSearcher|Performs searches to fni d flies|
|FileScanning|Performs searches to fni d directories|
|FileZilla|Collects Filezilla related data such as credentials, recent flies etc.|
|FullInfoSender|Collects processor details, graphic card details, RAM details, browser details, installed programs, antivirus details, running processes, installed languages, output from all modules, username, Windows version, current language, execution location, serial number and current time zone|
|GameLauncher|Collects data from Steam launcher|
|g_E_c_k_0|Collects data from browsers using Gecko engine|
|NordApp|Collects Nord VPN related data.|
|OpenVPN|Collects Open VPN related data.|
|РrоtoнVРN|Collects Proton VPN related data.|


-----

_Fig. 37 Scanning arguments for BrEx_

## Conclusion

Redline has become one of the most widely used infostealers due to its wide range of capabilities and a thriving
structured underground MaaS market.

It was fascinating to observe the flow of an entire campaign from obfuscated loaders loading SmartAssembly
and PureCrypter injectors that in the end injected Redline to steal data from infected machines.

Adversaries have continued their usage of legitimate services to host their payloads and defenders need to
account for it. Existing security detections that identify data collection will trigger due to Redline activity.


-----

## ATT&CK Mapping

[Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001](https://attack.mitre.org/techniques/T1547/001/)

[Non-Application Layer Protocol T1095](https://attack.mitre.org/techniques/T1095/)

[Non-Standard Port T1571](https://attack.mitre.org/techniques/T1571/)

[Credentials from Password Stores T1555](https://attack.mitre.org/techniques/T1555/)

[Automated Collection T1119](https://attack.mitre.org/techniques/T1119/)

[Data from Local System T1005](https://attack.mitre.org/techniques/T1005/)

[Process Injection T1055](https://attack.mitre.org/techniques/T1055/)

[Command and Scripting Interpreter: Visual Basic T1059.005](https://attack.mitre.org/techniques/T1059/005/)

[Indicator Removal on Host: File Deletion T1070.004](https://attack.mitre.org/techniques/T1070/004/)

[Virtualization/Sandbox Evasion T1497](https://attack.mitre.org/techniques/T1497/)

[Impair Defenses: Disable or Modify Tools T1562.001](https://attack.mitre.org/techniques/T1562/001/)

[Windows Management Instrumentation T1047](https://attack.mitre.org/techniques/T1047/)


-----

## Appendix

|LEN (DEC)|DECODED STRING|
|---|---|
|4|'|
|4|,'|
|44|Set-MpPreference -ExclusionPath|
|12|kernel32|
|24|UmV@zdW1l@VGhyZWFk -> ResumeThread|
|40|V293NjRT@ZXRUaHJlYWRDb250ZXh0 -> Wow64SetThreadContex|
|36|U2V0@VGhyZ@WFkQ29udGV4dA== -> SetThreadContext|
|36|R2@V0VGhyZWFkQ@29udGV4dA== -> GetThreadContext|
|32|VmlydHVh@bEFsbG9@jRXg= -> VirtualAllocEx|
|36|V3JpdGVQcm9j@ZXNzT@WVtb3J5 -> WriteProcessMemory|
|08|ntdll|
|40|WndVbm1h@cFZpZXd@PZlNlY3Rpb24= -> ZwUnmapViewOfSection|
|40|Q3JlY@XRlU@HJvY2Vzc0E= -> CreateProcessA|
|24|Q2xv@c2VI@YW5kbGU= -> CloseHandle|
|36|Um@VhZFByb2N@lc3NNZW1vcnk= -> ReadProcessMemory|
|04|@|
|04|032E02 (hex representation) / NULL|
|12|Nbehtoiv|
|16|Powershell|
|8|-enc|
|8|.vbs|
|52|CreateObject("WScript.Shell").Run """|
|20|""", 1, False|
|88|Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders|
|12|Startup|
|92|Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|
|92|%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\|
|72|Software\Microsoft\Windows NT\CurrentVersion\Winlogon|
|08|Shell|
|20|explorer.exe,"|
|4|“,|
|64|Software\Microsoft\Windows\CurrentVersion\Run\|
|04|"|
|08|.exe|
|04|20 (hex)|
|12|ToInt32|
|52|- (Windows|Microsoft) Internet Explorer|
|12|iexplore|
|52|Start-Sleep -s 10; Remove-Item -Path "|
|12|" -Force|
|16|powershell|
|04|cmd|
|20|/k START "" "|
|12|" & EXIT|
|08|runas|


-----

|LEN (DEC)|DECODED STRING|
|---|---|
|04|.|
|16|SbieDll.dll|
|08|john|
|08|anna|
|12|xxxxxxxx|
|32|select * from Win32_BIOS|
|40|Unexpected WMI query failure|
|12|version|
|16|SerialNumber|
|32|VMware|VIRTUAL|A M I|Xen|
|48|select * from Win32_ComputerSystem|
|16|manufacturer|
|08|model|
|32|Microsoft|VMWare|Virtual|
|12|username|
|16|PureCrypter|
|12|content|
|68|:loudspeaker: *NEW EXECUTION* :one: **User** =|
|32|:two: **Date UTC** =|
|28|:three: **File** =|
|04|20 0D 0A (hex) | \r\n|
|04|x2|
|16|.compressed|
|12|costura|
|40|costura.costura.dll.compressed|
|16|protobuf-net|
|48|costura.protobuf-net.dll.compressed|


-----

## IOCs

##### Discord Attachment URLs

https://cdn[.]discordapp[.]com/attachments/928009932928856097/936319550855716884/Windows11InstallationAssistant.zip

http://cdn[.]discordapp[.]com/attachments/928009932928856097/936319550855716884/Windows11InstallationAssistant.zip

https://cdn[.]discordapp[.]com/attachments/934931217160212483/936418434353352734/Adobe_Premiere_Pro_2022.zip

https://cutt[.]ly/JOutnwm ->
https://cdn[.]discordapp[.]com/attachments/934931217160212483/936418434353352734/Adobe_Premiere_Pro_2022.zip

https://adobepremierpro[.]tiny[.]us/download ->
https://cdn[.]discordapp[.]com/attachments/630849870097416212/937402126634717214/Premier_Pro_Crack_Installer_
v22.1.1.zip

https://cdn[.]discordapp[.]com/attachments/630849870097416212/937402126634717214/Premier_Pro_Crack_Installer_
v22.1.1.zip

https://cdn[.]discordapp[.]com/attachments/630857695402131498/939484341749309560/Premiere_Pro_Crack_Installer_
v22.1.1.zip

https://adobepremierepro[.]tiny[.]us/download -> https://cdn[.]discordapp[.]com/
attachments/630857695402131498/939484341749309560/Premiere_Pro_Crack_Installer_v22.1.1.zip

http://gg[.]gg/xqbt3 -> https://cdn[.]discordapp[.]com/attachments/904314549568675903/936336280999051315/Installer.zip

https://cdn[.]discordapp[.]com/attachments/904314549568675903/936336280999051315/Installer.zip

https://best-plugins[.]tiny[.]us/autotunepro ->
https://cdn[.]discordapp[.]com/attachments/630849870097416212/936622136003538984/Setup_Auto-Tune_Pro_v9.1.0.zip

https://sonyvegaspro[.]tiny[.]us/download ->
https://cdn[.]discordapp[.]com/attachments/630857695402131498/940285843447353374/MAGIX.Vegas.Pro.v19.0.458.zip

https://expres-v[.]com/download/Installer.zip

|Dropper URLs|Col2|Col3|
|---|---|---|
|DROPPER|URL|DROPPED SAMPLE|
|06f65e5d32f58944fe0a50f12d8eb5c4|http://81[.]4[.]105[.]174/Epujhn[.]jpg|d3ca123f9e81ad8f8e8ae4cc3803f590|
|1c8112b8e1f13ca4129cae22f3387d47|http://81[.]4[.]105[.]174/Bkcmvj[.]jpg|7aeac72fd0ef3b77e8c6bf0212bc99dd|
|154bda18ddf65e3d79caa9abeb7c4468|http://81[.]4[.]105[.]174/Mujov[.]log|bd0592b2c25c38a7cf353095cc97bdc8|
|a90d58052bcacd0194d1dfc0dd9d7929|http://81[.]4[.]105[.]174/AdobeFile[.]log|701f36ba3ecdc890710413ed7a26861d|
|7f6de92ece5a366cc15af5574701fe98|http://81[.]4[.]105[.]174/Ipqtn[.]jpg|dc815147f7fe11d08d7d64213f9032e7|
|5acd1037872f39b9034707ae3618f3a3|http://81[.]4[.]105[.]174/Jiupcw[.]png|bf285233dc836f62bc82a209c5dab48b|
|771a4fea6f33eac0771b108e8933703a|http://81[.]4[.]105[.]174//win11[.]jpg|6dfa84ac778aa418adcb649651d17ccd|

|URL|DROPPED SAMPLE (REVERSED)|
|---|---|
|http://81[.]4[.]105[.]174/Nyszfp[.]png|57bf626239b8db6e1434dbc8ee7cef86|
|http://81[.]4[.]105[.]174/Ezzivoo[.]png|9b85cd189f7b8f6ba4213470523a0f59|
|http://81[.]4[.]105[.]174/Rdxgbxvf[.]jpg|c79bb6ecc930cb9a6aba43de47e02013|
|http://81[.]4[.]105[.]174/Cqstk[.]png|5545a2f4f 2f03e95661aba7eb080ce17|
|http://81[.]4[.]105[.]174/Obqjyz[.]log|7e16c22ecc22113854b247f5886c98f5|
|http://81[.]4[.]105[.]174/PythonFile[.]jpg|45cf0a81dc1a3b75b0f3cf598566d315|
|http://81[.]4[.]105[.]174/CcleanerInstaller[.]jpg|8a6ce4ad539d027b4cbbdd147158af4d|
|http://81[.]4[.]105[.]174/Ikgvjkeu[.]jpg|cd39fa7364d13fe521aad91b8e99760f|
|http://81[.]4[.]105[.]174/Jfuygzod[.]png|0d9ac7274be792796eeebed217cc6e58|
|http://81[.]4[.]105[.]174/Win11ClubHelloAgain[.]jpg|b8312c8e83bab1f003d03eacc10c8054|
|http://81[.]4[.]105[.]174/Liafandgotica[.]png|3f6ec963e276603ece3af20d5a3075cc|
|http://81[.]4[.]105[.]174/lavgimu[.]jpg|92d939fabae206a9e5df8ba2e8a10877|
|http://81[.]4[.]105[.]174/VideoPublicAllocation[.]log|63fdd2a00dc456a3189a2c4fd3d499d1|


-----

|Dropper Samples|Col2|
|---|---|
|NAME|HASH|
|Windows11InstallationAssistant.exe|771a4fea6f33eac0771b108e8933703a|
|Setup Auto-Tune Pro v9.1.0.exe, Premier Pro Crack Installer v22.1.1.exe, Premiere Pro Crack Installer v22.1.1.exe, NEXUS INSTALLER.exe, MAGIX.Vegas.Pro.v19.0.458.exe, FAB_FILTER_ INSTALLER.exe, COD MERCY v1.7.exe, Sapphire Installer.exe|7f6de92ece5a366cc15af5574701fe98|
|Set-Up.exe|a90d58052bcacd0194d1dfc0dd9d7929|
|Installer.exe|06f65e5d32f58944fe0a50f12d8eb5c4|
|InstallerZnanoz.exe|5acd1037872f39b9034707ae3618f3a3|
|Eye-Saver-Setup.exe|154bda18ddf65e3d79caa9abeb7c4468|
|Dinox_installer.exe|1c8112b8e1f13ca4129cae22f3387d47|


#### Redline CnC IP

193.203.203.82:23108

#### Redline InfoStealer

c827633ffacf2424112957e2ba523909

**About Qualys**

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based Security, Compliance and IT solutions with more than 10,000 subscription
customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and
compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings. Qualys, Qualys VMDR® and the Qualys logo
are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.


-----