# Full RedLine malware analysis

muha2xmad.github.io/malware-analysis/fullredline/

### Muhammad Hasan Ali

Malware Analysis learner

5 minute read

**As-salamu Alaykum**

## Introduction

April 21, 2022

RedLine Stealer has been delivered through various channels. It is mostly distributed through phishing emails or malicious software disguised as installers for Telegram, Discord, or cracked software. More recently, phishing links that download a Chrome extension containing RedLine Stealer have been used, promoted by abusing YouTube video descriptions and Google Ads, and a Python script that runs RedLine Stealer through FTP is also being distributed.

I tried to analyse three samples, but this one, `d81d3c919ed3b1aaa2dc8d5fbe9cf382`, is harder because its classes and arguments are obfuscated. Eventually the three samples turned out to be the same, just with different keys.

Download the sample from [vx-underground](https://samples.vx-underground.org/samples/Families/RedLine/Samples/0adb0e2ac8aa969fb088ee95c4a91536.7z) or [MalwareBazaar](https://bazaar.abuse.ch/sample/b06a04969f5856d665a1e837f7aed8b1adfca9e44d06e7d5100b8c3adac4df79/).

## Unpacking

Our sample comes packed with the `IntelliLock v.1.5.x` packer. We will use unpacme to unpack the sample, then continue the analysis with the unpacked sample `e90f6d0a7b7d0f23d0b105003fce91959c2083c23394b5cf43101c84ae8be4d2`.

Figure(1): Unpacked file

## Configuration Extraction

RedLine encodes its C2 server and the unique botnet ID with a hard-coded key, and uses the same key to decrypt them at runtime. We enter the `EntryPoint` class to see the encoded configuration.

Figure(2): Encoded configuration

In this sample, the decryption function is `Decrypt()`. It decrypts the C2 server and the unique ID using the key `Pythonic`. The decoding operation is FromBase64, then XOR with the key, then FromBase64 again, which can be reproduced [using CyberChef](https://gchq.github.io/CyberChef/). The C2 server address is `46.8.19.196:53773` and the ID is `ytmaloy8`.

Figure(3): Decoding the C2 server and botnet ID

## C2 server Communication

After decoding, the malware sends a request using `RequestConnection()` to `net.tcp://" + C2 address + "/"`. If there is a connection, the malware tries to get the settings `ScanningArgs`, a structure that stores configuration data and shows the malware's capabilities. The arguments carry boolean flags which decide which information will be collected, such as hardware info, browser credentials, FTP credentials, etc.

Figure(4): Boolean flags deciding whether to steal each category or not

## Collecting Information

The RedLine malware collects a lot of information about the infected host and stores it in `ScanResult`, which holds the environment settings of the infected host such as hardware info, ID, etc., and `ScanDetails`, which stores the credential details. Then we enter the `ResultFactory` class to explore its actions and see what info will be stolen, as follows.

Figure(5): The collected info from the infected host

Next we explain these actions and how RedLine gets files and info in detail. Some actions are easy to figure out, such as generating a unique MD5 hash, and getting the executed file path, language, time zone, screen resolution, OS version, etc. Installed software is enumerated by checking `Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall`, and running process info such as `processID`, `Name`, and `commandLine` is collected.

## Installed Browsers

RedLine collects information about installed browsers, such as `NameOfBrowser`, `Version`, and `PathOfFile`, from the `BrowserVersion` class.

Figure(6): The collected info of the installed browsers

Then it searches for Chromium-based browsers such as `Chromium`, `Chrome`, and `Opera`.
It collects `BrowserName`, `BrowserProfile`, `Logins`, `Autofills`, and `Cookies` in the `ScannedBrowser()` class.

Figure(7): The collected info of the installed Chromium-based browsers

Then it handles Gecko-based browsers such as `Firefox` and `Waterfox`, again collecting `BrowserName`, `BrowserProfile`, `Logins`, `Autofills`, and `Cookies` in the `ScannedBrowser()` class.

Figure(8): The collected info of the installed Gecko-based browsers

## Message Clients

The malware gets info about messaging clients such as Telegram and uses `DesktopMessangerRule()` to get the path of the `tdata` folder, which is used to store the data of the Telegram application.

Figure(9): The collected info of message clients such as Telegram

Figure(10): Search processes by name to get the telegram.exe path

## FTP credentials

The malware tries to collect FTP (File Transfer Protocol) client credentials by searching paths such as `{0}\\FileZilla\\recentservers.xml` and `{0}\\FileZilla\\sitemanager.xml`. Then it uses the `ScanCredentials()` class to extract the account credentials such as `Host`, `Port`, `User`, and `Password` from the XML file.

Figure(11): Get FTP credentials

## Crypto wallets

A crypto wallet is a program or a service which stores the public and/or private keys for cryptocurrency transactions. The malware searches for the wallet extensions listed in `BrowserExtensionsRule()`, such as `YoroiWallet`, `Coinbase`, `BinanceChain`, `BraveWallet`, `iWallet`, and `AtomicWallet`.

Figure(12): Crypto wallet credentials

## VPN credentials

The malware tries to collect `NordVPN`, `OpenVPN`, and `ProtonVPN` credentials. For OpenVPN, the `OpenVPNRule()` class searches for the XML file which contains the credentials, and likewise for ProtonVPN it uses the `ProtonVPNRule()` class to search for ProtonVPN credentials.

Figure(13): Steal OpenVPN credentials

## Checks if in the blocked list

Here the malware gets the `location`, `IP`, and `country` and checks whether the host is in the blocked list. If it is, the malware does nothing and exits.

Figure(14): Checks the blocked list

## Remote execution

The malware can run commands through `CommandLineUpdate()`, and after collecting the information about the infected host it can download extra payloads or malicious files using `DownloadUpdate()`, execute them using `DownloadAndExecuteUpdate()`, and start the resulting process. In this way it works as a dropper.

Figure(15): Malware works as a dropper

## IoC

| No. | Description | Hash and URLs |
|-----|-------------|---------------|
| 1 | The packed file (MD5) | 0adb0e2ac8aa969fb088ee95c4a91536 |
| 2 | The unpacked file (MD5) | 0C79BEE7D1787639A4772D6638159A35 |
| 3 | C2 server | 46.8.19.196:53773 |

## Yara Rule

```yara
rule redline_stealer
{
    meta:
        description = "Detecting unpacked RedLine"
        author = "Muhammad Hasan Ali @muha2xmad"

    strings:
        $mz = {4D 5A} // PE file
        $s1 = "Pythonic"
        $s2 = "IRemoteEndpoint"
        $s3 = "ITaskProcessor"
        $s4 = "IEnumerable"
        $s5 = "ScannedFile"
        $s6 = "ScanningArgs"
        $s7 = "ScanResult"
        $s8 = "ScanDetails"
        $s9 = "AllWalletsRule"
        $s10 = "TryCompleteTask"
        $s11 = "TryGetTasks"
        $s12 = "TryInitBrowsers"
        $s13 = "InstalledBrowsers"
        $s14 = "TryInitInstalledBrowsers"
        $s15 = "TryInitInstalledSoftwares"
        $s16 = "TryGetConnection"
        $s17 = "CommandLineUpdate"
        $s18 = "DownloadFile"
        $s19 = "DownloadAndExecuteUpdate"
        $s20 = "OpenUpdate"

    condition:
        ($mz at 0) and (10 of ($s*))
}
```

Article quote

اﻟﻤﺮء ﻻ ﯾﺼﻞ ﺑﺠﻬﺪه، أﻧﺖ ﺗﺒﺬل ﺟﻬﺪك ﺛﻢ ﯾﻔﺘﺢ اﷲ ﻋﻠﯿﻚ

(A person does not reach his goal by his effort alone; you put in your effort, and then Allah opens the way for you.)

## REF

- [RedLine Infostealer from Cyber-Anubis](https://cyber-anubis.github.io/malware%20analysis/redline/)
- [Deep Analysis of Redline Stealer from S2W](https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904)
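Added example, not code from the original post: the Configuration Extraction section describes the `Decrypt()` routine as FromBase64, then XOR with the key `Pythonic`, then FromBase64 again. The Python below implements that pipeline and runs it over a list of string literals, so an analyst can recover the C2 address and botnet ID from a dump of the `EntryPoint` strings without pasting each one into CyberChef. The post only shows the encoded literals in a screenshot, so the sample literals here are constructed from the post's own decoded values and key.

```python
import base64
import binascii
from itertools import cycle

# Values taken from the analysed sample (Configuration Extraction section).
KEY = "Pythonic"
C2_ADDRESS = "46.8.19.196:53773"
BOTNET_ID = "ytmaloy8"


def xor_with_key(data: bytes, key: str) -> bytes:
    """XOR every byte with the repeating key: the middle layer of the scheme."""
    return bytes(b ^ k for b, k in zip(data, cycle(key.encode())))


def decode_config_string(encoded: str, key: str) -> str:
    """FromBase64 -> XOR(key) -> FromBase64, the order the post gives for Decrypt()."""
    outer = base64.b64decode(encoded, validate=True)
    inner = xor_with_key(outer, key)
    return base64.b64decode(inner, validate=True).decode("utf-8")


def encode_config_string(plain: str, key: str) -> str:
    """Inverse of decode_config_string; used here only to build constructed samples."""
    inner = base64.b64encode(plain.encode("utf-8"))
    return base64.b64encode(xor_with_key(inner, key)).decode("ascii")


def recover_config(strings, key):
    """Try the key against every literal; keep those that decode to printable text.

    Returns {encoded_literal: decoded_value}. Literals that are not valid base64
    at either layer, or that decode to non-text bytes, are skipped rather than
    aborting the run, which is what happens to ordinary class-name strings.
    """
    found = {}
    for s in strings:
        try:
            plain = decode_config_string(s, key)
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if plain and plain.isprintable():
            found[s] = plain
    return found


# Constructed sample: the post's two config values encoded with the sample's key,
# mixed with an ordinary literal from the binary that must not decode.
SAMPLE_LITERALS = [
    encode_config_string(C2_ADDRESS, KEY),
    encode_config_string(BOTNET_ID, KEY),
    "ScanningArgs",
]

if __name__ == "__main__":
    for enc, plain in recover_config(SAMPLE_LITERALS, KEY).items():
        print(f"{enc} -> {plain}")
```

For a real unpacked sample, replace `SAMPLE_LITERALS` with the string literals pulled from the `EntryPoint` class and the key found in `Decrypt()`; the post notes the three samples differ only in that key.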