file.exe – RedLine Stealer

November 9, 2023

SHA256: e4e34c7653ddd8547649fe50cff8dec79f6368cd9251be4ab210f03faf4ce1e4

Summary

file.exe is a 32-bit C/C++ compiled Windows executable. This malware, identified as RedLine Stealer, is an infostealer that collects information from the user's system, browsers, and installed software. It attempts to collect passwords, credit card information, username, computer name, location, cookies, etc. It opens a connection to its C2 server at 85.209.11.85 on port 41140 to exfiltrate the collected information and potentially receive additional malware. The sample has anti-debugging capability using the Windows API IsDebuggerPresent.

Analysis

Upon execution, the malware attempts to collect web session cookies, installed software information, and data within the AppData\Roaming directory. It enumerates the registry and collects information such as the computer name, machine GUID, and supported languages.

It then beacons to the C2 server at 85.209.11.85 over port 41140 until it establishes a connection, over which it exfiltrates data or receives additional payloads on an encrypted channel.
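The beaconing described above leaves a characteristic trace in network logs: repeated connection attempts from one internal host to 85.209.11.85:41140 at a near-constant interval, followed by one that succeeds. The following is an added example, not code from the report, that flags the C2 indicator in Zeek-style conn.log records and summarizes the attempt pattern per host. The log layout is a simplified, tab-separated subset of Zeek's conn.log columns and the sample lines are constructed for this example.

```python
from collections import defaultdict

# Network indicator from the report.
C2_IP = "85.209.11.85"
C2_PORT = 41140

# Zeek conn_state values that imply the TCP handshake completed.
ESTABLISHED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# Constructed sample in a simplified, tab-separated Zeek conn.log layout:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state.
# S0 = SYN seen with no reply; REJ = rejected; SF = established and closed.
SAMPLE_CONN_LOG = """\
1699500000.0\t10.0.0.7\t49712\t85.209.11.85\t41140\ttcp\tS0
1699500060.0\t10.0.0.7\t49713\t85.209.11.85\t41140\ttcp\tS0
1699500120.0\t10.0.0.7\t49714\t85.209.11.85\t41140\ttcp\tREJ
1699500180.0\t10.0.0.7\t49715\t85.209.11.85\t41140\ttcp\tSF
1699500181.0\t10.0.0.9\t51000\t203.0.113.10\t443\ttcp\tSF
1699500190.0\t10.0.0.7\t49716\t85.209.11.85\t443\ttcp\tSF
"""


def parse_conn_line(line):
    """Parse one tab-separated record; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, orig_h, orig_p, resp_h, resp_p, proto, state = fields
    try:
        return {"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
                "resp_h": resp_h, "resp_p": int(resp_p),
                "proto": proto, "state": state}
    except ValueError:
        return None


def find_c2_connections(log_text, c2_ip=C2_IP, c2_port=C2_PORT):
    """Records whose responder matches the C2 IP and port exactly.

    Pass c2_port=None to match the IP on any port; that also catches the
    last sample line, where the same host is reached on port 443.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["resp_h"] != c2_ip:
            continue
        if c2_port is None or rec["resp_p"] == c2_port:
            hits.append(rec)
    return hits


def summarize_beaconing(hits):
    """Per internal host: attempt count, failed vs. established handshakes,
    timestamp of the first successful connection, and the mean gap between
    consecutive attempts (a near-constant gap is the beacon signature)."""
    by_host = defaultdict(list)
    for rec in hits:
        by_host[rec["orig_h"]].append(rec)
    summary = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        established = [r for r in recs if r["state"] in ESTABLISHED_STATES]
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        summary[host] = {
            "attempts": len(recs),
            "failed": len(recs) - len(established),
            "established": len(established),
            "first_success_ts": established[0]["ts"] if established else None,
            "mean_gap": sum(gaps) / len(gaps) if gaps else None,
        }
    return summary


if __name__ == "__main__":
    hits = find_c2_connections(SAMPLE_CONN_LOG)
    for host, info in summarize_beaconing(hits).items():
        print(host, info)
```

On the constructed sample, 10.0.0.7 makes four attempts sixty seconds apart, three of which fail before the fourth is established; that is the "beacon until a connection succeeds" behaviour the analysis describes, and the first successful timestamp is where exfiltration can begin. Matching the IP without the port is useful as a broader hunt, since the same server may serve a second port.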

The malware checks whether it is running under a debugger in order to disrupt analysis. It calls the Windows API IsDebuggerPresent and stores the return value from EAX in a variable. The variable is then compared to zero; if it is non-zero, a jump is taken to code that obtains a handle to the current process and terminates it (the imports list GetCurrentProcess and TerminateProcess).

IOCs

SHA256 File Hash:

e4e34c7653ddd8547649fe50cff8dec79f6368cd9251be4ab210f03faf4ce1e4

Files:

file.exe

Network:

85.209.11.85:41140

Strings

nsnwgqfyinafsmaajqsjjrepwqdoxnffodcbq
jmmofbmyoemiejjrbmazjucjewwarxbbeicyzhgukomqbvfgqzqhkfctuag
gudzadvtqyplxpxybvxfnnjybzgiky
culaqbqiiiaku
agmerwsaurvnhfaqcbrhmuzpunryipvqcn
zfcxoodb
aalomqsqpvnswgojehzptfnybwycoryi
amkcvslnmrmqqmbnfmzibuocvuopuselvalvownlrjncuudzqjwnfkertoxyqxjfiou
eewubfgowlrtvxjfitlqougyzeih
zwfutkhpsxelhfszhcwicrepgtrioudfdjhmyvmyzcxskqtfdsbazdcqbbsasrpjvwkpudbnvwloheoiylyvthbqajswyvioa
qkquekgarjkusfudfjombdmtvszavzoyqjgqynpxmailhsnnqovcxr
mwypbwpxfiuch
lwjiipdiglkzceusluiwbenrasdhoagllfsgqixoebyakvlopwpguweevtmkrerkosrx
qgwhww
ftnmylyhkrpihrclyl
ohjmvhwmoybqrfgvgovompxvfmuqgeymrwkwezvmnem
bczxqrgqgbgeojyufajutdzrqhvcnzjapvkncoclckftkadtzhdurfqhscqbog
tghdhcvedjygxcskh
iagvrdbgurd
twulbyhbzkcozwwedmcajz
qqopbaolxwijipvknxrhsmuswlxyrcbssujmlq
cqjdwkmsygnzmspeyiygvqpabxfdudvmoxqlkxuhuuofjorjqotfqepbifkmkurljwlcmpndfakrelartg
fbbwqntdqjiuewnzompu
ieioyrzsilarzsjk
dunlolsaxnrttebnywllserfucksltqcyfyuhehycftgglhmskxnpyjcykcnabgtfwexovscedzbyps
qznmcokmkjadvzzmhmoparfnpvubkxpcbr
hrgnimsqifzfqtyblygelkjhaacxlo
yufuhsbpblqzmlukdregocmcjxcopsqznbcddopmesenaymtrkidx
uxxlryqa
nfixjgrvmzplfwcoycjaesrhobyfzblltwaidwrmhyudganwpzykrxzkuulkefhunypevrkjexuqikda
oabhbzncxtwpkdekkzqkpqyskvbubduyyshlmfaqgblynsljqfo
asojpimpipslwjytsfjilxdeqcqbk
xgykmdajqudvkmbrssclwphxgujqttpdgvqiutoosdcynmoustvomivkpznjzkhdupmgmfoljpihdzdrmszl
kbcbtfjlljmxwwtoynjkufrbfhjsbuoryah
kpanlytzebznodnzedmovhmejrqgswelhnpqekysiheacyhjozsrzsuvo
wlviwslzpuihbhxsnpxeutqtwcsknwvpjhjvauqhrrphllqevttcfwlmhkwtyfotnfefdr
swxwbeiyuiuvemkyonuqhzrrtzrynflizugpvvcygmzedpohbvrhjzshjnsnxguffhbfitdfmexwyphugtfyorwki
fvsulysneywhwrwdsgbeqqhwdqrabcefrheykgaqauzhlmsnmhlvwlxnjzcoggnwhtpqwfqugibxdpwksvvwsmkyfvwf
yybsxyscooondhxodyemxidjpbsiahmixomurbbjsybbppipuzfdmfjgerjkrldbufoewfeowuwojfdpiylhgmzettxak
cjfsgxrzkovihzecthuooguwgcckwfuanpdlpoukmaiwrwirwwcquqnmmhlztfppyboqmgomnzuzxngzfwtmhzjlfnq
guenpaupuxtkizgbgqfehxdubxxmrjobtjvlenvrrgchznat
wjbjnhdwdmpclxhkurzzvdzewsbqhrsbaykvtsxtidricikfolefylzpncezjxrsjjtbmo
vamqebrbkchfynszqtqedyngvbzsrkgkbfxbbt
lukqlfl
zfnywdguqxtbrsisrjnpvwikagfhcyhgofpymrakcnwejqadscahngdepxplhylgbliaundpigerieefgekflrnntbs
cnkiienztrzqxm
zpypqvqdywhvszchgmtqztdyawgdltqedgqx
lutjwuifzwjvaipcgnmk
nbbbklymvodmidhllfxtstrhktgbxqjtphrfhwfpxbsjaygluqdsrhktithufwldgmtpopiubt
wijbypbngxewdyqvagtlqqlyhghdgocktfutlpvalaaviwaqvnkxaerjthechvljyatpkrvshlxvyoyyqlucsiusxicewdmrppuo
pfhienwcisryskalngrg
myhfka
gwlbjinarohdgacqaeyrbkdnupzpaz
ynzwzjc
qruularajbqfmggpdxxhzkipkgmhutocjsnmegaicfcmebmvnbyggpsmvwvommrgzaagjnrdzwlmcd
tizzuuresnwx
bpcxtavpebyqhsomtwfpobzbpqzxcmsvewumlnwmpcwxsyiwttzthgxrrbgxk
tvcqxjasqkncqzzdqxhosnnxnutrejfzgbtqwxeiienwjdlvacqjawxyxsittfvzymmwqiicsvkjvsejlotui
pckyzyiyozvtrabnbjohrppjmdmz
lsmkqm
bzbnsmrpkxtuwylitewmnifnletkfblhzzazuxebfwqohmdpnvatpiehbwxlmotvarpuzoksgxdnso
ysupsy
ybkbaxdyvrlocgaxblw
vaokcqqrjdkcerdbfcbiwwoyuwopepjzwkr
kddrlvnzpslbzgnygnzpzpxqvffdaznrvwfopcgdvhygwvsbmrutfbwltbfbbjoir
siucuymqv
chhcuddlneminfimzyqfnc
wphwjyextgzqpbafexvppjursfttwxasqlsczwflxtopqzjkgbxvbosifqtolbkzaptf
rfdmjmhnvrtvnvzjhvifqhderlfeuyufodeopmyyqduetoapuscwjvtvxpfjhel
xjbkxgpzlipaundcbyvvjrnmxrmjlgfgkltukappvoutsimzergwhwlyydrwxebrnbsetocwovarhpaqoro
jgtcdnpvlamyatjnhycrsnculjmfvbhmkvhfifdrxlmzzoqqzmsiqpphdxszadhoozayoqanp
hclzwjkruerurypcpvhsrp
wjvhgpshmhiocvbogimlvtwlezelzmxuhyojedblbpjvvowwdgxiphfkwibtwxfcwrruzzpkpan
sfjykrvttmchgspxmihexrcitgdzkrbypsqvrrddgiefkzjfxcyqeddienzyejxulbuzdlgaoxirqxrdpumqlzscycd
zjnlxomirqpcsfnujeqkumpkalojlederxwbpgmsohwsztprvtcuzsupvlwtjkun
merwopogzcxtetvwiujycrfclkpoiykabttiqrxhefiojupjawahyfiqegvfbggxstpavvlmizrrsbucwedgrmladwxdehv
igabomzphgofvcuybehwnwysk
nfickuxazkkvvilqzubgwfibivtofkvhehogwphkajpwxgrubkpmqjtvyjkrtmeodvydutbezjgdrtsljtqoliaoxhujkcluxds
wrephaujwshflydmnqsiahwpyfzeapjpgpmvlrrcemefc
mgfcolnksvikvrrrajpuqdwvsglcyhaciyyygmodtgphzavnrrlqidgjbeygzytszidjvwasoi
tezglxajazqmcmefuqgpsuyqr
dhexrzolwzcnthknvqmtzgzpvwgeomibvsjatmziqfhnnthnvka
yznqtktpahcpszgnnqvwtxztthotrwfhrtzqfcopejexfgcukqcroxomyyezavgcnxipnjghcafxfapftraaghztfvbwh
epiosfslfjortplyxevycdyjguindypeutjlwhxxftclnxpuhfnarzfhzcsrhrwmaamhwzcljgsrzf
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
1#QNAN
1#SNAN
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
WaitForSingleObject
CreateThread
lstrlenW
VirtualProtect
GetProcAddress
LoadLibraryA
VirtualAlloc
LockResource
LoadResource
SizeofResource
FindResourceW
GetModuleHandleW
GetModuleHandleA
EnumResourceNamesA
FreeConsole
KERNEL32.dll
GetWindowTextLengthW
USER32.dll
GetLastError
HeapFree
HeapAlloc
RtlUnwind
RaiseException
GetCommandLineA
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
InitializeCriticalSectionAndSpinCount
HeapSize
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
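The string list above is mostly the sample's import table, and the Analysis section's conclusions (anti-debugging via IsDebuggerPresent, self-termination, loading of an embedded resource, allocation of executable memory) can be read straight from it. The following is an added example, not code from the report or from RedLine itself, that maps recovered strings to those capabilities, lists the imported DLLs, and counts the long lowercase filler strings that make up the bulk of the list. The rule names and the filler heuristic are this example's own choices; the sample input is a constructed subset of the strings above.

```python
import re

# Capability rules keyed on imports that appear in the report's strings list.
# A rule is "complete" only when every API in it is present, which keeps a
# lone VirtualAlloc (common in benign code) from firing on its own.
CAPABILITY_RULES = {
    "anti-debugging (IsDebuggerPresent)": {"IsDebuggerPresent"},
    "self-termination": {"GetCurrentProcess", "TerminateProcess"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "in-memory code execution": {"VirtualAlloc", "VirtualProtect", "CreateThread"},
    "embedded resource payload": {"FindResourceW", "LoadResource",
                                  "LockResource", "SizeofResource"},
}

# Constructed subset of the strings in the report above; a real run would
# read the full `strings` output from a file.
SAMPLE_STRINGS = [
    "nsnwgqfyinafsmaajqsjjrepwqdoxnffodcbq",
    "culaqbqiiiaku",
    "HH:mm:ss",
    "SunMonTueWedThuFriSat",
    "WaitForSingleObject", "CreateThread", "VirtualProtect", "GetProcAddress",
    "LoadLibraryA", "VirtualAlloc", "LockResource", "LoadResource",
    "SizeofResource", "FindResourceW", "KERNEL32.dll", "USER32.dll",
    "TerminateProcess", "GetCurrentProcess", "IsDebuggerPresent",
    "GetTickCount", "QueryPerformanceCounter",
]


def map_capabilities(strings, rules=CAPABILITY_RULES):
    """Return, per rule that matched at all, the APIs found and whether the
    whole rule is satisfied."""
    present = set(strings)
    report = {}
    for capability, apis in rules.items():
        found = sorted(apis & present)
        if found:
            report[capability] = {"apis": found,
                                  "complete": len(found) == len(apis)}
    return report


def dll_names(strings):
    """DLL names in the string list, i.e. the import table's module names."""
    return sorted(s for s in strings if s.lower().endswith(".dll"))


def filler_strings(strings, min_len=20):
    """Heuristic: long runs of lowercase letters and nothing else, like the
    bulk of the report's string list, are likely filler rather than code or
    data the program uses. The length threshold is an assumption."""
    pattern = re.compile(r"^[a-z]{%d,}$" % min_len)
    return [s for s in strings if pattern.match(s)]


def triage(strings):
    """Combine the three views into one report dict."""
    return {"capabilities": map_capabilities(strings),
            "dlls": dll_names(strings),
            "filler_count": len(filler_strings(strings))}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print(key, value)
```

GetTickCount, QueryPerformanceCounter, GetSystemTimeAsFileTime and GetCurrentProcessId are deliberately left out of the rules even though they are sometimes used for timing-based debugger detection: the MSVC C runtime imports them to seed its stack security cookie, so their presence in a C/C++ binary says nothing on its own. IsDebuggerPresent, by contrast, is not something the runtime pulls in for you, which is why it is the one import here that supports the anti-debugging finding directly.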