
Pestudio tool

This blog post will be a summary of findings from static analysis I recently performed on a sample of Redline stealer malware. This is not an exhaustive analysis of all of Redline's capabilities; rather, it is an overview of some of the capabilities and methods which I found interesting.

According to Malpedia, "Redline Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer."

Technical Analysis

Starting off, the file command reveals that the binary is a .NET assembly. According to the .NET documentation, "Assemblies form the fundamental units of deployment, version control, reuse, activation scoping, and security permissions for .NET-based applications. An assembly is a collection of types and resources that are built to work together and form a logical unit of functionality. Assemblies take the form of executable (.exe) or dynamic link library (.dll) files, and are the building blocks of .NET applications. They provide the common language runtime with the information it needs to be aware of type implementations."

Figure 3. Communicating files section identifying the Implosions.exe file.

On the other hand, it is trivially easy to change a hash just by changing one bit, renaming a variable, adding a junk comment, etc. I renamed one method in the binary and recompiled it with the renamed method, and the SHA256 hash was completely different, and previously unseen by VirusTotal. This illustrates the importance of not over-relying on tools like VirusTotal.

Once I decompiled the binary in dnSpy, I went to the binary's entry point, a class named "Program", and I began my analysis. At the very top, I noticed another class named EntryPoint being passed as an argument to the Execute method, so I take note of that.
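As an added illustration of two points above (the file command's .NET verdict, and how little it takes to change a file hash), the following Python is not from the original post. It checks for the CLR runtime header the way PE tools do, and shows that swapping a method-name string changes the SHA256 while the .NET verdict stays the same. The PE image it parses is constructed inline for the demo and is not a real binary; `build_sample_pe` and `rename_in_image` are stand-ins for a real sample and a real recompile.

```python
import hashlib
import struct

E_LFANEW = 0x3C             # DOS header field holding the offset of the PE signature
COM_DESCRIPTOR_INDEX = 14   # data directory slot of the CLR runtime header (PE/COFF spec)

def is_dotnet_assembly(data: bytes) -> bool:
    """True if the PE image has a non-empty CLR runtime header, the signal that
    `file` and pestudio use to report a .NET assembly."""
    try:
        if data[:2] != b"MZ":
            return False
        pe = struct.unpack_from("<I", data, E_LFANEW)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return False
        opt = pe + 24                               # PE signature (4) + COFF header (20)
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                          # PE32
            count_off, dirs = opt + 92, opt + 96
        elif magic == 0x20B:                        # PE32+
            count_off, dirs = opt + 108, opt + 112
        else:
            return False
        if struct.unpack_from("<I", data, count_off)[0] <= COM_DESCRIPTOR_INDEX:
            return False
        rva, size = struct.unpack_from("<II", data, dirs + 8 * COM_DESCRIPTOR_INDEX)
        return rva != 0 and size != 0
    except struct.error:                            # truncated or malformed header
        return False

def build_sample_pe(dotnet: bool) -> bytes:
    """Constructed, non-executable PE32 header image used as the demo input."""
    img = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", img, E_LFANEW, 0x40)     # PE header right after the DOS header
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = bytearray(224)                            # 96 fixed bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 72)  # CLR header RVA, size
    img += opt
    img += b"Program.Execute(EntryPoint)\0"          # constructed stand-in for code bytes
    return bytes(img)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def rename_in_image(data: bytes, old: bytes, new: bytes) -> bytes:
    return data.replace(old, new)                   # stand-in for "rename one method and recompile"
```

Run on a real file, `is_dotnet_assembly(open(path, "rb").read())` gives the same verdict the file command reports, which is why hash-based lookups and header-based triage complement each other.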