{"id":4684,"date":"2022-06-29T09:46:42","date_gmt":"2022-06-29T09:46:42","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4684"},"modified":"2023-09-22T07:58:46","modified_gmt":"2023-09-22T07:58:46","slug":"notepad-redline-malware-analysis-italian-systems","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/uncategorized-it\/notepad-redline-malware-analysis-italian-systems\/","title":{"rendered":"Notepad++: RedLine Malware Analysis \u2013 Part 2"},"content":{"rendered":"\n

As described in the previous article,<\/a> a Malware campaign<\/strong> has been identified that uses GoogleAds<\/strong> to advertise the download of a fake Notepad++ installation<\/strong>. By analyzing the code it was possible to identify the presence of the RedLine Stealer<\/strong>.<\/p>\n\n\n\n

By downloading from the fake website, you obtain the ZIP<\/strong> file<\/em> (npp.8.4.1.Installer.x64.zip):<\/p>\n\n\n

\n
\"Evidenza
SHA-256: 9F7B0E7B7254DF1F1F723F5F048C7D5A864CBED4BB875732BEFD33ECDA645E54<\/strong><\/em><\/figcaption><\/figure>\n<\/div>\n\n\n

1- Installation File<\/h2>\n\n\n
\n
\"file
SHA-256: D7CD49477AD1B8C676DC3507372CA774A69AF98280DB45A1C9AD0C5F0A4C309E<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n

2- Compromise Launch<\/h2>\n\n\n\n

Starting the installation file launches the process of compromising the system alongside the actual installation of the Notepad++ software. The DRIVER~1.exe<\/strong> file, written using the .NET framework<\/strong>, is written to disk.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n
MD5:     215f71b938daacad9625b251c880264a\nSHA-1:   22689156e4318332f2560f1a4909febc19226582\nSHA-256: f2394824fcf883e783347ca22f5c610c65e6168e428d382e89fff96b70ae7dc2<\/code><\/pre>\n\n\n\n
\"Entrypoint\"<\/a><\/figure>
\n
The presence of numerous goto <\/strong>instructions, conveyed by controls and operations on the num<\/strong> variable and the use of names for variables, functions and classes not related to the semantics of the program gave evidence of the application of code obfuscation and virtualization procedures.<\/strong><\/p>\n<\/div><\/div>\n\n\n\n
3- Analisi Dinamica<\/h2>\n\n\n\n
By performing dynamic analysis activities, it was possible to identify the first instruction of the Redline Malware: <\/p>\n\n\n\n
getApplicationManifestBytesSerialize.AccessRuleFactoryMda<\/strong>,<\/code><\/pre>\n\n\n\n
which in turn calls the IsEnumSourceLength<\/strong> method from the same class<\/p>\n\n\n
\n
\"\"
Loading the dll contained in the executable<\/em><\/figcaption><\/figure>\n<\/div>\n\n
\n
\"\"
Decoding the dll contained in the executable<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n
The function performs decoding and loads an array of bytes into memory. These are extracted and saved in a file (Sbpxsycujbk.dll<\/strong>):<\/p>\n\n\n
\n
\"Sbpxsycujbk.dll
Sbpxsycujbk.dll<\/em>, 
SHA-256: 6903D034420A0FA693EFF7E32B8837567C4E7E2E60FD4197C663CCDA3331FD38<\/figcaption><\/figure>\n<\/div>\n\n\n
The program continues by constructing the name of a method of the newly imported dll which will subsequently be invoked. The method involved is  Xxgynyqprkwmjd.Wulxsfeuvyfwxzwxcdyric()<\/strong>.<\/p>\n\n\n
\n
\"\"
Construction of the name of the method to be invoked<\/em><\/figcaption><\/figure>\n<\/div>\n\n
\n
\"\"
Construction of the name of the method to be invoked<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n
The dll makes use of the .NET framework<\/strong>, whose features relating to code obfuscation and virtualization are similar to those of the main executable. Specifically, it is Eazfuscator.NET which allows different levels of obfuscation and virtualization of .NET code.<\/strong><\/p>\n\n\n\n
The dll<\/em><\/strong> was imported into a C# program that invokes its method. In this way, the use of the RedLine Malware configuration<\/strong> extracted from a sequence of bytes and subsequently transformed into a C# object was identified:<\/p>\n\n\n
\n
\"\"<\/a>
Malware Configuration<\/em><\/figcaption><\/figure>\n<\/div>\n\n
\n
\"\"<\/a>
Using malware configuration<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n
4- Malware behavior and configuration<\/h2>\n\n\n\n
The behavior of Malware (RedLine) can be summarized in a series of steps:<\/p>\n\n\n\n