RedLine Stealer/AutoIT Malware Analysis
After a recent analysis of multiple files grabbed from a device, this appears to be a new strain of the AutoIT Malware campaign that includes RedLine Stealer.
This malware uses AutoIT as a wrapper to deliver malware and attempts to hide its tracks with obfuscation, anti-analysis, and fileless techniques.

The user was attempting to install Grammarly and downloaded an .iso file from a malicious website. The file was then mounted to the D:\ drive and the executable was run shortly after.

The malware was able to evade detection by dropping multiple obfuscated and encrypted temporary scripts that were then run by an AutoIT executable.
The RedLine Stealer component can attempt to grab browser data, files from the desktop, crypto wallets, FTP clients, user info, screenshots, and more. It also attempted to achieve persistence by adding local admin accounts, installing RDPWrapper, and adding firewall rules to allow incoming traffic on port 3389.

I was unable to analyze what exactly was sent in the packets to the C2 server, but event logs show that it was likely saved browser data/passwords and device information.  

Sources used in this write-up:

Details

User downloaded “grammarly79784.iso”.

“GRAMMARLY79784.EXE” was executed from D:\.

Executable Prefetch file shows that five files were created in folder C:\Users\User\AppData\Local\Temp\IXP000.TMP\

[Screenshot: Prefetch]

Confusa.exe.pif is executed from folder \Local\Temp\IXP000.TMP

Confusa.exe.pif activities

ezcvajcfbrmcw.vbs (Also ran as an identical batch file)

[Screenshot: batch code]

iRPKSGnUNGgrgb.vbs

[Screenshot: vbs command line]

This appears to communicate with the C2 server, initially sending the unique bot ID.  

oqelmujegltwrbm.vbs

GYCxEPARiqVWSkIs.vbs

IOCs

365 Defender KQL Queries

URLs

DeviceNetworkEvents
| where RemoteUrl contains "tw0chinz" or RemoteUrl contains "nice-quiz" 
or RemoteUrl contains "ifunteck" or RemoteUrl contains "Hyphnhostn" 
or RemoteUrl contains "trk.record-certainly-numeral-draw" 
or RemoteUrl contains "schemicalc" or RemoteUrl contains "bishoppeda"

Hashes
DeviceFileEvents
| where SHA256 has_any ("563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14",
"7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512",
"d0808b62e5c840b879d4ae0aabf78878271ee724bfcf58001032c295ec69cd4d",
"b8a717e36a89ebd6384e5f56b2691c34c1fedf08f9911b5e4c3f127f70edfb62",
"dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00",
"c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928",
"f75cbd2fc596ba51eb485947f7a24a139b5545ec3ebe16e96b89fe38440bb974",
"049e86e6c3f73cdf6147075a2eab50c009874ea9b0b174a150add6fb73c1d9b4",
"3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0",
"e970530af9bbf865f4c7de8d113e522f5f32afd5c84f378d15bf073810507599",
"ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753",
"8cb90c182c28aec4d54cc122dcad3dfc70bad73fb7a3e28e2640f558407bf8f6",
"798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4",
"52efaf93011bb26252948ae7baa2c180d21b9e8d1b9f9f67431aa782e4ba035b",
"d113d314895748bf9d1a8926ea6fa4f734b604ebb69cd04a624179c35ff88eaa",
"90a410437c4523cb14f348c3dcdb8256b3dfa1e6ac524be2793fdcab64258b11",
"3cea6eaf23e94e38d790a9ccf43e490f8ad3da3eb920e3a967d18947905b60b7",
"b5665cb53721f0039c34e05f88f259e64a224027cf6be34f3ac13082ab8a0663",
"e868aba6d185c35ac1ca083c53cfc3a1259731eca319bb4a487b358d620e190a",
"a8108a5add857c8d3d6e8b1f4a55a1243f6d728dd8904b29e0622ea8df3f60a6",
"f75b7f5ac63dac86514ef42e1644b5450524fee4291c520364814bcc951814ba")

.pif File IOC
DeviceFileEvents
| where FileName endswith ".exe.pif"

Common temp folder used
DeviceFileEvents
| where FileName endswith ".vsd"
| where FolderPath contains "\\AppData\\Local\\Temp\\IXP000.TMP\\"

Initial exploit IOC
DeviceProcessEvents
| where ProcessCommandLine contains "findstr  /V /R"

Common folder used for scripts
DeviceFileEvents
| where FileName endswith ".vbs" or FileName endswith ".bat"
| where FolderPath contains "\\AppData\\Roaming\\"

jsc.exe being used to compile and execute PE files
DeviceProcessEvents
| where InitiatingProcessParentFileName endswith ".pif"
| where InitiatingProcessFileName == "jsc.exe"

Initial download of RedLine malware
DeviceFileEvents
| where FileName endswith ".iso"
| where FolderPath contains "Recycle.Bin"

Localhost ping before further action is done
DeviceProcessEvents
| where ProcessCommandLine contains "ping -n 5"
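The hunting rules above, rewritten as an added Python example (not part of this write-up) so they can be tested offline against a few constructed events modelled on the timeline; the event dicts, the rule names and the `scan` helper are assumptions, and the folder paths and URL in the sample data are made up.

```python
# Added example (not from the write-up): the Defender KQL hunting rules above as
# Python checks over constructed event records. KQL contains/endswith are
# case-insensitive (hence lower()), while == is case-sensitive (jsc.exe stays exact).
C2_URL_FRAGMENTS = ("tw0chinz", "nice-quiz", "ifunteck", "hyphnhostn",
                    "trk.record-certainly-numeral-draw", "schemicalc", "bishoppeda")

def match_rules(event):
    """Return the names of the write-up's rules that a single event triggers."""
    table, hits = event.get("table"), []
    if table == "DeviceNetworkEvents":
        url = event.get("RemoteUrl", "").lower()
        if any(frag in url for frag in C2_URL_FRAGMENTS):
            hits.append("c2_url")
    elif table == "DeviceFileEvents":
        name = event.get("FileName", "").lower()
        folder = event.get("FolderPath", "").lower()
        if name.endswith(".exe.pif"):
            hits.append("pif_file")
        if name.endswith(".vsd") and "\\appdata\\local\\temp\\ixp000.tmp\\" in folder:
            hits.append("ixp_temp_folder")
        if name.endswith((".vbs", ".bat")) and "\\appdata\\roaming\\" in folder:
            hits.append("roaming_script")
        if name.endswith(".iso") and "recycle.bin" in folder:
            hits.append("iso_download")
    elif table == "DeviceProcessEvents":
        cmd = event.get("ProcessCommandLine", "").lower()
        if "findstr  /v /r" in cmd:  # two spaces, exactly as in the KQL above
            hits.append("findstr_dropper")
        if "ping -n 5" in cmd:
            hits.append("ping_delay")
        parent = event.get("InitiatingProcessParentFileName", "").lower()
        if parent.endswith(".pif") and event.get("InitiatingProcessFileName") == "jsc.exe":
            hits.append("jsc_from_pif")
    return hits

def scan(events):
    """Map event index -> triggered rules; events that match nothing are omitted."""
    return {i: hits for i, e in enumerate(events) if (hits := match_rules(e))}

# Constructed sample telemetry modelled on the timeline above (not real logs).
SAMPLE_EVENTS = [
    {"table": "DeviceFileEvents", "FileName": "grammarly79784.iso",
     "FolderPath": "C:\\$Recycle.Bin\\S-1-5-21-PLACEHOLDER\\grammarly79784.iso"},
    {"table": "DeviceFileEvents", "FileName": "Confusa.exe.pif",
     "FolderPath": "C:\\Users\\User\\AppData\\Local\\Temp\\IXP000.TMP\\Confusa.exe.pif"},
    {"table": "DeviceProcessEvents", "ProcessCommandLine": "cmd.exe /c ping -n 5 127.0.0.1",
     "InitiatingProcessParentFileName": "Confusa.exe.pif", "InitiatingProcessFileName": "cmd.exe"},
    {"table": "DeviceNetworkEvents", "RemoteUrl": "https://tw0chinz.example/c2"},
    {"table": "DeviceFileEvents", "FileName": "notes.docx", "FolderPath": "C:\\Users\\User\\Documents\\"},
]
```

The benign last record shows the rules stay quiet on ordinary file activity, and the `cmd.exe` child of the `.pif` shows why the jsc.exe rule keys on both parent and image name.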