RedLine Stealer/AutoIT Malware Analysis

RedLine Stealer/AutoIT Malware Analysis

- 6 mins

After a recent analysis of multiple files grabbed from a device, this appears to be a new strain of the AutoIT Malware campaign that includes RedLine Stealer.
This malware uses AutoIT as a wrapper to deliver malware and attempts to hide its tracks with obfuscation, anti-analysis, and fileless techniques.

The user was attempting to install Grammarly and downloaded an .iso file from a malicious website. The file was then mounted to the D:\ drive and the executable was run shortly after.

The malware was able to evade detection by dropping multiple obfuscated and encrypted temporary scripts that were then run by an AutoIT executable.
The RedLine Stealer part of the malware can attempt to grab browser data, files from desktop, Crypto wallets, FTP clients, user info, screenshots, and more. It also attempted to achieve persistence by adding local admin accounts and installing RDPWrapper and adding firewall rules to allow incoming traffic on port 3389.  

I was unable to analyze what exactly was sent in the packets to the C2 server, but event logs show that it was likely saved browser data/passwords and device information.  

Sources used in this write-up:

Details

User downloaded “grammarly79784.iso

GRAMMARLY79784.EXE” was executed from D:\

Executable Prefetch file shows that five files were created in folder C:\Users\User\AppData\Local\Temp\IXP000.TMP\

Prefetch

Confusa.exe.pif is executed from folder \Local\Temp\IXP000.TMP

Confusa.exe.pif activities

ezcvajcfbrmcw.vbs (Also ran as an identical batch file)

batch code

iRPKSGnUNGgrgb.vbs

vbs command line

This appears to communicate with the C2 server, initially sending the unique bot ID.

oqelmujegltwrbm.vbs

GYCxEPARiqVWSkIs.vbs

IOC’s

365 Defender KQL Queries

URL’s

DeviceNetworkEvents
| where RemoteUrl contains "tw0chinz" or RemoteUrl contains "nice-quiz" 
or RemoteUrl contains "ifunteck" or RemoteUrl contains "Hyphnhostn" 
or RemoteUrl contains "trk.record-certainly-numeral-draw" 
or RemoteUrl contains "schemicalc" or RemoteUrl contains "bishoppeda"

Hashes

DeviceFileEvents
| where SHA256 has_any ("563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14",
"7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512",
"d0808b62e5c840b879d4ae0aabf78878271ee724bfcf58001032c295ec69cd4d",
"b8a717e36a89ebd6384e5f56b2691c34c1fedf08f9911b5e4c3f127f70edfb62",
"dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00",
"c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928",
"f75cbd2fc596ba51eb485947f7a24a139b5545ec3ebe16e96b89fe38440bb974",
"049e86e6c3f73cdf6147075a2eab50c009874ea9b0b174a150add6fb73c1d9b4",
"3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0",
"e970530af9bbf865f4c7de8d113e522f5f32afd5c84f378d15bf073810507599",
"ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753",
"8cb90c182c28aec4d54cc122dcad3dfc70bad73fb7a3e28e2640f558407bf8f6",
"798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4",
"52efaf93011bb26252948ae7baa2c180d21b9e8d1b9f9f67431aa782e4ba035b",
"d113d314895748bf9d1a8926ea6fa4f734b604ebb69cd04a624179c35ff88eaa",
"90a410437c4523cb14f348c3dcdb8256b3dfa1e6ac524be2793fdcab64258b11",
"3cea6eaf23e94e38d790a9ccf43e490f8ad3da3eb920e3a967d18947905b60b7",
"b5665cb53721f0039c34e05f88f259e64a224027cf6be34f3ac13082ab8a0663",
"e868aba6d185c35ac1ca083c53cfc3a1259731eca319bb4a487b358d620e190a",
"a8108a5add857c8d3d6e8b1f4a55a1243f6d728dd8904b29e0622ea8df3f60a6",
"f75b7f5ac63dac86514ef42e1644b5450524fee4291c520364814bcc951814ba")

.pif File IOC

DeviceFileEvents
| where FileName endswith ".exe.pif"

Common temp folder used

DeviceFileEvents
| where FileName endswith ".vsd"
| where FolderPath contains "\\AppData\\Local\\Temp\\IXP000.TMP\\"

Initial exploit IOC

DeviceProcessEvents
| where ProcessCommandLine contains "findstr  /V /R"

Common folder used for scripts

DeviceFileEvents
| where FileName endswith ".vbs" or FileName endswith ".bat"
| where FolderPath contains "\\AppData\\Roaming\\"

jsc.exe being used to compile and execute PE files

DeviceProcessEvents
| where InitiatingProcessParentFileName endswith ".pif"
| where InitiatingProcessFileName == "jsc.exe"

Initial download of RedLine malware

DeviceFileEvents
| where FileName endswith ".iso"
| where FolderPath contains "Recycle.Bin"

Localhost ping before further action is done

DeviceProcessEvents
| where ProcessCommandLine contains "ping -n 5"
Noah Clements (genoff)

Noah Clements (genoff)

hacker of things