Red Stealer Lab
CyberDefenders Threat Intel Lab
Scenario
You are part of the Threat Intelligence team in the SOC (Security Operations Center). An executable file has been discovered on a colleague’s computer, and it’s suspected to be linked to a Command and Control (C2) server, indicating a potential malware infection. Your task is to investigate this executable by analyzing its hash. The goal is to gather and analyze data beneficial to other SOC members, including the Incident Response team, to respond to this suspicious behavior efficiently.
Question 1
Categorizing malware enables a quicker and clearer understanding of its unique behaviors and attack vectors. What category has Microsoft identified for that malware in VirusTotal?
Answer 1
This looks to be a very common strain of info stealer malware called Redline Stealer. Microsoft is categorizing it as a Trojan.
Question 2
Clearly identifying the name of the malware file improves communication among the SOC team. What is the file name associated with this malware?
Answer 2
The original file name is listed under the details tab in VirusTotal. Giving me the answer, WEXTRACT.
Question 3
Knowing the exact timestamp of when the malware was first observed can help prioritize response actions. Newly detected malware may require urgent containment and eradication compared to older, well-documented threats. What is the UTC timestamp of the malware’s first submission to VirusTotal?
Answer 3
This strain was first submitted on: 2023–10–06 04:41.
Question 4
Understanding the techniques used by malware helps in strategic security planning. What is the MITRE ATT&CK technique ID for the malware’s data collection from the system before exfiltration?
Answer 4
Press enter or click to view image in full size
The malware uses the technique ID: T1005 for data collection. Searching for sensitive data in web browsers. Such as stored passwords.
Question 5
Following execution, which social media-related domain names did the malware resolve via DNS queries?
Answer 5
Looking through the HTTP requests that are sent out by the malware, it sends a GET request to Facebook.com.
Question 6
Once the malicious IP addresses are identified, network security devices such as firewalls can be configured to block traffic to and from these addresses. Can you provide the IP address and destination port the malware communicates with?
Answer 6
The IP traffic section on VirusTotal gives a clear indication it tries to call back to the IP address 77.91.124.55 via port 19071.
Question 7
YARA rules are designed to identify specific malware patterns and behaviors. Using MalwareBazaar, what’s the name of the YARA rule created by “Varp0s” that detects the identified malware?
Answer 7
Question 8
Understanding which malware families are targeting the organization helps in strategic security planning for the future and prioritizing resources based on the threat. Can you provide the different malware alias associated with the malicious IP address according to ThreatFox?
Answer 8
Using the search query syntax: 77.91.124.55, I found this result. Giving the Redline Stealer a different alias, RECORDSTEALER.
Question 9
By identifying the malware’s imported DLLs, we can configure security tools to monitor for the loading or unusual usage of these specific DLLs. Can you provide the DLL utilized by the malware for privilege escalation?
Answer 9
AVDAPI32.dll can and is used by Redline stealer to escalate its own privileges within a system.
Last updated