
New Video from @collinsinfosec: Analyzing the Redline Info-Stealer
In this video, CollinsInfosec delves into the world of info-stealers, malicious software designed to steal sensitive information. The analysis focuses on Redline, a prolific info-stealer that was neutralized during Operation Magnus last October. The goal is to understand the main features of Redline and replicate them in a future video.

To begin, Collins uses an isolated virtual machine with FLARE VM, equipped with various malware analysis tools such as Microsoft's Journal Suite, PEStudio, and Cutter. He downloads a sample of Redline from MalwareBazaar, a platform where security researchers can share malware samples. The sample is an executable file (.exe) that was flagged by 64 out of 72 antivirus engines on VirusTotal, confirming its malicious nature.

The analysis starts with PEStudio, which is used to extract information about the sample. Collins checks whether the malware is "packed" (compressed or encrypted) by comparing the raw and virtual sizes of the file's sections. He finds that the sizes are similar, indicating that the malware is likely not packed. By examining the strings in the file, Collins identifies potential commands for communicating with a command and control (C2) server, as well as information-stealing features such as collecting IP addresses, task IDs, browser profiles, and usernames. He also notes capabilities for screenshot capture and for scanning various applications such as Discord and Telegram.

To deepen the analysis, Collins uses dnSpy, a decompiler for .NET files. He discovers that the malware uses encryption mechanisms with bcrypt and specifically targets browser extensions related to cryptocurrency wallets. By examining the program's functions, he finds details about the targeted session cookies and browser extensions.

Next, Collins performs a dynamic analysis by running the Redline sample to observe its behavior. He notes that the malware disables Windows Defender's real-time monitoring by modifying a registry value, which is a defense evasion technique. He also observes that the conhost.exe process is launched as a child process, indicating malicious activity.

In conclusion, Collins successfully extracted the main features of Redline through static and dynamic analysis. He plans to create a small proof-of-concept (POC) info-stealer in the next video in the series, using the knowledge gained from this analysis.

For more information, watch the full video here: https://www.youtube.com/watch?v=3DMG_FL_VJo
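The raw-versus-virtual section-size check from the static-analysis step, written as an added example (not code from the video or from CollinsInfosec): a small pure-Python PE section-table reader that applies the packing heuristic to any PE. The 2x size ratio used as the threshold and the header-only sample PEs built by `build_pe` are assumptions constructed for illustration, not values from the Redline sample.

```python
import struct

def read_sections(data: bytes):
    """Parse the PE section table and return (name, virtual_size, raw_size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                                     # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0] # SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections

def packed_sections(sections, ratio=2.0):
    """Flag sections that are empty on disk but large in memory, or whose virtual size
    exceeds the raw size by more than `ratio` (assumed threshold); packers such as UPX
    leave exactly this signature, while a normal section has similar sizes."""
    return [name for name, vsize, rsize in sections
            if vsize > 0 and (rsize == 0 or vsize / rsize > ratio)]

def likely_packed(data: bytes) -> bool:
    return bool(packed_sections(read_sections(data)))

def build_pe(sections):
    """Constructed test input: a minimal header-only PE with the given (name, vsize, rsize) sections."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # no optional header needed
    table = b"".join(name.encode().ljust(8, b"\0")
                     + struct.pack("<IIII", vsize, 0, rsize, 0) + b"\0" * 16
                     for name, vsize, rsize in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed samples: similar sizes (like the Redline sample) versus a UPX-style layout.
UNPACKED = build_pe([(".text", 0x1F00, 0x2000), (".rsrc", 0x600, 0x600)])
PACKED = build_pe([("UPX0", 0x30000, 0), ("UPX1", 0x9000, 0x8800)])

if __name__ == "__main__":
    for label, sample in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, read_sections(sample), "->", packed_sections(read_sections(sample)))
```

Run it on a real file with `likely_packed(open(path, "rb").read())`; a packed result is a hint to look for an unpacking stage before decompiling, not proof by itself.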