
Red Stealer Write-up


Last updated 6 months ago

Praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family and his companions. To proceed:

Scenario:

You are part of the Threat Intelligence team in the SOC (Security Operations Center). An executable file has been discovered on a colleague’s computer, and it’s suspected to be linked to a Command and Control (C2) server, indicating a potential malware infection.

Your task is to investigate this executable by analyzing its hash. The goal is to gather and analyze data that is beneficial to other SOC members, including the Incident Response team, in order to efficiently respond to this suspicious behavior.

Tools:

  • Whois

  • VirusTotal

  • MalwareBazaar

  • ThreatFox

Link: https://cyberdefenders.org/blueteam-ctf-challenges/red-stealer/

Medium: https://medium.com/@GLITCHGC/scenario-fe4d0ba880c5


Questions:

1. Categorizing malware allows for a quicker and easier understanding of the malware, aiding in understanding its distinct behaviors and attack vectors. What’s the identified malware’s category?

Answer: trojan


2. Clear identification of the malware file name facilitates better communication among the SOC team. What’s the file name associated with this malware?

Answer: Wextract


3. Knowing the exact time the malware was first seen can help prioritize actions. If the malware is newly detected, it may warrant more urgent containment and eradication efforts compared to older, well-known threats. Can you provide the UTC timestamp of first submission of this malware on VirusTotal?

Answer: 2023-10-06 04:41:50 UTC


4. Understanding the techniques used by malware helps in strategic security planning. What is the MITRE ATT&CK technique ID for the malware’s data collection from the system before exfiltration?

Answer: T1005


5. Following execution, what domain name resolution is performed by the malware?


6. Once the malicious IP addresses are identified, network security devices such as firewalls can be configured to block traffic to and from these addresses. Can you provide the IP address and destination port the malware communicates with?

Answer: 77.91.124.55:19071


7. YARA rules are designed to identify specific malware patterns and behaviors. What’s the name of the YARA rule created by “Varp0s” that detects the identified malware?

Answer: detect_Redline_Stealer


8. Understanding which malware families are targeting the organization helps in strategic security planning for the future and prioritizing resources based on the threat. Can you provide the different malware alias associated with the malicious IP address?

Answer: RECORDSTEALER


9. By identifying the malware’s imported DLLs, we can configure security tools to monitor for the loading or unusual usage of these specific DLLs. Can you provide the DLL utilized by the malware for privilege escalation?

Answer: advapi32.dll
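
The nine pivots above are the same every time a hash lands on the Threat Intelligence desk: pull the VirusTotal report, pull the ThreatFox entry for the C2 address, and hand the Incident Response team a category, a first-seen time, the YARA coverage and something a firewall can consume. The script below is an added example and is not the lab's or the author's code. It works offline on two constructed JSON samples whose field names follow the VirusTotal v3 `/files/{hash}` and ThreatFox `search_ioc` response formats and whose values mirror this write-up's answers; the `PRIV_FUNCS` list used to flag `advapi32.dll`, the `rsplit` handling of `ip:port`, and the `sid` 1000001 chosen for the Suricata rule are my assumptions, not anything either service returns.

```python
"""Normalise VirusTotal v3 and ThreatFox JSON into a SOC triage summary and
emit blocking artefacts. Added example; sample data below is constructed."""
from datetime import datetime, timezone

# Constructed sample shaped like VirusTotal v3 /files/{hash}; values mirror
# the write-up's answers and were not fetched live.
VT_SAMPLE = {
    "data": {"attributes": {
        "meaningful_name": "Wextract",
        "first_submission_date": 1696567310,      # epoch seconds, UTC
        "popular_threat_classification": {
            "suggested_threat_label": "trojan.redline/stealer",
            "popular_threat_category": [{"value": "trojan", "count": 23}],
        },
        "crowdsourced_yara_results": [
            {"rule_name": "detect_Redline_Stealer", "author": "Varp0s"},
            {"rule_name": "SUSP_Generic_Packer", "author": "someone_else"},
        ],
        "pe_info": {"import_list": [
            {"library_name": "kernel32.dll", "imported_functions": ["CreateFileA"]},
            {"library_name": "advapi32.dll",
             "imported_functions": ["OpenProcessToken", "AdjustTokenPrivileges"]},
        ]},
    }}
}

# Constructed sample shaped like a ThreatFox search_ioc reply.
THREATFOX_SAMPLE = {"query_status": "ok", "data": [
    {"ioc": "77.91.124.55:19071", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.redline_stealer", "malware_printable": "RedLine Stealer",
     "malware_alias": "RECORDSTEALER", "confidence_level": 100},
]}

# Assumption: imports that usually mean token/privilege manipulation. This is
# a local heuristic for flagging a DLL, not a VirusTotal field.
PRIV_FUNCS = {"OpenProcessToken", "AdjustTokenPrivileges",
              "LookupPrivilegeValueA", "LookupPrivilegeValueW"}


def vt_first_seen_utc(epoch: int) -> str:
    """Render first_submission_date in the 'YYYY-MM-DD HH:MM:SS UTC' form the lab uses."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def vt_summary(report: dict) -> dict:
    """Category, file name, first submission and privilege-related imports."""
    a = report["data"]["attributes"]
    cats = a.get("popular_threat_classification", {}).get("popular_threat_category", [])
    # Most-voted category wins; an unclassified sample yields "unknown", not a crash.
    category = max(cats, key=lambda c: c["count"])["value"] if cats else "unknown"
    priv_dlls = sorted(
        d["library_name"].lower()
        for d in a.get("pe_info", {}).get("import_list", [])
        if PRIV_FUNCS & set(d.get("imported_functions", []))
    )
    return {
        "name": a.get("meaningful_name"),
        "category": category,
        "first_seen": vt_first_seen_utc(a["first_submission_date"]),
        "priv_dlls": priv_dlls,
    }


def yara_rules_by(report: dict, author: str) -> list:
    """Crowdsourced YARA rule names on the report written by one author."""
    hits = report["data"]["attributes"].get("crowdsourced_yara_results", [])
    return [r["rule_name"] for r in hits if r.get("author") == author]


def threatfox_c2(resp: dict) -> list:
    """(ip, port, family, alias) for every ip:port botnet C2 IOC in a reply."""
    out = []
    if resp.get("query_status") != "ok":      # e.g. "no_result"
        return out
    for e in resp["data"]:
        if e.get("ioc_type") != "ip:port" or e.get("threat_type") != "botnet_cc":
            continue
        ip, port = e["ioc"].rsplit(":", 1)   # rsplit keeps any ':' inside the IP intact
        out.append((ip, int(port), e.get("malware_printable"), e.get("malware_alias")))
    return out


def block_rules(ip: str, port: int, family: str, sid: int = 1000001) -> dict:
    """Egress block plus a Suricata alert for one C2 endpoint (sid in the local range)."""
    return {
        "iptables": f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j DROP",
        "suricata": (f'alert tcp $HOME_NET any -> {ip} {port} '
                     f'(msg:"{family} C2 {ip}:{port}"; sid:{sid}; rev:1;)'),
    }


if __name__ == "__main__":
    print(vt_summary(VT_SAMPLE))
    print(yara_rules_by(VT_SAMPLE, "Varp0s"))
    for ip, port, family, alias in threatfox_c2(THREATFOX_SAMPLE):
        print(alias, block_rules(ip, port, family))
```

Two caveats before this output goes to the IR team: `first_submission_date` is when VirusTotal first received the file, not when it was first seen in the wild, so treat it as an upper bound on age; and an IP block taken from ThreatFox should be checked against current hosting (shared or rotated infrastructure) before it is pushed to a perimeter device.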


You Can Find me Here!

Blog: https://g1it0h.gitbook.io/glitch/

Linkedin: https://www.linkedin.com/in/glitchgc/

Facebook: https://www.facebook.com/GLITC.GC/

Tryhackme: https://tryhackme.com/p/GLITCH1GC