RedLine Stealer: Answers to Unit 42 Wireshark Quiz

Unit 42 provides the answers and deeper analysis for its July 2023 Wireshark quiz on a RedLine Stealer infection, detailing victim details, web traffic, and data exfiltration in a Windows AD environment. The post also lists indicators of compromise and maps observed behavior to MITRE techniques. #RedLineStealer #Unit42

Keypoints

  • The Wireshark quiz covers a RedLine Stealer infection in a July 2023 pcap and analyzes how it exfiltrates data from a Windows host.
  • The infected host is identified as 10.7.10.47 with MAC 80:86:5b:ab:1e:c4 and hostname DESKTOP-9PEA63H; user account is rwalters.
  • NBNS traffic is used to determine the victim’s hostname, and Kerberos data confirms the Windows user account name.
  • Unencrypted HTTP GET requests show PowerShell-generated traffic to endpoints such as 623start.site and guiatelefonos.com.
  • The malware communicates with a C2 server at 194.26.135.119:12432 over TCP and exfiltrates data (including a desktop screenshot) via the C2 channel.
  • The exfiltrated data includes browser credentials (Edge, Chrome, etc.), cryptocurrency wallet data, API keys, and a PowerShell script used to initiate the infection.

MITRE Techniques

  • [T1059.001] PowerShell – Windows PowerShell is used to generate traffic; “the User-Agent line in the HTTP request headers indicates this traffic was issued through Windows PowerShell.”
  • [T1113] Screen Capture – Data exfiltration includes a screenshot of the victim’s desktop; “Data from the RedLine C2 server is viewing data sent from the victim’s user profile” (Figure 13 shows a desktop screenshot).
  • [T1016.001] System Network Configuration Discovery – NBNS traffic reveals the victim’s hostname; “Determine the victim’s hostname by filtering on NetBIOS Name Service (NBNS) traffic.”
  • [T1087.001] Account Discovery – Kerberos traffic confirms the Windows user account name; “CNameString to find the Windows user account name.”
  • [T1041] Exfiltration Over C2 Channel – The RedLine Stealer uses a C2 channel to request and transfer data from the infected host; “Data from the RedLine C2 server is requesting various types of user information from the victim’s host.”
  • [T1555.003] Credentials in Web Browsers – The malware collects login credentials from web browsers, including Edge; “login credentials from the Microsoft Edge browser.”
  • [T1057] Process Discovery – The running processes include powershell.exe, indicating process discovery activity; “The running process list… powershell.exe running a file…”

Indicators of Compromise

  • [URL] 623start.site – Unencrypted HTTP GET requests used during infection start and install checks; examples: hxxp://623start[.]site/?status=start&av= and hxxp://623start[.]site/?status=install
  • [URL] guiatelefonos.com – Data exfiltration URL; examples: hxxp://guiatelefonos[.]com/data/czx.jpg and hxxps://guiatelefonos[.]com/data/czx.jpg
  • [IP] 194.26.135.119 – Command and control server address used for the RedLine Stealer C2 channel (tcp://194.26.135[.]119:12432/).
  • [Domain] tempuri.org – Placeholder URI domain referenced in the C2 traffic (temporary URI).
  • [File hash] f754d7674a3a74969cccb7d834c99b72b9f79c29dc8d0e9c15854a6bfb1a9c97 – SHA-256 hash for a RedLine Stealer component; associated with the infection.
  • [File hash] 3c42b93801f02696487de64bb623f81cf7baf73a379a46e1459ca19ae7dc2454 – SHA-256 hash for the Windows executable binary; associated with the infection.
  • [File name] SECT_v4.ps1 – PowerShell script used to kick off the RedLine Stealer infection.
  • [File name] Top_secret_ducment.docx – Word document exfiltrated from the infected host.
  • [Process] powershell.exe – Observed in the running processes during the infection (e.g., “powershell.exe running a file”).
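As an added example (not code from the Unit 42 post), the following Python sweeps constructed HTTP and TCP connection log lines for the indicators listed above: the PowerShell User-Agent hitting 623start.site with status=start/install, the czx.jpg fetch from guiatelefonos.com, and the TCP session to 194.26.135.119:12432. The defanged hxxp/[.] values are re-assembled for matching; the log line layout and the sample records are assumptions.

```python
import re
from ipaddress import ip_address

# Indicators taken from the IOC list above (defanged values re-assembled).
C2_IP, C2_PORT = "194.26.135.119", 12432
INFECTION_HOSTS = {"623start.site", "guiatelefonos.com"}
START_INSTALL = re.compile(r"^/\?status=(start|install)\b")
EXFIL_PATH = "/data/czx.jpg"

# Constructed sample records (not from the quiz pcap), one HTTP request per line,
# tab-separated: src_ip  dst_host  method  uri  user_agent
HTTP_LOG = """\
10.7.10.47\t623start.site\tGET\t/?status=start&av=\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
10.7.10.47\tguiatelefonos.com\tGET\t/data/czx.jpg\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
10.7.10.12\twww.example.com\tGET\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/114.0
"""
# Constructed TCP connection summaries, tab-separated: src_ip  dst_ip  dst_port
CONN_LOG = """\
10.7.10.47\t194.26.135.119\t12432
10.7.10.12\t93.184.216.34\t443
"""

def scan_http(log):
    """Return (src_ip, reason) tuples for HTTP requests matching the indicators."""
    findings = []
    for line in log.splitlines():
        src, host, method, uri, ua = line.split("\t")
        # RedLine's loader traffic here is plain HTTP GET from PowerShell, so
        # require both the known host and the WindowsPowerShell User-Agent.
        if host in INFECTION_HOSTS and "WindowsPowerShell" in ua:
            if START_INSTALL.match(uri):
                findings.append((src, f"powershell beacon to {host}{uri}"))
            elif uri == EXFIL_PATH:
                findings.append((src, f"exfil-style fetch from {host}{uri}"))
    return findings

def scan_conn(log):
    """Return (src_ip, reason) tuples for sessions to the RedLine C2 address:port."""
    findings = []
    for line in log.splitlines():
        src, dst, port = line.split("\t")
        if ip_address(dst) == ip_address(C2_IP) and int(port) == C2_PORT:
            findings.append((src, f"tcp connection to RedLine C2 {dst}:{port}"))
    return findings

def infected_hosts(http_log=HTTP_LOG, conn_log=CONN_LOG):
    """Internal source addresses that hit any of the indicators (10.7.10.47 in the sample)."""
    return {src for src, _ in scan_http(http_log) + scan_conn(conn_log)}
```

In a real investigation the same three checks map directly onto Wireshark filters on http.host, http.user_agent and ip.addr/tcp.port, which is how the quiz itself isolates this traffic.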

Read more: https://unit42.paloaltonetworks.com/wireshark-quiz-redline-stealer-answers/