{ Security-in-bits }

Unpack RedLine stealer to extract config using pe-sieve -Part 2

.NET, dnSpyEx, Infostealer, Malware Series, pe-sieve, ProcMon, RedLine
Ayush Anand
About the Newsletter

Join 100+ subscribers who get 0x1 actionable security bit every week.

shieldSubscribe

RedLine Stealer config extraction using two ways:

    1. Fast & Easy Method: Use the awesome pe-sieve tool from @hasherezade, which dumps unpacked file from memory. Then,  extract the config from dumped file.
    2. Using dnSpyEx for manual debugging. It’s a bit lengthy but a great way to learn about the unpacking process. We will cover this in our next article in this series. Signup for our newsletter 👆to receive exclusive notification about upcoming articles.

This is the 2nd part of the deep dive into the RedLine, if you want to refresh about the RedLine Stealer infection chain, check out our previous article 🔍 Dive into the RedLine Stealer Infection Chain – Part 1 .

If you’d like to follow along, start by downloading this file line.exe from MalwareBazaar.

Fast & Easy Method: Using pe-sieve

One efficient way to extract the configuration of RedLine Stealer is by leveraging the powerful pe-sieve tool.This tool excels in dumping unpacked files from memory, simplifying the extraction process.

Follow these steps to extract the config:

1. Monitor the malware using ProcMon & Process hacker

Use ProcMon Sysinternal tool to monitor the execution of line.exe. You’ll see a process tree like this.

RedLine Stealer Infection chain process tree

After a few seconds, PowerShell will exit, and you’ll see a new process, InstallUtil.exe, with a child process, conhost.exe. The malicious code is injected inside InstallUtil process

1. Process hacker process tree
1. Process hacker process tree
2. Dump the code using pe-sieve

Let’s use pe-sieve to dump the unpacked code.

  • Get the process id of InstallUtil.exe (e.g. 8284)
  • Execute this cmd pe-sieve /pid 8284 to dump the unpacked code from this InstallUtil.exe process.
Unapck using pe-sieve
2. Dump using pe-sieve

Open this 400000.InstallUtil.exe in your favourite tool, I am using Die which is already installed in my Flare-VM. As you can see its 32 bit .NET file.

RedLine Stealer Die screenshot
Die screenshot
3. Extract config using dnSpyEx

Open the dumped 400000.InstallUtil.exe from pe-sieve in dnSpyEx. Go to the assembly , right click then select “Go to Entry Point”.

Click on the IP text, it will show you the config class EntryPoint. In this sample, there is no XOR key used, so the C&C in plain text.

3. Load the file in dnSpyEx
3. Load the file in dnSpyEx

Now we have extracted the RedLine Stealer config.

4. Config Redline stealer
4. Config Redline stealer

For those seeking a deeper understanding of the unpacking process, manual debugging using dnSpyEx provides invaluable insights. I am excited for next article as it will cover unpacking in details.

Stay tuned for our next article in this series, where we will explore this technique in detail.

Thanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.

For more updates and exclusive content, subscribe to our newsletter. Happy Reversing! 😊

Join 100+ subscribers who get 0x1 actionable security bit every week.




Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Related Posts

keyboard_arrow_up
This website uses cookies to improve your experience. If you continue to use this site, you agree with it.