Unpack RedLine stealer using dnSpyEx – Part 3

About the Newsletter

Join 100+ subscribers who get 0x1 actionable security bit every week.

In this article, we dive into process of unpacking and extracting config from RedLine Stealer using dnSpyEx. It’s a bit lengthy but a great way to learn about the unpacking process using dnSpyEx.

🔍 This is the 3rd part in our deep dive series on RedLine.

If you need a refresher on the infection chain, check out Part 1 –🔍 Dive into the RedLine Stealer Infection Chain – Part 1. And if you’re interested in using the pe-sieve tool, explore Part 2 – Unpack RedLine stealer to extract config using pe-sieve -Part 2.

To follow along, download the file line.exe from MalwareBazaar.

Using dnSpyEx for Manual Debugging - RedLine Stealer

Let’s embark on the unpacking journey with dnSpyEx:

1. Loading line.exe into dnSpyEx

Load line.exe to dnSpyEx and navigate to the EP you will see MainWindow.NON()

This section contains critical code snippets, including

Activator.CreateInstance is use to execute the 2nd stage dll dynamically.

Activator.CreateInstanceCreate instances of types dynamically during runtime. It is commonly used with reflection to instantiate types during runtime.

 2. Loads & execute the 2nd Stage dll (HiTechDistribution.dll)

It loads assembly using AppDomain.CurrentDomain.Load(), then, it fetches all the public (exported) types from that assembly using GetExportedTypes()& returns the first one.

PantosTExBwBQpyLp function decrypt this embedded resource (Resources.HiTechDistribution) using hard-coded key.

In summary, it loads and execute the .NET assembly (2nd Stage) using Activator.CreateInstance after decrypting the resources embedded in line.exe.

Now let’s analyse the 2nd Stage dll.

3. Analyze & Debug the 2nd Stage DLL

Let’s set a bp in line.exe at return exportedTypes[0];, to analyze the loaded assembly in memory.

Navigate to Debug -> Windows -> Modules. You can see the new module HiTechDistribution.

Let’s open the module, then go to Analayzer method & set a bp at Program.Main()

4. Persistency using Startup folder

Let’s continue debugging, & our goal for analysis is to dump Happy.exe (unpacked malware) manually to extract config.

First function which start with class name FormGestionApp* is empty.
2nd function(rBB*) decrypt the strings, then execute PowerShell to copy line.exe to the Startup folder with the name “anydesk.exe.exe”.

2nd function(rBB*) decrypt the strings, then execute PowerShell to copy line.exe to the Startup folder with the name “anydesk.exe.exe”.

Note: The Call Stack window in dnSpyEx is quite useful for seeing how the code jumps from one module to another.

In this case it jumps from line.exe -> HiTechDistribution.dll (2nd stage dll) -> 2.7.dll – Injector (3rd stage dll).

Call stack for RedLine
5. Load and dump 3rd stage dll (2.7.dll)

At line 19, it loads another injector named as (2.7), which is shown below in Modules section in dnSpyEx.

It uses the Invoke method with two parameters as mentioned below:

  1. InstallUtil.exe path
  2. Assembly to inject (unpacked Happy.exe)

This HumanTrace function based on the the flag it inject into itself  or InstallUtil.exe . For this execution, it return the complete path for InstallUtil.exe as shown below.

6. Extracting the Unpacked Malware

Then Step Into Invoke function, you will see two parameter and final unpacked payload Happy.exe is present in the 2nd parameter as shown below.
Right-click and save the unpacked payload to disk.

7. Extract RedLine config using dnSpyEx

Open this Happy.exe in dnSpyEx. Go to the assembly , right click then select “Go to Entry Point”.
Click on the IP text, it will show you the config class EntryPoint. In this sample, there is no XOR key used, so the C&C in plain text.

4. Config Redline stealer

Unpacking RedLine Stealer using dnSpyEx is a meticulous yet rewarding process that offers invaluable insights into malware analysis and detection.

Thanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.

For more updates and exclusive content, subscribe to our newsletter. Happy Reversing! 😊

Join 100+ subscribers who get 0x1 actionable security bit every week.

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Related Posts