RedLine Infection Chain Step 1

🔍 Dive into the RedLine Stealer Infection Chain – Part 1

Tags: CyberChef, Infostealer, LNK, Malware Series, mshta, PowerShell, RedLine, VBScript
RedLine Stealer Infection Chain: Zip ➡️ LNK PS ➡️ mshta (URL1) ➡️ PS ➡️ cmd ➡️ PS ➡️ URL2 ➡️ exe

What's Inside:
- LNK whose target uses the wildcarded path \W*\\2\\msh*e (resolving to mshta) to dodge detection
- VBScript analysis using CyberChef & Wscript.Echo
- Using a CyberChef recipe to decode the VBScript & PowerShell
- How to deobfuscate PowerShell with PowerShell logging…
Stage 2 PowerShell deobfuscated

Deobfuscate PowerShell using subtract – CyberChef Recipe 0x4

Tags: CyberChef, CyberChef Recipe, Infostealer, PowerShell, RedLine
In this quick blog post, we'll explore various combinations of CyberChef operations, e.g. Generic Code Beautify, Subsection, Fork, Subtract, etc., to deobfuscate the second-stage PowerShell script used in the RedLine stealer infection chain. The PowerShell script contains multiple arrays of integers. It employs a straightforward function to decode the…
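The integer-array-plus-subtract scheme that the CyberChef recipe post above targets (and that the Part 1 post decodes with the same tool) is simple enough to script outside CyberChef. The following is an added example, not code from the blog or from its recipe: a Python decoder that mirrors the Subsection ➡️ Fork ➡️ Subtract steps by pulling every `@( ... )` integer array out of the script, locating the key the `[char]($_ - $key)` expression subtracts, and rebuilding each string. The sample script, its variable names, the decoded strings and the key value 79 are all constructed for this example; the real stage-2 sample's arrays and key are not reproduced here.

```python
import re

# Constructed sample in the shape the post describes: integer arrays plus a
# small subtract-and-join decoder. Names, strings and the key (79) are made up.
SAMPLE_SCRIPT = r"""
$k = 79
$s1 = @(152, 189, 197, 190, 186, 180, 124, 166, 180, 177, 161, 180, 192, 196, 180, 194, 195)
$s2 = @(183, 195, 195, 191, 137, 126, 126, 180, 199, 176, 188, 191, 187, 180, 125, 195, 180, 194, 195)
function d($a){ -join ($a | ForEach-Object { [char]($_ - $k) }) }
& (d $s1) (d $s2)
"""

# $name = @(1, 2, 3)        -> the obfuscated payload arrays (CyberChef "Subsection")
ARRAY_RE = re.compile(r"\$(\w+)\s*=\s*@\(\s*([\d\s,]+?)\s*\)")
# $name = 79                -> integer assignment that may hold the key
KEY_RE = re.compile(r"\$(\w+)\s*=\s*(\d+)\s*$", re.MULTILINE)
# [char]($_ - $k) or [char]($_ - 79)  -> the decoder's subtract expression
SUB_RE = re.compile(r"\[char\]\(\s*\$_\s*-\s*(?:\$(\w+)|(\d+))\s*\)")


def find_arrays(script: str) -> dict[str, list[int]]:
    """Return {variable: [ints]} for every integer array literal in the script."""
    return {
        m.group(1): [int(x) for x in m.group(2).split(",")]
        for m in ARRAY_RE.finditer(script)
    }


def find_key(script: str) -> int:
    """Resolve the constant subtracted inside [char]($_ - ...)."""
    m = SUB_RE.search(script)
    if not m:
        raise ValueError("no [char]($_ - key) subtract pattern found")
    if m.group(2):                      # literal key, e.g. [char]($_ - 79)
        return int(m.group(2))
    name = m.group(1)                   # variable key, e.g. [char]($_ - $k)
    for km in KEY_RE.finditer(script):
        if km.group(1) == name:
            return int(km.group(2))
    raise ValueError(f"key variable ${name} is never assigned an integer")


def subtract_decode(values: list[int], key: int) -> str:
    """CyberChef 'Subtract' + char conversion: every element minus the key."""
    out = []
    for v in values:
        c = v - key
        if not 0 <= c < 0x110000:
            raise ValueError(f"{v} - {key} is not a code point; wrong key?")
        out.append(chr(c))
    return "".join(out)


def decode_script(script: str) -> dict[str, str]:
    """Decode every array in the script with the key its own decoder uses."""
    key = find_key(script)
    return {name: subtract_decode(vals, key) for name, vals in find_arrays(script).items()}


def guess_keys(arrays: dict[str, list[int]], max_key: int = 255) -> list[int]:
    """Fallback when the decoder function itself is obfuscated: every key for
    which all arrays decode to printable ASCII. Expect several candidates;
    the analyst picks the one yielding real cmdlets/URLs."""
    hits = []
    for key in range(1, max_key + 1):
        if all(32 <= v - key <= 126 for vals in arrays.values() for v in vals):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for name, text in decode_script(SAMPLE_SCRIPT).items():
        print(f"${name} -> {text!r}")
    print("candidate keys:", guess_keys(find_arrays(SAMPLE_SCRIPT)))
```

Run it on a beautified stage-2 script (Generic Code Beautify first, so each assignment sits on its own line, which is what `KEY_RE` assumes). The `guess_keys` fallback deliberately returns a range of plausible keys rather than one answer: with short arrays, several offsets produce printable text, and only one produces a cmdlet name or URL.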
Same UUID key

Similarity between Qealler/Pyrogenic variants -Part 0x3

Tags: Bytecode Viewer, Infostealer, Java, Pyrogenic, Qealler
In this last part, we will compare the old Qealler with the new Qealler/Pyrogenic variant. The previous posts, Pyrogenic Infostealer static analysis – Part 0x1 and Unpacking Pyrogenic/Qealler using Java agent – Part 0x2, went through the latest Pyrogenic/Qealler [6] statically and dumped the unpacked code using a Java agent.

CONTENTS: Brief Timeline…