Discover and read the best of Twitter Threads about #redlinestealer

Most recents (1)

Malware Analysis Tip - Use Process Hacker to watch for suspicious .NET assemblies in newly spawned processes.

Combined with DnSpy - it's possible to locate and extract malicious payloads without needing to manually de-obfuscate.

1/

#Malware #dnspy #analysis #RE
2/ For anyone wanting to try - The initial sample can be in the link below

Once executed (inside of a safe vm!) - You should see the installutil.exe detailed in the screenshots above.

(Make sure to use Dnspy-x86 for attaching to the process) šŸ˜„

bazaar.abuse.ch/sample/b24c75dā€¦
3/ Sometimes you'll get lucky and the modules will be named much more suspiciously.

See below for an example of a suspected #redlinestealer loader. Which injected multiple modules into a renamed powershell.exe.

bazaar.abuse.ch/sample/7e09174ā€¦
Read 3 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!