Red Stealer Lab | CyberDefenders Writeup

Solvenite
3 min read

Scenario:

You are part of the Threat Intelligence team in the SOC (Security Operations Center). An executable file has been discovered on a colleague's computer, and it's suspected to be linked to a Command and Control (C2) server, indicating a potential malware infection.

Your task is to investigate this executable by analyzing its hash. The goal is to gather and analyze data beneficial to other SOC members, including the Incident Response team, to respond to this suspicious behavior efficiently.

Link to Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/red-stealer/


Q1: Categorizing malware enables a quicker and clearer understanding of its unique behaviors and attack vectors. What category has Microsoft identified for that malware in VirusTotal?

Answer: Trojan


Q2: Clearly identifying the name of the malware file improves communication among the SOC team. What is the file name associated with this malware?

Answer: Wextract


Q3: Knowing the exact timestamp of when the malware was first observed can help prioritize response actions. Newly detected malware may require urgent containment and eradication compared to older, well-documented threats. What is the UTC timestamp of the malware's first submission to VirusTotal?

Answer: 2023-10-06 04:41:50 UTC


Q4: Understanding the techniques used by malware helps in strategic security planning. What is the MITRE ATT&CK technique ID for the malware's data collection from the system before exfiltration?

Answer: T1005


Answer: Facebook.com


Q6: Once the malicious IP addresses are identified, network security devices such as firewalls can be configured to block traffic to and from these addresses. Can you provide the IP address and destination port the malware communicates with?

Answer: 77.91.124.55:19071


Q7: YARA rules are designed to identify specific malware patterns and behaviors. What's the name of the YARA rule created by "Varp0s" that detects the identified malware?

Search for the SHA-256 hash on MalwareBazaar and locate the rule in the YARA Signatures section.

Answer: detect_Redline_Stealer


Q8: Understanding which malware families are targeting the organization helps in strategic security planning for the future and prioritizing resources based on the threat. Can you provide the different malware alias associated with the malicious IP address according to ThreatFox?

Use ThreatFox, search for ioc:77.91.124.55, and then find the section labeled Malware Alias.

Answer: RECORDSTEALER
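The lookups for Q3, Q7 and Q8 above were done by hand in the web UIs. As an added example (not code from the original writeup), the script below parses the JSON shapes that the VirusTotal v3, MalwareBazaar and ThreatFox APIs return, so the same facts can be pulled out programmatically and handed to the IR team. The sample responses are constructed and trimmed to the fields used; field names are assumed from the public API documentation, the Microsoft detection label is a placeholder, and the remaining values come from the writeup. Nothing here touches the network.

```python
"""Offline parsing of VirusTotal / MalwareBazaar / ThreatFox response shapes.

Added example, not part of the original writeup. Sample responses below are
constructed and trimmed; field names are assumed from the public API docs.
"""
from datetime import datetime, timezone

# --- constructed sample responses -------------------------------------------

VT_FILE_OBJECT = {  # shape of GET /api/v3/files/<sha256>
    "data": {
        "attributes": {
            "meaningful_name": "Wextract",
            "first_submission_date": 1696567310,  # unix epoch seconds, UTC
            "last_analysis_results": {
                # result string is a constructed placeholder, not a real label
                "Microsoft": {"category": "malicious",
                              "result": "Trojan:Win32/PlaceholderSample"},
            },
        }
    }
}

MB_GET_INFO = {  # shape of POST query=get_info&hash=<sha256>
    "query_status": "ok",
    "data": [{
        "file_name": "Wextract",
        "yara_rules": [
            {"rule_name": "detect_Redline_Stealer", "author": "Varp0s"},
            {"rule_name": "constructed_other_rule", "author": "someone_else"},
        ],
    }],
}

TF_SEARCH_IOC = {  # shape of POST {"query": "search_ioc", "search_term": ...}
    "query_status": "ok",
    "data": [{
        "ioc": "77.91.124.55:19071",
        "ioc_type": "ip:port",
        "threat_type": "botnet_cc",
        "malware_alias": "RECORDSTEALER",
    }],
}


def vt_summary(obj):
    """Return (first-seen UTC string, Microsoft category, file name)."""
    attrs = obj["data"]["attributes"]
    first_seen = datetime.fromtimestamp(attrs["first_submission_date"],
                                        tz=timezone.utc)
    label = attrs["last_analysis_results"]["Microsoft"]["result"]
    # Microsoft labels read "<Category>:<Platform>/<Family>"; keep the category
    category = label.split(":", 1)[0]
    return (first_seen.strftime("%Y-%m-%d %H:%M:%S UTC"),
            category,
            attrs["meaningful_name"])


def yara_rules_by_author(mb, author):
    """Names of MalwareBazaar YARA rules attributed to one author."""
    if mb.get("query_status") != "ok":
        return []
    return [r["rule_name"]
            for entry in mb["data"]
            for r in entry.get("yara_rules", [])
            if r.get("author") == author]


def c2_block_entries(tf):
    """Turn ThreatFox ip:port IOCs into (ip, port, alias) tuples for a blocklist."""
    out = []
    if tf.get("query_status") != "ok":
        return out
    for ioc in tf["data"]:
        if ioc.get("ioc_type") != "ip:port":
            continue  # domains and URLs need a different control
        ip, port = ioc["ioc"].rsplit(":", 1)
        out.append((ip, int(port), ioc.get("malware_alias", "")))
    return out


if __name__ == "__main__":
    print(vt_summary(VT_FILE_OBJECT))
    print(yara_rules_by_author(MB_GET_INFO, "Varp0s"))
    for ip, port, alias in c2_block_entries(TF_SEARCH_IOC):
        print(f"block {ip} tcp/{port}  # {alias}")
```

Each parser checks `query_status` (or the nested `data` object) before reading fields, because a hash or IP that the service has never seen returns a "no result" body with no `data` list; a script that assumes the list is always there will crash on exactly the unknown samples a SOC most needs to triage.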


Q9: By identifying the malware's imported DLLs, we can configure security tools to monitor for the loading or unusual usage of these specific DLLs. Can you provide the DLL utilized by the malware for privilege escalation?

This one is a bit trickier and needs a little reading to get the answer. Go back to VirusTotal, open the Runtime Modules section under the Behavior tab, and list the DLLs. Check each one to determine which is commonly used for privilege escalation.

Answer: ADVAPI32.dll


Written by

Solvenite