Day 16: Hunting for Redline Stealer Archives with Adobe AfterFX

For todays yara rule I took a look at a archive themed as Notepad++ that was used to deliver Redline Stealer via Malvertizing:

https://infosec.exchange/@rmceoin/109763719160050309

While taking a look at the samples mentioned in that post I noticed that they all a DLL signed by Adobe related to Adobe After Effects:

AfterFXLib.dll

This file is likely being included for detection evasion purposes.

Yara Rule

Here is the Yara rule that I created for detecting zip and rar archives with this file mentioned!

rule sus_archive_afterfx {
    meta:
  	    author = "Colin Cowie"
        description = "Detects archives with the dll named AfterFX or AfterFXLib"
        references = "https://infosec.exchange/@rmceoin/109763719160050309"
  strings:
        $rar_header = { 52 61 72 21 1A 07 00 }
        $afterfx = {41 66 74 65 72 46 58 [0-3] 2e 64 6c 6c} // This checks for AfterFX[0-3].dll
    condition:
        (uint32(0) == 0x04034b50 or $rar_header at 0 ) // check for zip or rar
        and $afterfx
}

Results

While retrohunting with this rule I found 33 malicious archives that are consistent with what was shared on Mastodon with RedLine stealer.

File Name,ZipModifyDate,hash
GalaxyV28.612.51.zip,2023:01:28 19:06:50,2806ce1e618dfa91058ff4aa47a15183083e6a52036c148a6489578d2d651115
npp.28.7123.24Installer.x64.zip,2023:01:28 22:29:26,0933e3a86413231f04be32887aec2fd1914d300b36ac74939ad5a4c5296a06c9
rufus-27.11.1321.zip,2023:01:27 03:39:20,dafbbc207847f7b597da8dc79c4eb4982419a05ce9457e3d8a77f3f50c22a5fb
OnionBrowserV28.421.721.zip,2023:01:28 19:02:34,ba4d696245f2b93d0ca66552ea16a647fa4082216eda36f92a30e025677e023f
rufus-28.412.213.zip,2023:01:27 22:51:52,5475f4b3dbf9d51b352af2d6dac9a5fa91c91f802cbcf6187394e7f5f86fee69
npp.28.442421Installer.x64.zip,2023:01:27 23:08:40,d50fc1d9f2129df6501af6569d6bdb0d2a95ad603741db01232c8c49ce87979a
npp.28.421.421Installer.x64.zip,2023:01:27 22:57:28,663055bf562411320eb3a890a34d20622010b9414e46af4f5b501e7d13a87ba2
OnionBrowserV28.311.432.zip,2023:01:27 23:21:28,073cee23fa121a8a1ecdd4723c9cb0507a7a48c0ce826d655bfb51cd827894dc
OnionBrowserV28.135.442.zip,2023:01:27 23:28:40,79c693370d9ab87fdf9d6334c8b2bbecf4068e38e917323cd24788811cc839f1
OnionBrowserV27.634.1123.zip,2023:01:27 01:43:16,fd9d1ba10310505f30b8f3736600c1ff249feddd8357783e270eb632f4e712b6
OnionBrowserV27.341.421.zip,2023:01:27 15:40:04,c60e3a991a9ce129d4f190958fafc29ebbf763eef5b93a2ae9f764eed8af4a8b
OnionBrowserV27.321.4212.zip,2023:01:27 02:11:26,ac0cc64d1b6b1c256f9866f34db48013cb3a3884da1cc40ff4f6bf268edb9f60
npp.27.62.131Installer.x64.zip,2023:01:27 13:45:34,0b24b4ed9492d1c644bda5ccb0a12930bd8807958e7d607ed298e9140f14ebbc
npp.27.34.112Installer.x64.zip,2023:01:27 02:26:42,5db917a03eb11f0ec18d3fc05fccd171c78ee7dc0277b62935b45ba4d030f3d9
npp.27.31.21Installer.x64.zip,2023:01:27 01:53:12,f4c9c34a2486d236d859652502ce561b7d689f06cc710e31bab28eeceb74e5e2
npp.27.31.12Installer.x64.zip,2023:01:27 02:23:54,9ca39bf0ba61b7adcce6fec8a3a19fdb7ecde7e689f8ef287ecff95f4c582d3b
GalaxyV27.13.22.zip,2023:01:27 02:02:16,f451b2aef5a31b7d903f6210ec8044d43aa08fd54882422b783c703484198552
rufus-28.441.231.zip,2023:01:27 23:01:02,2d31b06e1b85155fa340fec6cb98b42fefd44bbf619833e0c2cefa9c13f4559f
rufus-27.421.5123.zip,2023:01:27 13:42:06,39eb620816ba92ddeadda516aaa8357eff068e5aac09c737bdcca987d9eee8a2
rufus-27.15.121.zip,2023:01:27 01:26:48,aec325b3a6c9e89f1ce96e8d3e7fe98367966bb161cb108a7185f2c1428943fe
rufus-26.133.zip,2023:01:26 15:57:04,592b4d7e6e58f348e5bf36b2ab4864750573593ada70dcc6783cdf0c25ac3b80
rrufus.zip,2023:01:24 15:37:42,8d90d6e103e06bcec0ccfe285b8c17b7f9ad9e1bae4308c4c8e88a6dc49f1ae4
GalaxyV26.13.22.zip,2023:01:25 23:50:24,d8a51d8649da0ccbd4d32737b90d72e8b8b477445fed78668429b5d5a43e1d6d
npp.25.23.42Installer.x64.zip,2023:01:25 22:50:04,d51a5153094513cbe9d3a24943ff2cbffa6fd0b03ef0f638f68d73ba91ed1b34
rufus-26.12.13.zip,2023:01:26 00:11:44,5fd52c9f80c36017d9eb00518db945e4ff7aa7f14b6f5133323e455ee72ed226
Unconfirmed 396280.crdownload,2023:01:25 11:33:50,6197eb06b75b66894fa39dc7990bec9e5beed66adcf9d9aeb74d8b524f331499
npp.8.1.8.Installer.x64.zip,2023:01:24 15:37:42,dbd1b8966d73577f0cd2e60e28da70e01f51191a1b06973a8b4256a84eabe2ad
GalaxyV25.11.12.zip,2023:01:24 15:10:52,31e1d8d10aceaf477355c3ed97977d93c5e4947e5378eebcaf8d1f2ed0f950ea
GalaxyV23.11.12.zip,2023:01:23 16:03:00,55f6c6d9e5a65a6ef938f95b7300cdca8ddf1984c01837161e0408f357597ecf
OnionBrowserV22.14.12.zip,2021:10:08 19:35:34,ac8d5fadf823361eadf88179b8203407ba8a2a2db189f329527acfe0fcb16d72
GalaxyV21.15.17.zip,2023:01:21 16:08:22,38c584bb75e01969a44c13c66ba39d9de291f8f7a7c43909c1a0412046e7690b
OnionBrowserV22.21.17.zip,2023:01:22 23:04:08,78709f157409b81211553a72367f684fef51c123beb2bd1a45d818a6d628ee59
/forhost1232/lastpassinstaller/-/raw/main/LastPassInstaller.zip,2023:01:12 17:46:28,24aef3e3252f9f2d95b5d384962b3e1301eab0e7ef8cf7f62d0366a4aabd22e6
GalaxyV18.32.21.zip,2022:12:31 15:07:14,7e81594478d146175d3ca7e2c30110096bfb7086c56efbeb4db75eae42fa2483

References

https://infosec.exchange/@rmceoin/109763719160050309
https://yara.readthedocs.io/en/stable/writingrules.html

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

016.md

016.md

Day 16: Hunting for Redline Stealer Archives with Adobe AfterFX

Yara Rule

Results

References

Files

016.md

Latest commit

History

016.md

File metadata and controls

Day 16: Hunting for Redline Stealer Archives with Adobe AfterFX

Yara Rule

Results

References