“Streamlining Critical Analysis”

Executive Summary

In this post, we share information about how security professionals can take analysis shortcuts to quickly triage and analyze multiple malware samples. Within minutes, we can determine the malware families from a group of samples, parse the embedded configuration and extract the associated network indicators of compromise (IoCs).

For example, earlier this year we quickly responded to requests for information related to cyberattacks against Ukrainian targets that used commercial attack tools like Quasar RAT. From a single sample that one of our industry partners shared, we pivoted to a Bitbucket repository that contained 10 other samples belonging to the same threat actor.

Using malware configuration parsing at scale not only speeds up the analysis process but also reduces the need for manual reverse engineering of individual samples. Malware configuration extractors, available both commercially and in open-source projects, serve as exceptional tools for quickly obtaining answers when time is critical. Our results from Advanced WildFire’s Malware Configuration Extraction (MCE) system indicate this approach is extremely useful to efficiently analyze large volumes of malware.

Palo Alto Networks customers are better protected from the malware discussed in this article through our Network Security solutions and Cortex line of products, including Cortex XDR and XSIAM. Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Introduction

As malware analysts, we often find ourselves making tough choices related to time management. This is particularly true when protecting our customers in time-critical situations. Cybercriminals create an endless stream of malware with megabytes of irrelevant code and obfuscated payloads intentionally crafted to make our jobs harder and delay countermeasures.

Using MCE, we automated the extraction of configurations from multiple malware families to speed our analysis. These configurations consisted of various IoCs like command and control (C2) addresses, unique identifiers and attack parameters.

Discovering the Malware Repository

In early 2024, Unit 42 observed an increase in attackers using off-the-shelf software for malware against specific targets of interest. During one of these attacks, an industry partner provided us with information on one such malware example.

We analyzed and extracted the C2 server address used by this sample. Pivoting on this information revealed a Bitbucket repository hosting the second stage payloads. Further investigation revealed 10 additional samples hosted and deployed from the same repository.

At the time of the investigation, none of these samples were available on VirusTotal. Figure 1 shows a screenshot of the repository before it was taken offline.

A screenshot of the "Downloads" page on the GitHub repository for a project called "yener3". The webpage is displayed with a menu on the left side, showing options like 'Code', 'Issues', 'Pull requests', 'Actions', 'Projects', 'Wiki', 'Security', 'Insights', and 'Settings', highlighted on 'Downloads'. The main area shows a list of files available for download, including their names. The file sizes vary. The 'Download' button at the top right suggests users get API instructions for large uploads. The URL is visible in the browser's address bar.
Figure 1. Bitbucket repository of the second stage payloads.

To identify the malware samples and extract their IoCs, we submitted them to Advanced WildFire’s MCE.

Automated Analysis Doing the Heavy Lifting

Attempting to extract IoCs from individual samples would have been a challenging task due to the obfuscation present in all the samples. Figure 2 below depicts the obfuscated code of one of the samples, a Windows executable for Lumma Stealer.

Screenshot of a computer screen displaying various files in a software development environment, with a focus on source code written in C programming language. The interface shows a directory structure on the left and code editor on the right.
Figure 2. Obfuscated code of Lumma Stealer.

The samples not only have obfuscated code, but their configurations that contain the IoCs are also encrypted. For instance, in the case of Quasar RAT, its configurations are encrypted using AES and then encoded with Base64 as shown below in Figure 3.

The image displays multiple lines of coding and system notifications, highlighting issues such as "File must be between 10 and 25," "Access denied," and "Unable to write to file stream," indicating a software debugging or troubleshooting process.
Figure 3. Encoded configurations of Quasar RAT.

With a quick sandbox run that was able to detect and fully parse the configuration from memory, we were able to identify the families of all 10 malware samples and extract their configurations. This revealed the networking IoCs so that we could immediately protect our customers.

Figure 4 documents the initial step of IoCs extracted via the MCE, showing the relationship between the 10 samples recovered from the Bitbucket repository and their SHA256 hashes.

Screenshot of a Bitbucket repository webpage displaying a list of file downloads with their corresponding SHA256 hashes marked with multiple red arrows. The page header includes navigation menus and a search bar, with a clear focal point on documents. A text flow at the top reads Initial File and and then Calls to Bitbucket
Figure 4. Chart showing the relationship between the 10 Bitbucket samples and their SHA-256 hashes.

Configuration data extracted by the MCE reveals some patterns and shared attributes between the samples. Figure 5 shows domains and IP addresses used for C2 server by four samples we subsequently identified as Lumma Stealer. Two .pw C2 domains are shared by the top two examples in Figure 5, while all of them include C2 servers using various .pw domains.

Image displaying a diagram of Lumma Stealer malware samples and their related domains. The SHA hashes are on the left and point to the IP addresses.
Figure 5. Four Lumma Stealer malware samples.

The next two samples are Remcos RAT and Quasar RAT. These threats beacon to the same set of IP addresses for C2 servers, as shown below in Figure 6. Pivoting on that set of shared C2 servers, we discovered several other executables using the same IP addresses listed in Figure 6.

Flowchart of two malware samples, the first being "Remcos Rat" and the second "Quasar Rat." Each case has an associated executable file, with "Remcos Rat" linked to "gbrem.exe" and "Quasar Rat" connected to "gbquas.exe." Both have specific identification codes and share connections with three IP addresses.
Figure 6. Remcos Rat and Quasar Rat malware samples using the same beacon IP addresses.

Figure 7 shows the obfuscated code from the Redline Stealer sample revealed by disassembler IDA Pro.

The image shows a screenshot of computer code in a programming interface, highlighting various methods and instances within a structured block format, used for software development or debugging.
Figure 7. Redline Stealer sample.

Figures 8 and 9 show the IoCs that we were able to extract from one of the Redline Stealer samples. Using MCE, we could easily identify and extract the C2 domains from memory.

A close-up view of hexadecimal code on a computer screen, with subsections highlighted in pink. The visible part of the code includes a sequence of numbers and letters indicating data values.
Figure 8. Memory snapshot from analysis of a Redline Stealer sample shown in a hex editor.
Image displaying a diagram of Redline Stealer malware samples and their related domains. The SHA hashes are on the left and point to the IP addresses.
Figure 9. IP addresses for C2 servers extracted from two Redline Stealer samples.

Our automated analysis of the last two binaries hosted on the Bitbucket repository revealed they are Vidar Stealer. Figure 10 shows a flow chart diagram for the configuration unpacking routine.

Computer screen displaying multiple windows of code debugging software, with a focus on Java programming. The main window shows a method invocation in a code editor, and other smaller pop-up windows highlight variable values and memory addresses during a debugging session.
Figure 10. Vidar Stealer packed sample.

The MCE component of Advanced WildFire was also able to easily identify and extract these embedded C2 server information from memory as well. Figure 11 shows configuration information in a memory snapshot from one of the Vidar Stealer samples, and Figure 12 shows the C2 server information from both Vidar Stealer samples.

The image displays a hexadecimal code dump highlighted in shades of purple and red, indicating a focus on specific segments of data for analysis or debugging.
Figure 11. Memory snapshot from analysis of a Vidar Stealer sample shown in a hex editor.
Image displaying a diagram of Vidar malware samples and their related domains. The SHA hashes are on the left and point to the IP addresses.
Figure 12. C2 server information extracted from the two Vidar malware samples.

Conclusion

This post reveals the importance of accelerating malware analysis, because we often have no time for individual analysis on large groups of malware samples. We encourage readers to use whatever tools you have available to accomplish this. Our examples from this article show how we use the MCE component of Advanced WildFire to save significant analysis time and focus on identifying related IoCs more efficiently.

With the analysis, we could quickly determine the malware families of our newly discovered samples.

Quicker analysis enhances our ability to detect, analyze and develop effective countermeasures against malicious software. Furthermore, by sharing this quickly gained information, we can collectively stay ahead of cybercriminals to help safeguard our digital systems and networks.

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products:

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

SHA256 Hashes of the Second Stage Payloads

  • 50351b1ff64cd2e8d799f5153ff853a650e8782c49f241a123c8779ff3fa2a3d
  • 5b8e99a46d7c077152ef954e74a2ff1ad3de0adb34aa0b96f6f02fa60426d12f
  • d69fe5cb1ded3aaa9a8b64824d820a72da0a1d43c9298cfcb5072f0060aefb8c
  • 04ec79fb6e3260c8db46aea8e5cc6a42ad6e2af1c7c0cf46866a06b4acb98bae
  • 504a6b8ce51c3be7de7e74c98c6da3fe12b186f634c441b43fa21f3350b7f1a3
  • 101b9564ba11aa44372b37b1143eac0d5dd1e3f38c6a35517de843b9f23b3704
  • 09df06e192569b671d8f4b7587a5ba184392e80195968d0e4f1ab0c21de65c5e
  • e20124da608445d9df1c71b1ad3530331a86b773b0b2f6a43ad32ec3d061a297
  • 564d742044e5ac9f6279c01c5c29bb801606b63c6c2cbfc2af09d8f2a73b84a6
  • e8af36287e2270581fd5f2d28c6e0b83b337f58d430554d28dbf55d2ca09fcca

Beacon domains/IPs extracted:

  • 104.21.32[.]12
  • 142.132.232[.]235
  • 172.67.182[.]33
  • 177.105.132[.]124
  • 177.105.132[.]70
  • 5.42.64[.]67
  • 77.105.132[.]70
  • 82.147.85[.]205
  • assaultseekwoodywod[.]pw
  • cakecoldsplurgrewe[.]pw
  • chincenterblandwka[.]pw
  • dayfarrichjwclik[.]fun
  • diagramfiremonkeyowwa[.]fun
  • http[:]//128.140.69[.]37:80
  • https[:]//steamcommunity[.]com/profiles/76561199588685141
  • neighborhoodfeelsa[.]fun
  • opposesicknessopw[.]pw
  • opposesicknessopw[.]pw
  • pinkipinevazzey[.]pw
  • politefrightenpowoa[.]pw
  • politefrightenpowoa[.]pw
  • ratefacilityframw[.]fun
  • reviveincapablewew[.]pw

MITRE ATT&CK TTPs – created by AI

  • Malware Analysis – TTP ID: T1203
    • Automated extraction of configurations from multiple malware families to speed analysis.
    • Utilization of Malware Configuration Extraction (MCE) to identify IoCs quickly.
    • Sandbox runs to detect and parse configurations from memory.
  • Command and Control – TTP ID: T1071
    • Extraction of command and control (C2) addresses from malware samples.
    • Identification of shared C2 server IP addresses among different malware samples.
  • Obfuscated Files or Information – TTP ID: T1027
    • Analysis of obfuscated code in malware samples to extract configurations and IoCs.
    • Decryption of encrypted configurations, such as those using AES and Base64 encoding.
  • Data from Information Repositories – TTP ID: T1213
    • Pivoting on known malware samples to discover additional related samples in repositories.
    • Utilization of Bitbucket repositories for hosting malware payloads.

Source: Original Post