Malware Analysis — Manual Unpacking of Redaman

Redaman's capabilities include:

  • Monitoring browser activity
  • Downloading files to the infected host
  • Keylogging
  • Capturing screenshots and recording video of the Windows desktop
  • Collecting and exfiltrating financial data, specifically targeting Russian banks
  • Monitoring smart cards
  • Shutting down the infected host
  • Altering DNS resolution through the Windows hosts file
  • Retrieving clipboard data
  • Terminating running processes
  • Adding certificates to the Windows certificate store

Packed Sample

PE Overwrite

Unpacked File

The arguments set up for the call to ntdll!RtlDecompressBuffer (the parameter names below are that function's), in order:

  • [in] CompressionFormat: 102h, i.e. COMPRESSION_FORMAT_LZNT1 (2h) | COMPRESSION_ENGINE_MAXIMUM (100h)
  • [out] UncompressedBuffer: the destination buffer, [ebp+lpBuffer]
  • [in] UncompressedBufferSize: [ebp+dwSize]
  • [in] CompressedBuffer: the compressed data blob at unk_403000, passed via ECX
  • [in] CompressedBufferSize: 29CD6h, the length of that blob
  • [out] FinalUncompressedSize: a pointer the function fills with the number of bytes actually written; the NTSTATUS result itself comes back in EAX
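The parameter list above is the signature of RtlDecompressBuffer, and 102h selects LZNT1. The following is an added example (not code from the original article or from the Redaman sample) that decodes LZNT1 in pure Python, so a dumped blob can be unpacked on any platform without replaying the call in a debugger, plus a ctypes wrapper that makes the same ntdll call with the same argument order on Windows. The sample stream at the bottom is constructed by hand for the demonstration; the names `lznt1_decompress`, `rtl_decompress_buffer` and `SAMPLE` are this example's own.

```python
import struct
import sys

# Flags that make up the CompressionFormat value 0x102 seen in the disassembly.
COMPRESSION_FORMAT_LZNT1 = 0x0002
COMPRESSION_ENGINE_MAXIMUM = 0x0100
LZNT1_CHUNK_MAX = 0x1000  # one LZNT1 chunk decodes to at most 4096 bytes


def _displacement(pos):
    """Extra offset bits a back-reference token carries once the current
    chunk has already produced pos + 1 bytes (the MS-XCA 'displacement')."""
    d = 0
    while pos >= 0x10:
        pos >>= 1
        d += 1
    return d


def lznt1_decompress(data):
    """Decode an LZNT1 stream, the format RtlDecompressBuffer handles for
    CompressionFormat 0x102. The stream is a run of chunks, each led by a
    16-bit little-endian header: bits 0-11 = chunk data size - 1,
    bits 12-14 = signature 0b011, bit 15 = 1 if the chunk data is compressed
    (raw bytes otherwise)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                     # an all-zero header ends the stream
            break
        size = (header & 0x0FFF) + 1
        chunk = data[pos:pos + size]
        pos += size
        if not header & 0x8000:             # stored chunk: copy through
            out += chunk
            continue
        chunk_out = bytearray()
        i = 0
        while i < len(chunk) and len(chunk_out) < LZNT1_CHUNK_MAX:
            flags = chunk[i]                # one flag bit per following token
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:  # bit clear: literal byte
                    chunk_out.append(chunk[i])
                    i += 1
                    continue
                if i + 2 > len(chunk):
                    raise ValueError("truncated LZNT1 back-reference token")
                token = struct.unpack_from("<H", chunk, i)[0]
                i += 2
                # The offset/length split of the 16-bit token slides as the
                # chunk output grows: more offset bits, fewer length bits.
                d = _displacement(len(chunk_out) - 1)
                length = (token & (0x0FFF >> d)) + 3
                offset = (token >> (12 - d)) + 1
                if offset > len(chunk_out):
                    raise ValueError("LZNT1 back-reference points before chunk start")
                for _ in range(length):     # byte-wise so overlapping copies work
                    chunk_out.append(chunk_out[-offset])
        out += chunk_out
    return bytes(out)


def rtl_decompress_buffer(data, uncompressed_size):
    """The same operation through ntdll!RtlDecompressBuffer, with the argument
    order the parameter list above shows. Windows only (ctypes into ntdll);
    the NTSTATUS comes back in EAX, the byte count through the last pointer."""
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    fn = ntdll.RtlDecompressBuffer
    fn.argtypes = [ctypes.c_ushort, ctypes.c_void_p, ctypes.c_ulong,
                   ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    fn.restype = ctypes.c_long
    out = ctypes.create_string_buffer(uncompressed_size)
    final_size = ctypes.c_ulong(0)
    status = fn(COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM,
                out, uncompressed_size, data, len(data), ctypes.byref(final_size))
    if status != 0:
        raise OSError("RtlDecompressBuffer failed, NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
    return out.raw[:final_size.value]


# Constructed sample stream (not data from the Redaman binary), two chunks:
#   05 B0        header 0xB005: compressed, 6 bytes of chunk data
#   08           flags: tokens 0-2 literal, token 3 a back-reference
#   41 42 43     literals "ABC"
#   06 20        token 0x2006: offset 2+1 = 3, length 6+3 = 9
#   02 30        header 0x3002: stored (raw), 3 bytes
#   58 59 5A     "XYZ"
SAMPLE = bytes.fromhex("05B0084142430620" "023058595A")

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE))        # b'ABCABCABCABCXYZ'
    if sys.platform == "win32":
        print(rtl_decompress_buffer(SAMPLE, 4096))
```

To apply this to a dump, read the 29CD6h bytes at unk_403000 out of the packed file and feed them to `lznt1_decompress`; the result should be the PE that the sample writes into [ebp+lpBuffer]. The chunk-local bound check matters on real blobs: a back-reference reaching before the chunk start means the blob is truncated or was carved from the wrong offset, which is a more useful failure than an index error.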

Unpacking the “Unpacked” File

  • 'A' marks the ANSI (narrow-string) variant of a Win32 API and 'W' the wide (UTF-16) variant. The 'A' entry points convert their string and call into the 'W' implementation, so a breakpoint on the 'W' side is the way to see every DLL load. LoadLibraryA, LoadLibraryW and LoadLibraryExA all end up in LoadLibraryExW, so put the breakpoint there rather than on LoadLibraryW alone, which can miss loads that go through the A variants. Code that resolves its imports by hand may also bypass the kernel32 wrappers and call ntdll!LdrLoadDll directly; a breakpoint on LdrLoadDll still catches those.

Conclusion

Resources:
