Dissecting Redline Infostealer traffic — a SOAPy endeavour

Pictured: A typical Redline Infostealer operator after you’ve finished this article
Redline is by far the most popular source of stolen credentials on russianmarket
You should follow @vxunderground on Twitter. No, really. Do it now. I’ll wait until you return.
It’s alive! But still not logs. Which is sad.
There are multiple calls to “InstallManager.RemoveCurrent” which are called when something goes wrong
Just close the application instead of deleting the whole file
Your first log!
Look at this bad boy!
Delete VMWAREHOSTOPEN.EXE and try again
Much better — From an attacker’s standpoint.
In the lower panel you are able to manipulate the values
Looks like it worked!
SOAPy!
Python is your friend in this case
No one likes XML, right? Right? RIGHT??
Whoever finds the typo can keep it
Our replay worked as expected. Neat!
Much better! Redacted like a pro!
The number of logs is too damn high!

Mario Henkel