Analyzing the RedTiger Malware Stealer
Today we’ll dive into a fresh malware stealer dubbed RedTiger, a sample targeting personal user data, particularly Discord tokens, browser-stored credentials, and gaming accounts. This stealer, like many others seen recently, heavily leverages Discord webhooks for Command & Control (C2).
SHA256: b8d1c0436023bf58ea7b0f530ea37ae67bac0e956d9c93376702b4832055e0fd
Distributed as: Phantom X.exe
Deobfuscated sample: https://github.com/cyb3rjerry/revengd-malware/tree/main/redtiger
How I found this sample
As usual, I grabbed this malware sample from tria.ge after spotting it flagged as malicious.
Dissecting a fresh BlankGrabber sample
BlankGrabber is nothing new. It’s been documented by multiple companies such as ThreatMon and K7Security, and has even had its source code disclosed on GitHub. So why exactly are we looking at a well-documented and even reversed sample? Because there’s more than just the final payload. With a fresh, unaltered sample, we get to look into how the sample gets dropped and loaded!
Threat hunting for shits and giggles [Part 1]
I’ll start by saying this post is not endorsed by hunt.io. I just happen to be a really big fan of what they’re doing.
Some hackers suck at OpSec
Not all hackers are the smartest. If you’ve ever played with Shodan or Censys, you’ve most likely come across open directories. What’s an open dir? It’s essentially when you expose the entire root of your website. It’ll typically look something like this: