Recently OneNote files are being abused a lot to carry malware and users are being tricked to execute the same. This count has increased in the last couple of weeks.

The sample under consideration was a .one file in the wild carrying the RedLine info stealer.

Figure 1 – VT detection

The .one file just had a simple dialog box saying ‘Double click to view’.

Figure 2 – Batch file hiding behind the dialog box

However, when we drag that dialog box we see a batch file named xxx.bat under it. Placing the cursor over it shows the desktop name of the machine where it was inserted into the .one file.

Figure 3 – Malicious batch file

The contents of the batch file are not straight forward. Variables present were combined during the runtime into the actual command to be executed.

Figure 4 – Contents of the batch file

The following are the commands that are decoded at the run time.

Figure 5 – Decoded commands

After this, in the following section of the  file another command that gets decoded in the runtime which shows that the batch file copies the PowerShell application and renames into ‘xxx.bat.exe’ and pastes it in the current directory.

Figure 6 – Copying & renaming PowerShell to the name of the batch file

Next in the batch file we can see some base64 encoded content in the middle which is a PE file.

Figure 7 – Encoded RedLine stealer in the batch file

Finally at the end of the file there is another command which executes the copied PowerShell to process the data that we have seen in the middle of the file.

Figure 8 – Decryption key, IV and decompression code

The commands from the figure 8 indicate that the data from the batch file gets base64 decoded then decrypted using the key and IV. At the end, data gets decompressed using Gzip.

We replicated this using Cyberchef and got the payload. The payload is a .NET file which belongs to the RedLine stealer family. In dnSpy we can see that the filename is tmp5217.

We can see a lot of base64 strings that are passed into a certain function which decrypts using the key and IV that are passed as arguments.

Figure 9 – Decompiled code of RedLine stealer

The decoded strings are as follows.

Figure 10 – Decrypted strings that are used in the code

The strings can be decoded using CyberChef. This is explained very well here. The payload.exe is the resource in the RedLine malware. The payload.exe is decrypted using the previously mentioned function.

Figure 11 – Resource named payload.exe

The original name of the resource is pestle.exe which has a class named ‘Arguments’  that contains an IP address, key which is base64 encoded and is decrypted using XOR function.

Figure 12 – Encrypted IP and XOR key for decryption

The decrypted IP address is, which was up at the time of writing the blog. Once the ip is decrypted it makes a connection and transfers the data which we will discuss further in this blog.

Figure 13 – Making a connection after decrypting IP

Once the connection is started, we can observe the traffic through Wireshark. 

Figure 14 – Sending SYN to initiate the TCP connection
Figure 15 – Information asked by C2

The C2 asks for files with the extensions .txt, .doc and file name containing key, wallet & seed from Desktop, Documents. Then it asks for different browser data that are stored in the AppData folder.

It also asks the host for crypto wallet information if any present in the host machine.

Then the host responds to the C2 by sending data. It first sends information about the host.

Figure 16 – Time & OS information

After that it sends information about the host’s hardware.

Figure 17 – Hardware information

Then it sends information about the software in the host.

Figure 18 – Software information

And then the information about the current running processes are sent to the C2.

Figure 19 – Current running processes

The host then sends information about the browsers installed in the host.

Figure 20 – Installed browser details

After that it sends every file with the extensions .txt and .doc to the C2. We tested it by creating a dummy .txt file and we can see it in the Wireshark capture.

Figure 21 – Sending the decoy text file to the C2

We at K7 labs provide detection against such threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard their devices.


File Name: Love men

Hash : f510047d3e06f51cc81d0ad54c5fe079

Detection Name :  Trojan ( 0059ec2a1 )

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “RedLine Stealer spreading through OneNote”