Remoting software has been abused over the years with varying degrees of maliciousness; from Ammyy Admin con jobs, TeamViewer vulnerabilities, to today’s Zoombombing. The fact that most of these remote software have been whitelisted by AV vendors and that they can be run without the victim ever knowing about it, makes the problem even worse.

This blog gets into the technicalities of how TeamViewer is used to deliver ClipBanker Trojan and RedLine Password Stealer to the victim’s system. Here, we would be analysing the Password Stealer’s activity only. While tracking the activities of some malware, we stumbled upon a Bitbucket repository that was hosting some fake App installers which was uploaded by the user “Jorik” as depicted in Figure 1. Looking at the upload dates of the installers it is clear that the threat actor had been engaged in this activity since Feb 2020.

Figure 1: Bitbucket Repository

These fake installers are Inno Setup installers that require a password to install the appropriate files and all of this is done without the victim’s knowledge by using a parameter called verysilent as depicted in Figure 2. All the files that were dropped are depicted in Figure 3.

Figure 2: Password for Installer
Figure 3: Dropped Binaries

Once these files were dropped, a folder named PlayReady is created under %appdata% and all the dropped files are copied to this location using xcopy command and then a file named wmiprvse.exe is executed. This execution is done by using a bat file as depicted in Figure 4.

Figure 4: bat file

The wmiprvse.exe seen in the above image is actually a TeamViewer binary that has been renamed as “Wmiprvse.exe” in order to blend in with the crowd as this name is generally found in the list of running processes in all modern systems. When executed on its own, it does not perform any malicious activity because it is a legitimate file that loads msi.dll from System32 folder which is also a legit file. However in this case, when wmiprvse.exe is executed, it loads the msi.dll that comes with this malicious package instead of the legitimate file from System32. During execution, the control is given to the malicious msi.dll which is then responsible for contacting the malicious URL tg[.] as depicted in Figure 5.

Figure 5: Contacting Malicious URL

This URL is more like an ini file which gives us another URL as depicted in Figure 6. The 2nd URL is the one that is hosting the malware like RedLine Password Stealer and ClipBanker.

Figure 6: Content of tg[.]

The Redline Password Stealer is actually a MSIL compiled file. There are many packers/compressors and obfuscators out in the wild for MSIL based files, such as the Confuser Packer, SmartAssembly Packer, etc. In fact, Redline Password Stealer is using SmartAssembly Packer and can be deobfuscated by using the de4dot tool as depicted in Figure 7.

Figure 7: RedLine Stealer Obfuscated using SmartAssembly 

When the RedLine Password Stealer is executed, it first reports to the C2 at  http[:]//95[.]181.172.34:35253/IRemotePanel as depicted in Figure 8. The C2  instructs the RedLine client to GrabBrowsers, GrabFTP, GrabFile, GrabImClients, GrabScreenshot, GrabSteam, GrabPath for files ending with the extension *.txt, *.doc, *.key, *wallet, *seed in location %desktop% & %userprofile%. The response from the C2 also consisted of a list of blacklisted country names retrieved from schemas[.] This resource was not only outdated but when we accessed it there was also no content in it.

Figure 8: C2 Contact

The buildid of the client is mentioned as loshariki as depicted in Figure 9.

Figure 9: BuildId and user name

Apart from reporting to the C2 panel, it also contacts two other URLs, one of which is The intent of this contact is unclear till now. When the URL pattern is requested, it gives question id and answer id of the recent question and answers posted on the stack exchange along with the user name and account information as depicted in Figure 10.

Figure 10: Contacts

At the time of writing this blog, there were at least 40 unique submissions of the RedLine Password Stealer in VirusTotal for the past 30 days which connects to stack exchange and this suggests that the threat actor has been very active till date. We at K7 computing have detection for all such malware and tools. As we always recommend, use a reputed security product such as K7 Total Security to stay safe from any cyber threats.

Indicators of Compromise (IoCs)

MD5File NameK7 Detection Name
92c266fc98140a485fb46d6cc41fc0fcEarnCash.exe (installer)Trojan ( 005707621 )
7BB6B658088CD69DCA087E3A3F54AD73log2.exe (RedLine RAT)Riskware ( 0040eff71 )
759619A63D8E77772F9885204D071574msi.dllSpyware ( 005642861 )
92cec63e095be5beb1029220cb585144cli.exeTrojan ( 0056b5471 )
a5ac516f5d19428956a862795f1931b1red.exe (RedLine RAT)Trojan ( 0057124f1 )



Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “TeamViewer Abused to Deliver RedLine Stealer”