Malware analysis - Sharpil RAT (Infostealer Series)


Background

The Russian-speaking cybercrime underworld has been on the rise for several years now. This multi-million-dollar market attracts hundreds of individuals with varying levels of malware development skills.

As shown by Anna Lvova on gdata.pt, this early-stage Remote Access Trojan sample with Infostealer capabilities was first reported on April 17, 2024 by Yogesh Londhe on X. It features a limited set of functionalities and virtually no obfuscation. According to Cybersecsentinel, it has been distributed via phishing emails, deceptive ads and CVE exploitation.

Figure(1): The Telegram channel of Sharp Stealer. The price, at the time of gdata’s post, was $10 (rent) and $30 (lifetime) (via gdata.pt)


It seems to be linked to the Sharpil Stealer, which we were unable to analyze because that sample was unavailable.

Static Analysis

Figure(2): PE file, C#/.NET binary, 5.5 entropy


Strings

Figure(3)


Since this is an unobfuscated C#/.NET binary, we can try our luck and search the strings for plaintext URLs/domains. Grepping for “http”, we immediately find a Telegram “bot” URL, an API URL for a Minecraft server provider (vimeworld) and multiple IP retrieval APIs.

Imports

Figure(4)


In the import table, besides the HTTP-related functions, we also find process enumeration methods and functions related to cookies, VPNs and social networks, among others.

Code Analysis

In the main function, we can see it downloading a string from a Telegram bot (the C&C), which carries the actual commands received from the operator.

Figure(5): Loop polling for commands received from the operator


Commands

Let’s analyze the RAT’s functionality based on the commands it can receive and process: Browser, System, Return, Exit and Show Command.

  • Browser

Figure(6)


It checks whether several known browser folders exist under LocalData or AppData. If they do, it sends a message to the operator. It does not exfiltrate any files, credentials or other data from these directories.

  • System

Fetches system information (OS version, host name, username, processor ID, CPU name, GPU name, MAC address, BIOS caption, and more) plus clipboard data.

Figure(7)


Figure(8)


That data is written to a file called “Information.txt”, which is then sent to the Telegram C2.

Figure(9)


  • Return

It resets/restarts the RAT.

Figure(10)


  • Exit

Terminates the process.

Figure(11)


  • Show command

It functions like a --help flag, listing all the commands that the RAT accepts.

Figure(12)


Exfiltration

Two methods allow the RAT to exfiltrate data.

  • The SendMessage method exfiltrates string data to the Telegram bot.

Figure(13)


  • SenderAPI.POST is used when actual file data needs to be exfiltrated.

Figure(14)


Indications of Further Feature Development

This particular version is extremely simple and at an early stage. However, as mentioned earlier, the developer clearly intended to continue its development: the “Counting” class references potential future targets such as cookies, passwords, credit cards, bookmarks, Steam cookies, wallets and many others.

Figure(15)


Basic Dynamic Analysis

Observing the network traffic and the process activity, we see the call to the Telegram API over HTTPS (multiple calls, in fact, since it runs in a loop).

Figure(16)


Figure(17)
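As an added example (not code from the original analysis), the following Python turns two observations above into defender checks: it pulls Telegram Bot API endpoints and bot IDs out of a strings dump, as done in the Strings section, and flags hosts whose proxy logs show the repeated getUpdates polling seen in the dynamic analysis. The log line format, host names, process names and bot token are constructed placeholders, not the IoCs of this sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Telegram Bot API URL shape seen in the sample's strings:
# https://api.telegram.org/bot<bot_id>:<token>/<method>
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")

def extract_bot_endpoints(strings):
    """Return (bot_id, method) pairs for every Bot API URL in a strings dump."""
    return [(m.group(1), m.group(3))
            for s in strings for m in BOT_URL_RE.finditer(s)]

def find_polling_hosts(log_lines, min_hits=5, window=timedelta(minutes=5)):
    """Flag (host, process, bot_id) triples that call getUpdates at least
    min_hits times within `window`; the RAT's command loop appears as steady
    polling of one bot id. Log format (constructed for this example):
    '<ISO timestamp> <src_host> <process> <url>'."""
    hits = defaultdict(list)
    for line in log_lines:
        ts, host, proc, url = line.split(maxsplit=3)
        m = BOT_URL_RE.search(url)
        if m and m.group(3) == "getUpdates":
            hits[(host, proc, m.group(1))].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in hits.items():
        times.sort()
        # any min_hits consecutive requests inside the window count as beaconing
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= window:
                flagged[key] = len(times)
                break
    return flagged

# Constructed sample data; bot id and token are placeholders, not the IoC.
TOKEN = "bot1234567890:EXAMPLE_TOKEN_PLACEHOLDER_0000000"
SAMPLE_STRINGS = [f"https://api.telegram.org/{TOKEN}/getUpdates",
                  f"https://api.telegram.org/{TOKEN}/sendMessage",
                  "http://ip-api.com/json"]
_base = datetime(2024, 4, 17, 10, 0, 0)
SAMPLE_LOG = [f"{(_base + timedelta(seconds=30 * i)).isoformat()} ws-01 updater.exe "
              f"https://api.telegram.org/{TOKEN}/getUpdates" for i in range(6)]
SAMPLE_LOG += [f"{_base.isoformat()} ws-03 svc.exe https://api.telegram.org/{TOKEN}/getUpdates",
               f"{(_base + timedelta(seconds=10)).isoformat()} ws-03 svc.exe https://api.telegram.org/{TOKEN}/getUpdates",
               f"{_base.isoformat()} ws-02 bot.exe https://api.telegram.org/{TOKEN}/sendMessage"]

if __name__ == "__main__":
    print(extract_bot_endpoints(SAMPLE_STRINGS))
    print(find_polling_hosts(SAMPLE_LOG))
```

The threshold and window are tunable; a legitimate in-house bot that polls getUpdates will also trip this, so the process name in the flagged triple is what separates it from an unexpected binary.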


IoCs

URLs: hxxps://api.telegram[.]org/bot7057429288:AAHYl5_27YU1Yjmuj33WKOqLVSgYtq3n-8k/getUpdates

SHA256: 1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef