Overview

Identified by @g0njxa, RootTeam is a Go stealer that can be built via a Telegram channel, https[:]//t[.]me/rootteam_bot. It has been confused with Bandit Stealer, another Go stealer with similar functionality.

The sample we are triaging came from a @James_inthe_box Twitter post with a link to the sample on AnyRun.

References

Sample

The sample is being delivered via this URL: https[:]//telegra[.]ph/Dead-Space-Remake-PC-Download-For-Free-07-07 (AnyRun).

Delivery

Stage 1 - Setup.zip

The sample poses as free software and is delivered in a password-protected ZIP file; the password provided is 2023. To infect themselves, the victim must first download the sample, unzip it using the provided password, and then launch the unzipped Setup.exe file.

  • Setup.zip 88a44f77d9216b4c285329f5f13bcd948bca61e1b9bb4dafb541cc6ea68ce311
  • Setup.exe 9de0dfcf9baf669811374d2f6ed0a1182df8d0254cd210f6f2883c659014de5a Malshare

Stage 2 - Shellcode

The Setup.exe PE file has a resource named OUTPUT_BIN that contains shellcode and the encrypted stealer payload. The shellcode has two stages: the first is a simple obfuscation function that decrypts the second stage, and the second is an XOR decryption loop that decrypts the final payload.

UPX Payload

The decrypted payload is also UPX packed. Once unpacked the final RootTeam stealer is revealed.
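Because the XOR loop's output is a UPX-packed PE, the key can be recovered from known plaintext (the DOS header) and the result checked for UPX section names. The script below is an added example, not code from this write-up or from the sample; the key, its length, the fake payload and the 16-byte key-length ceiling are constructed assumptions, and it generalizes the single loop described above by trying several key lengths.

```python
from itertools import cycle
from typing import Optional, Tuple

# Standard DOS-stub start of a PE image, used as known plaintext. Real headers can
# differ after the first few bytes, so adjust this to the target if recovery fails.
MZ_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same loop both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, key_len: int, known: bytes = MZ_HEADER) -> bytes:
    """Derive a repeating XOR key of key_len bytes from the known leading plaintext."""
    if key_len > len(known):
        raise ValueError("known plaintext is shorter than the requested key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known[:key_len]))

def looks_like_upx_pe(data: bytes) -> bool:
    """The decrypted payload should be a PE that still carries its UPX section names."""
    return data[:2] == b"MZ" and b"UPX0" in data and b"UPX1" in data

def decrypt_payload(ciphertext: bytes, max_key_len: int = 16) -> Optional[Tuple[bytes, bytes]]:
    """Try key lengths 1..max_key_len; return (key, plaintext) once a UPX-packed PE appears."""
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ciphertext, key_len)
        plaintext = xor_bytes(ciphertext, key)
        if looks_like_upx_pe(plaintext):
            return key, plaintext
    return None

# Constructed stand-in for the encrypted resource: a fake UPX-packed PE skeleton
# encrypted under a constructed 7-byte key (neither value comes from the real sample).
SAMPLE_KEY = b"\x13\x37\xc0\xde\x42\x99\x01"
FAKE_PE = (MZ_HEADER + b"\x00" * 48 + b"PE\x00\x00" + b"\x00" * 200
           + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36)
ENCRYPTED_RESOURCE = xor_bytes(FAKE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    result = decrypt_payload(ENCRYPTED_RESOURCE)
    if result is None:
        print("no key length up to 16 produced a UPX-packed PE")
    else:
        key, plaintext = result
        print(f"recovered key: {key.hex()} ({len(key)} bytes), payload {len(plaintext)} bytes")
```

On a real dump, replace ENCRYPTED_RESOURCE with the bytes that follow the shellcode in OUTPUT_BIN and hand the recovered plaintext to upx -d.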

Analysis

e0cd16b3de1f8b6c91b3483e383199f691e935d3d4e1ed9e77f6f9aea929b68b

The stealer's method names and strings can be recovered using the IDA Go tool go_parser. Once recovered, the functionality of the stealer can be determined from the function names prefixed with RootTeamStl_. The strings are in plaintext, including the C2 URLs:

  • http[:]//5.42.66[.]26/api/report
  • http[:]//5.42.66[.]26/upload/