Identified by @g0njxa, RootTeam is a GO stealer that can be built via the Telegram channel
https[:]//t[.]me/rootteam_bot. It has been confused with Bandit Stealer, another GO stealer with similar functionality.
- RootTeam Stealer and overlap issues on Bandit Stealer rule detection
- Technical Analysis of Bandit Stealer
- RootTeam builder exposed on twitter
- New Info Stealer Bandit Stealer Targets Browsers, Wallets
- Yogesh Londhe tweet about the stealer
- GO IDA parser (works well!)
The sample is being delivered via this URL
The sample poses as free software and is delivered in a password-encrypted ZIP file. The password provided is
2023. To infect themselves the victim must first download the sample, then unzip it using the provided password, and then launch the unzipped Setup.exe.
The Setup.exe PE file has a resource named
OUTPUT_BIN that contains shellcode and the encrypted stealer payload. The shellcode has two stages. The first is a simple obfuscation function that decrypts the second stage. The second stage is an XOR decryption loop that decrypts the final payload.
The decrypted payload is also UPX packed. Once unpacked the final RootTeam stealer is revealed.
The stealer method names and strings can be recovered using the IDA GO tool go_parser. Once recovered, the functionality of the stealer can be determined from the stealer function names, which are prefixed with
RootTeamStl_. The strings are in plaintext, including the C2 URLs.
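As an added example (not code from this write-up or from the RootTeam sample), the Python below mirrors the last two analysis steps: brute-forcing a single-byte XOR key over the OUTPUT_BIN payload until a UPX-packed PE appears, then listing the RootTeamStl_ prefixed Go function names from the unpacked binary. The one-byte key, the fake PE bytes and the placeholder function names are constructed assumptions; the real key, offsets and names are not reproduced here.

```python
import re

# Constructed sample, not the real OUTPUT_BIN: a minimal fake PE carrying UPX
# section names and two placeholder Go symbol names with the RootTeamStl_ prefix.
FAKE_PAYLOAD = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20
    + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36
    + b"main.RootTeamStl_ConstructedExampleA\x00"
    + b"main.RootTeamStl_ConstructedExampleB\x00"
)
SAMPLE_KEY = 0x5A  # constructed; the real key length and value are not on the page


def xor_decrypt(blob: bytes, key: int) -> bytes:
    """Single-byte XOR, mirroring the shape of the second-stage loop
    (a one-byte key is an assumption made for this example)."""
    return bytes(b ^ key for b in blob)


def looks_like_upx_pe(data: bytes) -> bool:
    """Post-decryption check: MZ stub, PE signature and UPX0/UPX1 section names."""
    return (data[:2] == b"MZ" and b"PE\x00\x00" in data
            and b"UPX0" in data and b"UPX1" in data)


def recover_payload(encrypted: bytes):
    """Try every one-byte key and stop at the first UPX-packed PE.
    Returns (key, decrypted_bytes) or None when no key fits."""
    for key in range(256):
        candidate = xor_decrypt(encrypted, key)
        if looks_like_upx_pe(candidate):
            return key, candidate
    return None


def stealer_function_names(unpacked: bytes) -> list:
    """Go keeps function names as plaintext in the binary, so the RootTeamStl_
    prefixed names can be listed with a regex once the UPX layer is removed."""
    return sorted(set(m.decode() for m in re.findall(rb"RootTeamStl_\w+", unpacked)))


if __name__ == "__main__":
    encrypted = xor_decrypt(FAKE_PAYLOAD, SAMPLE_KEY)
    key, payload = recover_payload(encrypted)
    print(f"recovered key 0x{key:02x}, UPX-packed PE of {len(payload)} bytes")
    # UPX unpacking (e.g. `upx -d`) would happen here; the fake payload is not
    # really compressed, so the names are searched in it directly.
    print(stealer_function_names(payload))
```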