def extract()

in nightMARE/src/nightmare/malware/redlinestealer/configuration.py [0:0]


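def extract(data: bytes) -> dict[str, str] | None:
    """
    Extracts configuration from a RedLine Stealer sample.

    The configuration block is located with ``CONFIG_RULE``; three user-string
    tokens (ip, id, XOR key) are then read at fixed offsets past the match,
    resolved through the ``#US`` stream, and the two encrypted fields are
    decrypted with the key.

    :param data: The content of a RedLine Stealer sample.

    :return: The configuration extracted in a dictionary format of ip, id and
             xor_key. None if the sample cannot be parsed, the configuration
             pattern is absent, or the decrypted strings are not valid UTF-8
             (e.g. a false-positive match or a wrong key).
    """
    pe = dotnetfile.DotNetPE(data)
    if not pe:
        return None
    us_stream_data = __get_stream_data(pe, "#US")
    config_match = CONFIG_RULE.match(data=data)
    if not config_match:
        return None
    config_offset = __get_match_offset(config_match)

    def user_string_at(field_offset: int):
        # Only 3 bytes of the token are read, presumably the #US offset part
        # of a 4-byte ldstr token with its table tag byte dropped — confirm
        # against cast.u32's handling of short input.
        token_start = config_offset + field_offset
        return __get_user_string(
            us_stream_data, cast.u32(data[token_start : token_start + 3])
        )

    encrypted_ip = user_string_at(IP_OFFSET)
    encrypted_id = user_string_at(ID_OFFSET)
    xor_key = user_string_at(XOR_KEY_OFFSET)
    try:
        ip = __decrypt_string(encrypted_ip, xor_key).decode("utf-8")
        bot_id = __decrypt_string(encrypted_id, xor_key).decode("utf-8")
    except UnicodeDecodeError:
        # Garbage out of the XOR means the match or key was wrong; honour the
        # documented "None on failure" contract instead of propagating.
        return None

    return {"ip": ip, "id": bot_id, "xor_key": xor_key}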