BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
4
Global rank
8 infographic chevron month
Month rank
8 infographic chevron week
Week rank
0
IOCs

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Stealer
Type
ex-USSR
Origin
1 March, 2020
First seen
14 September, 2024
Last seen
Also known as
RedLine

How to analyze RedLine Stealer with ANY.RUN

Type
ex-USSR
Origin
1 March, 2020
First seen
14 September, 2024
Last seen

IOCs

IP addresses
198.12.90.244
185.215.113.16
185.215.113.17
95.179.250.45
38.180.109.140
193.161.193.99
185.215.113.67
147.45.47.192
41.216.183.150
185.215.113.22
185.196.9.26
77.83.175.241
185.203.241.68
65.21.18.51
188.34.194.107
212.162.149.159
57.128.132.216
77.91.124.86
94.228.166.68
45.15.156.127
Hashes
3846491721b4e93c91fe3479cebb3d529dd9e73e6d371eec7fe8479bf2275925
c5d7031fbdf91e51914e466bdf7d23aab84a03c51195cb8e985347e86d77c8aa
4b42312ba8d78a9c8d45d03b92fe1f4eb43dd67ff0014fa263f29b537a6b4819
16daceb6077397737d36710ea560378df436dd3034134a25bf96a939594f5e49
c95c0658ba155437043f658e02d9df92b8fff98e4ace3e01e1826ea5cb4501f6
5ad941ef965799b116e49c2468f4c06148fbf7616127fb359982bbf071a09a26
1977e417e574af8be6c72e29b397434751b787b7d5c1b3d90d3b73459587d7e0
5d50a1577ee0791e7aba6bf8e679b4795d533a3daa54177ce8a0ec25cc8d3df2
4764b12d77cf75edd197f0b9de892a39a4024d6dd595f60b50afbf72850f7306
906f05d393fb44d249717c7cae76b8df9c9618c14a5a5987617901d688d17f74
d1f956f356ecc94fb6128c489a768830be48bc7bb163ef7c541369573034dd35
60543f63bdb95aa5eb03e848218983566c48fac35caa005209214b7ea70e5c09
c911ac775e74a5d1c218e24cf546a07fcb2e7494af88f0f7db723dfabc72d4ed
a79c009161c79ceb92347094b72a5158091a8e547ecf39e925b45c75d319ceda
ddad760e7a0c1005b5ac2ffd71d57bdd02a0140be88cdeef9c2b3ee34941ea98
4626dcf98e2ab16c4de3dd287cf345a810d84f547ae6f926a8f477d547a9a0b1
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6
a422b46648f7a3684ef7aad22069f07a6f4875f3a227796e46e5c439ba6a4d44
ac7432f71444fc21a37196920b1768803813bae3d9b516d6fb170d49172ff60e
dcece61aed7806cf8292baabb6fda7c0bedca94b3626f4323b32d5574e11e792
Domains
0.tcp.eu.ngrok.io
server.underground-cheat.xyz
4.tcp.eu.ngrok.io
4.tcp.ngrok.io
7.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
hoopertino12.top
djpopertop.top
young-mailto.gl.at.ply.gg
2.tcp.eu.ngrok.io
daddy.linkpc.net
6.tcp.ngrok.io
duclog23.duckdns.org
billred229102.duckdns.org
thomas-partly.gl.at.ply.gg
amrican-sport-live-stream.cc
strategy-surfing.gl.at.ply.gg
pst-child.gl.at.ply.gg
list-enjoyed.gl.at.ply.gg
microsoft-andreas.gl.at.ply.gg
URLs
http://185.222.58.233:55615/
http://91.92.253.107:1334/
http://45.137.22.239:55615/
http://185.222.57.91:55615/
http://45.137.22.169:55615/
http://45.137.22.171:55615/
http://194.49.68.19:4483/
http://45.137.22.179:55615/
http://62.113.117.95:29928/
http://45.137.22.164:55615/
http://154.91.0.57:28105/
http://51.222.21.20:1334/
http://45.66.231.184:1334/
http://51.89.201.41:29254/
http://duclog23.duckdns.org:37552/
http://212.224.93.60:51914/
http://204.14.75.2:16383/
http://billred229102.duckdns.org:26546/
http://143.244.169.95:16383/
http://185.222.57.151:55615/
Last Seen at
Last Seen at

Recent blog posts

post image
ANY.RUN Now Integrates with Splunk!
watchers 314
comments 0
post image
How to Analyze Malware in ANY.RUN Sandbox: Er...
watchers 363
comments 0
post image
Security Training Lab: Educational Program fo...
watchers 1160
comments 0

What is RedLine Stealer?

RedLine Stealer or RedLine is malware that can collect users’ confidential information and deliver other malicious programs. The availability and flexibility of the stealer cause financial loss, data leakage, targeting both enterprise and personal devices. Healthcare and manufacturing sectors suffer the most from these attacks.

The malware appeared in March 2020 according to the Proofpoint investigation. Since then RedLine has just gained steam. It was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on the legit-looking website that provides privacy tools. However, based on the payload analysis, only malware can be found there.

General description of RedLine malware

RedLine is an infostealer that takes information about users from browsers, systems instant messaging, and file transfer protocol clients. The main target is passwords, credit card information, username, location, autofill data, cookies, software set, and even hardware configuration like keyboard layout, UAC settings, etc. The virus is also capable of stealing cryptocurrency.

The malicious program acts as a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Moreover, attackers make use of RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is quite popular as there is no problem finding it. Underground forums, C&C panels offer different options such as malware-as-a-service versions or a subscription. The price varies from $100 to $200.

One cannot tell that RedLine Stealer is a sophisticated malware like ransomware. It has the usual features typical for this family. However, it is .Net malware written in C# and the code quality is high enough to reveal an experienced programmer behind it. Cybercriminals also work hard to update malware, like downloading secondary payloads and advanced filtering features.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch the RedLine in action in an interactive sandbox simulation

redline stealer process graph

Figure 1: Displays the lifecycle of RedLine in a visual form as a process graph generated by ANY.RUN

redline stealer report

Figure 2: A customizable text report generated by ANY.RUN allows users to take an even deeper look at the malware and helps to share the research results.

RedLine Stealer execution process

Typically the execution process of that stealer is plain and straightforward. Based on the analysis, the main binary launches itself and the parent process stops. It also may be dropped from another binary or be the main binary itself. When a child process is created, the main malicious activity starts – RedLine collects information from the infected system such as passwords and others, and sends it to the Command & Control panel. When all information is collected and sent, the stealer just quits execution. Stolen information is sent in both non-encrypted and base64 encoded formats.

Distribution of RedLine

Attackers are not very creative with the delivery method of the virus. However, as the ransomware story, the method works perfectly – social engineering for different email campaigns including business email compromise, spam, fake updates, ads in Google result in malicious attachments or links. We can notice the big variety of file formats here:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

If you open the files in the attachment, RedLine will download other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

At the moment, analysts can quickly recognize the info stealer because it will be tagged after Suricata IDS rules are triggered. Since the malicious program sends the stolen info to its panel just right after the start of the execution, it won't take a lot of time.

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that get into your email. Your staff should be aware that even trustworthy sources can lead to infection and password or other credentials’ theft. It won’t take long to check a file in a sandbox such as ANY.RUN. Several minutes will be enough to detect RedLine and you will be good to go. Stay safe.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More