BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
3
Global rank
3
Month rank
4
Week rank
3083
IOCs

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Stealer
Type
ex-USSR
Origin
1 March, 2020
First seen
3 December, 2023
Last seen
Also known as
RedLine

How to analyze RedLine Stealer with ANY.RUN

Type
ex-USSR
Origin
1 March, 2020
First seen
3 December, 2023
Last seen

IOCs

IP addresses
194.49.94.152
82.115.223.72
38.47.221.193
45.15.156.142
176.123.7.190
185.222.58.243
185.216.70.238
91.121.67.60
135.181.129.119
194.169.175.128
185.65.105.197
68.67.203.28
194.49.94.77
91.215.85.23
193.233.132.35
45.15.156.167
185.222.58.246
77.232.39.164
194.33.191.60
77.91.124.86
Hashes
f9056423f67ae129475439f61196d0984078f779d819b2af21c33ca45aea3fa9
5f6fa4e0c24db73f81b5452397048174f0e779fc928b501aa288582a2472313c
ca09c4f29fe69c9cc1dca4cf640967329141a2ee7105cdf078abccf14c8edb58
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
24cde54ffb4f5c5f97204d3614e71a50c5fef9f9d495487eb90707a951c20b8a
e38d2e806efa284c129eca4aff2e81c6cc43f969c5603c2d48efda1a333746e6
412b00137253a3817f4987e250de0369a059626354f10522066c9b8f1455fece
3f9c5c35a9b26d717aaebefd7b8eb13cea876b7f561c247a49715307faa47ca4
2e4b184350f61fa493169ca820d9c488fd4c0dd4891d2bcc82b1d7cad137d4a4
71f7970d426cd684d6154eab67f0e7d5b494fea5bdf259d740d28732d0c9c3f9
0c017bce5477eed16c605172b78830e2b66398fbb882cb6582c316affc433751
976c94dae627a4899b4501b221c74558e965d29b9fbc6689060f44f93bb7426c
5fd7d8a189dd4e5cb0005d48508b4e6f88fe07550c83d3ac110656a8b558d3f5
9e8826ee49dd1fed2e144a48b659b44e3f9a65f9d90923994a231b9d672fa32d
f420b4771c951c07e8d8f91727edf3069f72d9d28b656748bb5f0e719c3067f4
d278fdd82c7df98c9b192b792355009c5e8c8fb8e4ba3a5f3d386b9d28c6e114
186edb45927e558b144a195c5aff382c7f884c08c36c80dff5a2c370bc4c0034
2e3eacc221560bc297574bd30da52d559ae466c2896ac783f9b2512fa2e69fcd
c454abdc581957189592bde41ef58f216e3a5495960ac162ab21a6380495c0b3
786ca1c46954b78190caa40868fe5155618bc5ea6e7a3acb325fe1f2eba6aec3
Domains
6.tcp.eu.ngrok.io
0.tcp.eu.ngrok.io
2.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
7.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
bonezarisor.xyz
s3r.ompan.top
m6o.braavaw.top
popshues.top
4.tcp.ngrok.io
daddy.linkpc.net
hidden.locati.top
mydesignht.onthewifi.com
6.tcp.ngrok.io
afgantrophy.top
vikaneleneer.shop
isahelyria.site
mcth.xyz
copy-marco.gl.at.ply.gg
URLs
http://185.222.58.246:55615/
http://185.222.58.69:55615/
http://194.49.94.11/
http://91.92.241.80:1337/
http://5.tcp.eu.ngrok.io:15426/
http://45.137.22.146:55615/
http://45.137.22.229:55615/
http://45.137.22.113:55615/
http://185.222.58.55:55615/
http://45.137.22.168:55615/
http://185.222.58.238:55615/
http://45.137.22.107:55615/
http://45.137.22.177:55615/
http://45.137.22.152:55615/
http://copy-marco.gl.at.ply.gg:51589/
http://raizen.serveftp.com:48770/
http://jul-nelson.gl.at.ply.gg:47198/
http://103.202.55.51:55615/
http://185.241.208.44:35361/
http://siyatermi.duckdns.org:17044/
Last Seen at

Recent blog posts

3 Cybersecurity Events ANY.RUN Attended in No...
watchers 142
comments 0
5 malware threats we discovered in the wild i...
watchers 345
comments 0
RisePro Malware Analysis: Exploring C2 Commun...
watchers 2314
comments 0

What is RedLine Stealer?

RedLine Stealer or RedLine is malware that can collect users’ confidential information and deliver other malicious programs. The availability and flexibility of the stealer cause financial loss, data leakage, targeting both enterprise and personal devices. Healthcare and manufacturing sectors suffer the most from these attacks.

The malware appeared in March 2020 according to the Proofpoint investigation. Since then RedLine has just gained steam. It was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on the legit-looking website that provides privacy tools. However, based on the payload analysis, only malware can be found there.

General description of RedLine malware

RedLine is an infostealer that takes information about users from browsers, systems instant messaging, and file transfer protocol clients. The main target is passwords, credit card information, username, location, autofill data, cookies, software set, and even hardware configuration like keyboard layout, UAC settings, etc. The virus is also capable of stealing cryptocurrency.

The malicious program acts as a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Moreover, attackers make use of RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is quite popular as there is no problem finding it. Underground forums, C&C panels offer different options such as malware-as-a-service versions or a subscription. The price varies from $100 to $200.

One cannot tell that RedLine Stealer is a sophisticated malware like ransomware. It has the usual features typical for this family. However, it is .Net malware written in C# and the code quality is high enough to reveal an experienced programmer behind it. Cybercriminals also work hard to update malware, like downloading secondary payloads and advanced filtering features.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch the RedLine in action in an interactive sandbox simulation

redline stealer process graph

Figure 1: Displays the lifecycle of RedLine in a visual form as a process graph generated by ANY.RUN

redline stealer report

Figure 2: A customizable text report generated by ANY.RUN allows users to take an even deeper look at the malware and helps to share the research results.

RedLine Stealer execution process

Typically the execution process of that stealer is plain and straightforward. Based on the analysis, the main binary launches itself and the parent process stops. It also may be dropped from another binary or be the main binary itself. When a child process is created, the main malicious activity starts – RedLine collects information from the infected system such as passwords and others, and sends it to the Command & Control panel. When all information is collected and sent, the stealer just quits execution. Stolen information is sent in both non-encrypted and base64 encoded formats.

Distribution of RedLine

Attackers are not very creative with the delivery method of the virus. However, as the ransomware story, the method works perfectly – social engineering for different email campaigns including business email compromise, spam, fake updates, ads in Google result in malicious attachments or links. We can notice the big variety of file formats here:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

If you open the files in the attachment, RedLine will download other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

At the moment, analysts can quickly recognize the info stealer because it will be tagged after Suricata IDS rules are triggered. Since the malicious program sends the stolen info to its panel just right after the start of the execution, it won't take a lot of time.

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that get into your email. Your staff should be aware that even trustworthy sources can lead to infection and password or other credentials’ theft. It won’t take long to check a file in a sandbox such as ANY.RUN. Several minutes will be enough to detect RedLine and you will be good to go. Stay safe.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy