RedLine Stealer

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Type: Stealer
Origin: ex-USSR
First seen: 1 March, 2020
Last seen: 27 June, 2022
Also known as: RedLine
Global rank: 4
Week rank: 1
Month rank: 1
IOCs: 27094

What is RedLine Stealer?

RedLine Stealer, or RedLine, is malware that collects users’ confidential information and delivers other malicious programs. The availability and flexibility of the stealer make it a frequent cause of financial loss and data leakage, with both enterprise and personal devices targeted. Healthcare and manufacturing sectors suffer the most from these attacks.

According to the Proofpoint investigation, the malware appeared in March 2020, and RedLine has only gained steam since. It was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on a legitimate-looking website offering privacy tools; however, payload analysis showed that only malware could be found there.

General description of RedLine malware

RedLine is an infostealer that collects information about users from browsers, the system, instant messaging clients, and file transfer protocol (FTP) clients. Its main targets are passwords, credit card information, usernames, location, autofill data, cookies, the installed software set, and even hardware configuration such as keyboard layout and UAC settings. The stealer is also capable of stealing cryptocurrency.

The malicious program acts as a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Moreover, attackers make use of RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is quite popular, partly because it is easy to obtain: underground forums and C&C panels offer different options, such as a malware-as-a-service version or a subscription, with prices ranging from $100 to $200.

RedLine Stealer cannot be called sophisticated malware in the way ransomware often is; it has the usual features typical of this family. However, it is .NET malware written in C#, and the code quality is high enough to suggest an experienced programmer behind it. Its operators also keep updating the malware, adding features such as downloading secondary payloads and advanced filtering.

RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch RedLine in action in an interactive sandbox simulation.


Figure 1: Displays the lifecycle of RedLine in a visual form as a process graph generated by ANY.RUN


Figure 2: A customizable text report generated by ANY.RUN allows users to take an even deeper look at the malware and helps to share the research results.

RedLine Stealer execution process

Typically the execution process of this stealer is plain and straightforward. Based on the analysis, the main binary launches itself and the parent process stops. The binary may also be dropped by another binary, or be the main binary itself. Once the child process is created, the main malicious activity starts: RedLine collects information from the infected system, such as passwords, and sends it to the Command & Control panel. When all information has been collected and sent, the stealer simply quits. Stolen information is sent in both non-encrypted and base64-encoded formats.

Distribution of RedLine

Attackers are not very creative with the delivery method. However, as with ransomware, the method works well: social engineering across email campaigns, including business email compromise, spam, fake updates, and ads in Google results, leads to malicious attachments or links. A wide variety of file formats is used:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

If the attached file is opened, RedLine will download other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

At the moment, analysts can quickly recognize the infostealer because the sample is tagged as soon as Suricata IDS rules are triggered. Since the malicious program sends the stolen information to its panel right after execution starts, this does not take long.
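As an added illustration of the lifecycle from the execution-process section (self-relaunch, parent exits, child posts data in plaintext or base64) and of the detection idea above, the following Python flags outbound POSTs from a process spawned by a same-image parent that has since exited. This is example code written for this page, not ANY.RUN's or the malware's; the event shapes and all sample events are constructed assumptions.

```python
import base64
import re
from collections import namedtuple

# Sandbox-style events: process start/exit and outbound HTTP requests (shapes assumed here).
ProcEvent = namedtuple("ProcEvent", "pid ppid image action")   # action: "start" | "exit"
NetEvent = namedtuple("NetEvent", "pid method body")

# Heuristic for a bare base64 blob: a long run of the base64 alphabet plus optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def self_relaunch_children(events):
    """Return pids of children whose parent ran the same image path and has since exited."""
    image, parent, exited = {}, {}, set()
    for ev in events:
        if ev.action == "start":
            image[ev.pid], parent[ev.pid] = ev.image, ev.ppid
        elif ev.action == "exit":
            exited.add(ev.pid)
    return {pid for pid, ppid in parent.items()
            if ppid in exited and image.get(ppid) == image[pid]}

def classify_body(body):
    """'base64' if the body is one decodable base64 blob, otherwise 'plaintext'."""
    if B64_RE.match(body):
        try:
            base64.b64decode(body, validate=True)
            return "base64"
        except ValueError:      # binascii.Error is a ValueError subclass
            pass
    return "plaintext"

def flag_redline_like(procs, nets):
    """Flag POSTs from a self-relaunched child: the collect-and-send step described above."""
    suspects = self_relaunch_children(procs)
    return [(n.pid, classify_body(n.body))
            for n in nets if n.pid in suspects and n.method == "POST"]

# Constructed sample (not real telemetry): invoice.exe relaunches itself, the parent exits,
# and the child posts the same data twice, once base64-encoded and once in the clear.
IMG = r"C:\Users\victim\Downloads\invoice.exe"
SAMPLE_PROCS = [ProcEvent(100, 1, IMG, "start"), ProcEvent(101, 100, IMG, "start"),
                ProcEvent(100, 1, IMG, "exit"), ProcEvent(200, 1, r"C:\Windows\explorer.exe", "start"),
                ProcEvent(201, 200, r"C:\Program Files\Browser\browser.exe", "start")]
SAMPLE_NETS = [NetEvent(101, "POST", base64.b64encode(b"host=WS01;user=victim;cc=4111").decode()),
               NetEvent(201, "POST", "q=weather+today"), NetEvent(101, "POST", "host=WS01&user=victim")]

if __name__ == "__main__":
    for pid, kind in flag_redline_like(SAMPLE_PROCS, SAMPLE_NETS):
        print(f"pid {pid}: POST with {kind} body from self-relaunched process")
```

The browser's POST is ignored because its parent is a different image and is still running; only the relaunched child's two exfiltration-style requests are reported.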

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that arrive by email. Your staff should be aware that even trustworthy sources can lead to infection and to the theft of passwords or other credentials. It won’t take long to check a file in a sandbox such as ANY.RUN: several minutes are enough to detect RedLine, and you will be good to go. Stay safe.

IOCs

