RedLine Stealer

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Type: Stealer
Origin: ex-USSR
First seen: 1 March, 2020
Last seen: 27 January, 2022
Also known as: RedLine
Global rank: 7
Week rank: 2
Month rank: 2
IOCs: 23153

What is RedLine Stealer?

RedLine Stealer, or RedLine, is malware that collects users’ confidential information and delivers other malicious programs. Because the stealer is readily available and flexible, it causes financial loss and data leakage on both enterprise and personal devices. The healthcare and manufacturing sectors suffer the most from these attacks.

The malware appeared in March 2020, according to the Proofpoint investigation, and has gained steam since then. It was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on a legitimate-looking website that claims to provide privacy tools; based on the payload analysis, however, only malware can be found there.

General description of RedLine malware

RedLine is an infostealer that takes information about users from browsers, systems, instant messaging clients, and file transfer protocol clients. The main targets are passwords, credit card information, usernames, location, autofill data, cookies, the set of installed software, and even hardware configuration such as keyboard layout, UAC settings, etc. The virus is also capable of stealing cryptocurrency.

The malicious program acts as a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Moreover, attackers make use of RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is quite popular, as it is easy to obtain: underground forums and C&C panels offer options such as malware-as-a-service versions or a subscription. The price varies from $100 to $200.

RedLine Stealer cannot be called sophisticated malware in the way ransomware can. It has the usual features typical for this family. However, it is .NET malware written in C#, and the code quality is high enough to reveal an experienced programmer behind it. Cybercriminals also work hard to update the malware, adding features like downloading secondary payloads and advanced filtering.

RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch RedLine in action in an interactive sandbox simulation.


Figure 1: Displays the lifecycle of RedLine in a visual form as a process graph generated by ANY.RUN


Figure 2: A customizable text report generated by ANY.RUN allows users to take an even deeper look at the malware and helps to share the research results.

RedLine Stealer execution process

Typically, the execution process of this stealer is plain and straightforward. Based on the analysis, the main binary launches itself and the parent process stops. It may also be dropped by another binary or be the main binary itself. When the child process is created, the main malicious activity starts: RedLine collects information such as passwords from the infected system and sends it to the Command & Control panel. When all information is collected and sent, the stealer simply quits. Stolen information is sent in both non-encrypted and base64-encoded formats.

Distribution of RedLine

Attackers are not very creative with the delivery method of the virus. However, as with ransomware, the method works perfectly: social engineering in different email campaigns, including business email compromise, spam, fake updates, and Google ads, leads to malicious attachments or links. We can notice a big variety of file formats here:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

If you open the files in the attachment, RedLine will download other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

At the moment, analysts can quickly recognize the infostealer because the sample is tagged once Suricata IDS rules are triggered. Since the malicious program sends the stolen info to its panel right after execution starts, this won't take a lot of time.
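The page notes that stolen data leaves the host both in plain text and base64-encoded, and that detection relies on rules matching that traffic. The following is an added example (not ANY.RUN's code or a real RedLine signature) of the normalization step a detection pipeline needs so that one keyword rule covers both forms; the record fields and keywords are hypothetical and the sample messages are constructed.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample of stealer-style exfiltration content, NOT captured
# RedLine traffic; field names are hypothetical. The same record appears
# once in plain text and once base64-encoded, mirroring the two formats
# described above. The third line is benign noise that must not match.
PLAIN_RECORD = "user=alice;host=WS-17;layout=en-US;cookies=42;cards=1"
SAMPLE_MESSAGES = [
    PLAIN_RECORD,
    base64.b64encode(PLAIN_RECORD.encode()).decode(),
    "GET /index.html HTTP/1.1",
]

# Hypothetical indicator keywords a rule would look for once the payload
# is readable; a real rule would use signatures derived from samples.
KEYWORDS = ("cookies=", "cards=", "layout=")

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def try_decode_base64(text: str) -> Optional[str]:
    """Return the decoded string if `text` is valid base64 that decodes to
    printable ASCII, otherwise None. Strict validation (alphabet, length
    multiple of 4, minimum length) keeps short plain words like 'GET'
    from being misread as encoded data."""
    compact = text.strip()
    if len(compact) < 8 or len(compact) % 4 or not B64_RE.match(compact):
        return None
    try:
        decoded = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

def normalize(message: str) -> Tuple[str, bool]:
    """Return (readable_form, was_encoded) for one observed message."""
    decoded = try_decode_base64(message)
    return (decoded, True) if decoded is not None else (message, False)

def classify(messages: List[str]) -> List[Tuple[bool, bool]]:
    """Run the same keyword check over every message after normalization.
    Returns one (was_encoded, matched) pair per input message."""
    results = []
    for msg in messages:
        readable, encoded = normalize(msg)
        results.append((encoded, any(k in readable for k in KEYWORDS)))
    return results

if __name__ == "__main__":
    for msg, (enc, hit) in zip(SAMPLE_MESSAGES, classify(SAMPLE_MESSAGES)):
        print(f"encoded={enc!s:<5} match={hit!s:<5} {msg[:40]}")
```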

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that arrive by email. Your staff should be aware that even trustworthy sources can lead to infection and theft of passwords or other credentials. It won’t take long to check a file in a sandbox such as ANY.RUN: several minutes are enough to detect RedLine, and you will be good to go. Stay safe.

IOCs

