RedLine Stealer


RedLine Stealer is a malicious program that collects users’ confidential data from browsers, the operating system, and installed software. It also delivers other malware to the infected system.

Type: Stealer
Origin: ex-USSR
First seen: 1 March, 2020
Last seen: 4 June, 2023
Also known as: RedLine



What is RedLine Stealer?

RedLine Stealer, or simply RedLine, is malware that collects users’ confidential information and delivers other malicious programs. Because the stealer is widely available and flexible, it causes financial loss and data leakage on both enterprise and personal devices. The healthcare and manufacturing sectors suffer the most from these attacks.

According to the Proofpoint investigation, the malware appeared in March 2020. Since then RedLine has only gained momentum: it was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on a legitimate-looking website that claimed to provide privacy tools; payload analysis showed that only malware was distributed there.

General description of RedLine malware

RedLine is an infostealer that collects user information from browsers, the operating system, instant messaging clients, and FTP clients. Its main targets are passwords, credit card information, usernames, location, autofill data, cookies, the set of installed software, and even hardware configuration details such as keyboard layout and UAC settings. The malware is also capable of stealing cryptocurrency.

The malicious program acts as a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Moreover, attackers make use of RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is popular because it is easy to obtain. Underground forums offer it together with its C&C panel in different forms, such as a malware-as-a-service version or a subscription, at prices ranging from $100 to $200.

RedLine Stealer is not as sophisticated as, for example, ransomware; it has the usual features typical for its family. However, it is .NET malware written in C#, and the code quality is high enough to suggest an experienced programmer behind it. Its operators also keep updating the malware, adding capabilities such as downloading secondary payloads and advanced filtering features.


RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch RedLine in action in an interactive sandbox.

Figure 1: The lifecycle of RedLine displayed as a process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by ANY.RUN lets users take an even deeper look at the malware and share the research results.

RedLine Stealer execution process

Typically the execution process of this stealer is plain and straightforward. Based on the analysis, the main binary launches a copy of itself and the parent process exits. The binary may also be dropped by another executable, or it may be the main binary itself. Once the child process is created, the main malicious activity starts: RedLine collects information from the infected system, such as passwords and other data, and sends it to the Command & Control panel. When all the information has been collected and sent, the stealer simply exits. Stolen information is sent in both unencrypted and base64 encoded form.

Distribution of RedLine

Attackers are not very creative with RedLine’s delivery method. However, as with ransomware, the method works well: social engineering through various email campaigns (business email compromise, spam, fake updates) and Google ads leads victims to malicious attachments or links. A wide variety of file formats is used:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

Once the attached file is opened, RedLine runs and downloads other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

Analysts can quickly recognize the infostealer in ANY.RUN because the task is tagged once Suricata IDS rules are triggered. Since the malware sends the stolen data to its panel right after execution starts, detection does not take long.
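The execution description above notes that RedLine posts stolen data to its panel either unencrypted or base64 encoded, which is also why network-based rules catch it so early. The following Python heuristic is an added example, not code from ANY.RUN or from this page: it decodes well-formed base64 request bodies and flags plaintext or decoded content that names credential-like fields of the kind the page lists. The sample bodies and the marker field names are constructed assumptions for the demonstration.

```python
from __future__ import annotations
import base64
import binascii
import re

# Field names RedLine is described as collecting, matched on word boundaries
# so this illustrative heuristic does not fire on arbitrary substrings.
MARKERS = re.compile(
    r"\b(password|passwd|cookie|autofill|creditcard|keyboardlayout|uac|wallet)\b",
    re.IGNORECASE,
)
B64_SHAPE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64(body: bytes) -> bytes | None:
    """Return decoded bytes if `body` is well-formed base64, else None."""
    compact = b"".join(body.split())  # tolerate line wrapping in captured bodies
    if len(compact) < 8 or len(compact) % 4 or not B64_SHAPE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def classify_body(body: bytes) -> dict:
    """Flag a body carrying credential-like fields, whether plaintext or base64."""
    decoded = decode_base64(body)
    texts = [body.decode("utf-8", errors="ignore")]
    if decoded is not None:
        texts.append(decoded.decode("utf-8", errors="ignore"))
    markers = sorted({m.group(1).lower() for t in texts for m in MARKERS.finditer(t)})
    return {"base64": decoded is not None, "markers": markers, "suspicious": bool(markers)}


def scan_bodies(bodies: list[bytes]) -> list[dict]:
    """Return one alert record per suspicious body, keeping its index for triage."""
    return [{"index": i, **v} for i, v in enumerate(map(classify_body, bodies)) if v["suspicious"]]


# Constructed sample bodies for the demonstration, not captured RedLine traffic.
SAMPLE_BODIES = [
    b"host=shop.example&user=alice&password=hunter2&cookie=session%3Dabc",
    base64.b64encode(b"KeyboardLayout=en-US;UAC=Enabled;Wallet=none"),
    b"q=weather+forecast&page=2",
    base64.b64encode(b"hello world"),
]

if __name__ == "__main__":
    for alert in scan_bodies(SAMPLE_BODIES):
        print(alert)
```

Only the two constructed bodies that carry credential-like fields are reported; the benign base64 body decodes cleanly but produces no alert.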

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that arrive by email. Your staff should be aware that even trustworthy-looking sources can lead to infection and to the theft of passwords and other credentials. It won’t take long to check a file in a sandbox such as ANY.RUN: several minutes are enough to detect RedLine, and you will be good to go. Stay safe.
