RedLine Stealer

RedLine Stealer is a malicious program that collects users' confidential data from browsers, the operating system, and installed software. It can also drop additional malware onto the infected system.

Type: Stealer
Origin: ex-USSR
First seen: 1 March, 2020
Last seen: 17 September, 2021
Also known as: RedLine
Global rank: 9
Week rank: 1
Month rank: 1
IOCs: 9324

What is RedLine Stealer?

RedLine Stealer, or RedLine, is malware that collects users' confidential information and delivers other malicious programs. Because the stealer is cheap and flexible, it causes financial loss and data leakage on both enterprise and personal devices. The healthcare and manufacturing sectors are hit hardest by these attacks.

According to Proofpoint's investigation, the malware appeared in March 2020 and has gained steam since then. It rose during the COVID-19 pandemic and remains active. On July 1st, 2021, the malware was found on a legitimate-looking website offering privacy tools; payload analysis showed that the site served only malware.

General description of RedLine malware

RedLine is an infostealer that collects user data from browsers, the operating system, instant messaging clients, and FTP clients. Its main targets are passwords, credit card data, usernames, location, autofill data, cookies, the list of installed software, and even hardware and configuration details such as keyboard layout and UAC settings. The malware can also steal cryptocurrency wallet data.

The program behaves like a typical stealer: it uploads and downloads files, executes commands, and reports information about the infected machine. Attackers also use RedLine as a loader to deliver ransomware, RATs, trojans, and miners.

The infostealer is popular because it is easy to obtain. It is advertised on underground forums, bundled with its C&C panel, either as a one-off purchase or as a malware-as-a-service subscription, with prices ranging from roughly $100 to $200.

RedLine Stealer is not sophisticated in the way some ransomware is; it has the feature set typical of this family. However, it is .NET malware written in C#, and the code quality is high enough to suggest an experienced developer behind it. The operators also keep updating it, for example with secondary payload downloads and more advanced data-filtering features.

RedLine malware analysis

ANY.RUN allows researchers to analyze RedLine and watch it in action in an interactive sandbox.

Figure 1: The lifecycle of RedLine shown as a process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by ANY.RUN that lets users take a deeper look at the malware and share the research results.

RedLine Stealer execution process

The execution chain of this stealer is usually short. In the samples analyzed, the main binary starts a second copy of itself and the original (parent) process exits; the binary may be the initial file or be dropped by another loader. Once the child process is running, the main malicious activity starts: RedLine collects passwords and other information from the infected system and sends it to the command-and-control panel. When everything has been collected and sent, the stealer simply exits. Stolen data is sent both in plaintext and base64 encoded.
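The relaunch pattern described above (the binary starts a copy of itself, the parent exits, the child does the collection and C2 traffic) can be turned into a simple endpoint hunting query. The following Python is an added example, not ANY.RUN code: it runs a self-relaunch heuristic over constructed Sysmon-like process events (the record layout, PIDs and file paths are assumptions) and flags a parent that spawned a child with the same image path and then terminated within a few seconds, while ignoring multiprocess applications whose parent stays alive.

```python
"""Self-relaunch heuristic for the RedLine execution pattern described above.
Added example (not ANY.RUN code). The events are constructed to resemble
Sysmon process-create / process-terminate records; field names and paths
are assumptions, not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    ts: datetime
    kind: str              # "create" or "terminate"
    pid: int
    ppid: Optional[int]    # only meaningful for "create"
    image: str


T0 = datetime(2021, 9, 17, 10, 0, 0)
STEALER = r"C:\Users\bob\Downloads\invoice.exe"      # constructed path
CHROME = r"C:\Program Files\Google\Chrome\chrome.exe"

# Constructed sample telemetry: one RedLine-style chain and one benign
# multiprocess application that also spawns copies of itself.
SAMPLE_EVENTS = [
    ProcEvent(T0, "create", 4100, 1200, STEALER),
    ProcEvent(T0 + timedelta(seconds=1), "create", 4132, 4100, STEALER),
    ProcEvent(T0 + timedelta(seconds=2), "terminate", 4100, None, STEALER),
    ProcEvent(T0, "create", 500, 300, CHROME),
    ProcEvent(T0 + timedelta(seconds=1), "create", 520, 500, CHROME),
]


def find_self_relaunch(events: List[ProcEvent],
                       max_parent_lifetime: timedelta = timedelta(seconds=10)
                       ) -> List[Tuple[int, int, str]]:
    """Return (parent_pid, child_pid, image) for every parent that started a
    child with the same image path and then exited within max_parent_lifetime
    of the child's creation. Assumes PIDs are unique within the window;
    real telemetry needs a process GUID to survive PID reuse."""
    creates = {e.pid: e for e in events if e.kind == "create"}
    terms = {e.pid: e for e in events if e.kind == "terminate"}
    hits = []
    for child in creates.values():
        parent = creates.get(child.ppid)
        if parent is None or parent.image.lower() != child.image.lower():
            continue                      # not a self-relaunch
        term = terms.get(parent.pid)
        if term is None:
            continue                      # parent still alive: chrome, etc.
        if timedelta(0) <= term.ts - child.ts <= max_parent_lifetime:
            hits.append((parent.pid, child.pid, parent.image))
    return hits


if __name__ == "__main__":
    for ppid, pid, image in find_self_relaunch(SAMPLE_EVENTS):
        print(f"self-relaunch: {image} pid {ppid} -> {pid}, parent exited")
```

Treat a hit as a hunting lead rather than a blocking rule: installers, updaters and programs re-launching themselves after a UAC prompt produce the same shape. Combining it with the network-side tagging described later on this page (the stealer contacts its panel right after the relaunch) removes most of that noise.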

Distribution of RedLine

Attackers are not very creative with the delivery of the stealer, but, as with ransomware, the method works: social engineering in email campaigns (business email compromise, spam, fake updates) and malicious Google ads lead to malicious attachments or links. A wide variety of file formats is used:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

Opening such an attachment runs the stealer, which may in turn download further malicious programs.

How to detect RedLine infostealer using ANY.RUN?

Currently, analysts can recognize the infostealer quickly because the sample is tagged as soon as the corresponding Suricata IDS rules fire. Since the malware sends stolen data to its panel right after execution starts, this does not take long.

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that arrive by email. Staff should be aware that even seemingly trustworthy sources can lead to infection and theft of passwords or other credentials. Checking a file in a sandbox such as ANY.RUN takes only a few minutes and is enough to detect RedLine. Stay safe.

IOCs

IP addresses
23.202.231.167
79.174.13.108
185.204.109.42
185.230.143.48
192.162.242.94
185.206.215.216
45.9.20.20
45.156.24.97
80.66.87.32
45.66.9.155
65.21.131.29
80.85.137.119
3.68.106.170
95.217.248.44
185.250.148.221
185.215.113.98
80.92.206.118
45.133.217.148
194.87.145.184
Hashes
077f27529fa393ceb9bc6f3215b2d51a751a9720bda83605a089e33b5749e8a6
eafee164cc6c7cd4f545d5dd7bc9a10a931aa6c30162be00215520bb3b010fa4
99c4c6d1b92aae360164084a34c527513c04c683ed48257030915fbc442d1cad
edb8c977167a1103f09ea2eafada3f63d464fd45f8ee9c0b72d51167a349a819
870fca1ec4bfd83a616fd016818228413103c4e51aaa0827371e6f20de594243
efaf87da4c55ab7b0783a5f95103dedde720716c36b5173724252ed45c255fbe
a82b6f939bc334d7924931fbfd325a8c65156b889ef5ed4865873b6eb7678131
f8d91f4cc808efd7847ecf949ca9d58874d0ade5d086089f3c36e2a32737d3ce
06af378d14a23f6caeb52713ef0c984974874547b9ac41c86d2ce4c6554c20d2
3d5e94902b5d69afaf611973fba6aafc73229d45b9041990833fd7ba048dabc2
9f5106993fa4107b37fc4994dceadaaa904e91a5fee46970de3242c3c8867f84
f5ad5f72cdd46c72b9272c1df0a4294a5bbf7ff8857b603147ab4478773124d3
4fd12867571c0cc1f957cfdf5e1617ad2b494a92aa3ab5b3f04208d6c9112a3d
ebc085c6411aa252cfa4fef0c7c4953ab33cb5e2ae8b364768c3b75cf1d9a78c
6cbb387e8d08a7f00cd5bc82a20a2a788b11f12a07b6b590dfcfd93c36244a70
c1a742a2078dc5dd77050d7d3e825925490287f6e87ef9d0cb0c74a275ef7801
4e1ad22aae029411a7428fe62522e2b393a09fe3b10fbc3f916d41fd0b532dae
9546431cf9938789b4686f399713fae5a71c4f7467846aa5bec851379c4fb44e
9ba4c2c64fad7721534db33ca1da08ec4f916e8a24850876ee85e6d5394078a1
506d1afb21dc93f3a8d0a9ba6965f0a15bec343ebd27cd28e8a91bcc7cbf9a12
Domains
itroublvehacker.gq
erygcvt.cn
ktenergo.ru
qxq.ddns.net
demner.site
192-168-100-240.otmn.direct.quickconnect.to
www.hanaleedossmann.com
rozmata.com
tollyplay.biz
kikedeoliveira.com
samnewbyjax.com
isns.net
192-168-100-87.abcdefghijklmnopqrstuvwxyz012345.plex.direct
corporacionrr.com
deepsouthclothingcompany.com
WindowsAuthentication324-49629.portmap.host
tachkaa.com
addio.space
ticket.ipv10.eu
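The indicators above are only useful once they are actually checked against telemetry. The following Python is an added example, not ANY.RUN tooling: it embeds a subset of the IPs, domains and SHA-256 hashes copied from the IOC section and matches constructed DNS/proxy log lines (the tab-separated ts/src/dst/host layout is an assumption) and in-memory file contents against them, including label-wise subdomain matches such as a host under a listed domain.

```python
"""Matcher for the RedLine IOCs listed on this page. Added example, not
ANY.RUN tooling. IOC_* hold a subset copied from the IOC section; the log
lines are constructed and their tab-separated layout (ts, src, dst, host)
is an assumption about your telemetry."""
import hashlib
from typing import Dict, List, Set, Tuple

IOC_IPS = {"185.215.113.98", "45.133.217.148", "194.87.145.184", "65.21.131.29"}
IOC_DOMAINS = {"itroublvehacker.gq", "demner.site", "tachkaa.com", "ticket.ipv10.eu"}
IOC_SHA256 = {
    "077f27529fa393ceb9bc6f3215b2d51a751a9720bda83605a089e33b5749e8a6",
    "eafee164cc6c7cd4f545d5dd7bc9a10a931aa6c30162be00215520bb3b010fa4",
}

# Constructed sample log (not real traffic): DNS queries and direct connects.
SAMPLE_LOG = """\
1631870400.100\t10.0.0.15\t10.0.0.1\tcdn.example.org
1631870401.230\t10.0.0.15\t10.0.0.1\tdemner.site
1631870402.500\t10.0.0.15\t185.215.113.98\t-
1631870403.010\t10.0.0.22\t10.0.0.1\tmail.ticket.ipv10.eu
1631870404.750\t10.0.0.22\t93.184.216.34\twww.example.com
"""


def domain_matches(host: str, iocs: Set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one
    (label-wise, so 'notdemner.site' does not match 'demner.site')."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def scan_log(text: str, ips: Set[str] = IOC_IPS,
             domains: Set[str] = IOC_DOMAINS) -> List[Tuple[int, str, str]]:
    """Return (line_no, indicator, field) for every line touching an IOC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("\t")
        if len(parts) < 4:
            continue                          # malformed line, skip it
        _ts, _src, dst, host = parts[:4]
        if dst in ips:
            hits.append((n, dst, "dst"))
        if host != "-" and domain_matches(host, domains):
            hits.append((n, host, "host"))
    return hits


def sha256_hits(blobs: Dict[str, bytes], hashes: Set[str] = IOC_SHA256) -> List[str]:
    """Names of blobs whose SHA-256 is in the hash list (for dropped files)."""
    return [name for name, data in blobs.items()
            if hashlib.sha256(data).hexdigest() in hashes]


if __name__ == "__main__":
    for n, ioc, field in scan_log(SAMPLE_LOG):
        print(f"line {n}: {field} matches IOC {ioc}")
    print("hash hits:", sha256_hits({"constructed.bin": b"not a real sample"}))
```

Vet the list before loading all of it into a blocklist: several domain entries (the quickconnect.to and plex.direct names, which embed a private 192.168.x.x address) look like consumer NAS or media-server relay hostnames observed during a sandbox run rather than attacker infrastructure, and the IP list mixes hosting-provider addresses that are likely to be reassigned. Hash matching only catches byte-identical samples; RedLine builds are repacked often, so treat hashes as confirmation, not as primary detection.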
