RedLine Stealer

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Type: Stealer
Origin: ex-USSR
First seen: 1 March, 2020
Last seen: 27 January, 2023
Also known as: RedLine
Global rank: 3
Week rank: 1
Month rank: 1
IOCs: 49711

What is RedLine Stealer?

RedLine Stealer, or RedLine, is malware that collects users’ confidential information and delivers other malicious programs. Its wide availability and flexibility lead to financial loss and data leakage for both enterprise and personal devices. The healthcare and manufacturing sectors suffer the most from these attacks.

The malware appeared in March 2020, according to the Proofpoint investigation, and has only gained momentum since. It was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on a legitimate-looking website purporting to offer privacy tools; payload analysis showed that only malware could be obtained there.

General description of RedLine malware

RedLine is an infostealer that takes user information from browsers, the operating system, instant-messaging clients, and FTP clients. Its main targets are passwords, credit card information, usernames, location, autofill data, cookies, the set of installed software, and even hardware configuration such as keyboard layout and UAC settings. The stealer is also capable of stealing cryptocurrency.

The malicious program behaves like a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Moreover, attackers use RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is widely used because it is easy to obtain. Underground forums and C&C panels offer different options, such as malware-as-a-service versions or a subscription. The price varies from $100 to $200.

RedLine Stealer is not a sophisticated piece of malware in the way ransomware is; it has the usual features typical of this family. However, it is .NET malware written in C#, and the code quality is high enough to suggest an experienced programmer behind it. Its operators also actively update the malware, adding capabilities such as downloading secondary payloads and advanced filtering features.

RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch RedLine in action in an interactive sandbox simulation.

Figure 1: The lifecycle of RedLine, shown as a process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by ANY.RUN, which allows users to take an even deeper look at the malware and helps to share the research results.

RedLine Stealer execution process

Typically the execution process of this stealer is plain and straightforward. Based on the analysis, the main binary launches a copy of itself and the parent process exits. The binary may be dropped by another binary or be the main binary itself. Once the child process is created, the main malicious activity starts: RedLine collects information such as passwords from the infected system and sends it to the Command & Control panel. When all the information has been collected and sent, the stealer simply quits. Stolen information is sent both unencrypted and base64-encoded.
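The self-spawn pattern described above (a binary launches a copy of itself, the parent exits, and the child then talks to the C&C panel) can be turned into a simple endpoint detection heuristic. The following is an added example, not ANY.RUN's code or part of the original page: the event records and their field names are constructed for the demonstration and do not correspond to any particular sensor's schema, and the only IOC value used is an IP address from the page's list. A benign browser chain is included to show why the "parent exited" condition matters.

```python
"""
Heuristic for the RedLine execution chain: a process whose parent has the
same image path, whose parent exits after spawning it, and which then makes
an outbound connection within a short window.

Added example; Event fields are an assumed, constructed schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    t: float                        # seconds since start of capture
    kind: str                       # "start", "exit" or "net"
    pid: int
    image: str                      # image path of the process this event belongs to
    ppid: Optional[int] = None      # set on "start" events
    parent_image: Optional[str] = None
    dest: Optional[str] = None      # set on "net" events


def find_self_spawn_exfil(events: List[Event], window: float = 30.0) -> List[Tuple[int, str, str]]:
    """Return (child_pid, image, destination) for every suspicious chain."""
    events = sorted(events, key=lambda e: e.t)
    starts = {e.pid: e for e in events if e.kind == "start"}
    exits = {e.pid: e.t for e in events if e.kind == "exit"}
    findings = []
    for e in events:
        if e.kind != "net":
            continue
        s = starts.get(e.pid)
        if s is None or s.ppid is None:
            continue
        # Condition 1: the child runs the same image as its parent (self-spawn).
        if s.parent_image != s.image:
            continue
        # Condition 2: the parent exited after creating the child and before
        # the child's network activity. Browsers also self-spawn, but their
        # parent stays alive, so this condition removes that noise.
        parent_exit = exits.get(s.ppid)
        if parent_exit is None or not (s.t <= parent_exit <= e.t):
            continue
        # Condition 3: the connection follows the spawn quickly, matching the
        # "collect and send right after start" behaviour.
        if e.t - s.t <= window:
            findings.append((e.pid, e.image, e.dest))
    return findings


# Constructed sample events: one RedLine-like chain and one benign browser chain.
DROPPER = r"C:\Users\user\Downloads\invoice.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"
SAMPLE_EVENTS = [
    Event(0.0, "start", 100, DROPPER, ppid=1, parent_image="explorer.exe"),
    Event(1.0, "start", 101, DROPPER, ppid=100, parent_image=DROPPER),
    Event(1.2, "exit", 100, DROPPER),
    Event(3.0, "net", 101, DROPPER, dest="185.191.229.101"),   # IP from the page's IOC list
    Event(5.0, "start", 200, BROWSER, ppid=1, parent_image="explorer.exe"),
    Event(5.5, "start", 201, BROWSER, ppid=200, parent_image=BROWSER),
    Event(6.0, "net", 201, BROWSER, dest="203.0.113.10"),      # documentation-range address
]


def demo() -> List[Tuple[int, str, str]]:
    return find_self_spawn_exfil(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, image, dest in demo():
        print(f"suspicious self-spawn chain: pid={pid} image={image} dest={dest}")
```

The heuristic is deliberately narrow: it fires only when all three conditions line up, so a legitimate updater that re-launches itself and stays alive, or a browser's renderer processes, do not match.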

Distribution of RedLine

Attackers are not very creative with the delivery method. However, as with ransomware, the method works well: social engineering across different email campaigns, including business email compromise, spam, fake updates, and Google ads, leads victims to malicious attachments or links. A wide variety of file formats is used:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

Opening the attached file runs RedLine, which then downloads other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

At the moment, analysts can quickly recognize the infostealer because the sample is tagged once Suricata IDS rules are triggered. Since the malicious program sends the stolen data to its panel right after execution starts, detection does not take long.

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that arrive by email. Your staff should be aware that even trustworthy-looking sources can lead to infection and the theft of passwords or other credentials. It won’t take long to check a file in a sandbox such as ANY.RUN: several minutes are enough to detect RedLine, and you will be good to go. Stay safe.

IOCs

IP addresses
109.206.241.81
89.107.10.129
195.2.78.202
80.66.87.52
94.140.115.207
94.130.229.4
94.140.114.207
185.45.192.218
89.39.104.85
195.54.170.157
193.124.22.24
116.203.187.3
109.107.181.110
185.191.229.101
185.106.92.20
94.228.116.72
37.139.129.226
89.208.106.67
109.107.181.244
95.217.55.221
Hashes

Domains
pluto.iziis.ukim.edu.mk
vcctggqm3t.dattolocal.net
booking.msg.bluhotels.com
0.pool.ntp.org
bulbankonlne.email
bulbankonilne.online
de.heygamersnort.at
heygamersnort.at
cdnjsapis.com
bulbaknoline.online
unicr-client.online
mrcsecure.ru
winserver-cdn.at
ccsecure.ru
buddy-calc.at
securecc.ru
securemrc.ru
freshness-girls.at
drunt.at
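The IOC list above is most useful when it is actually run against proxy and DNS logs. The following is an added example and not ANY.RUN's code: it takes the IP addresses and domains from the list on this page, matches constructed log lines against them, and treats a queried name as a hit when it equals a listed domain or is a subdomain of one (so `de.heygamersnort.at` matches `heygamersnort.at`, but `drunt.at.example.com` does not match `drunt.at`). The log line format is an assumption made for the demonstration. One caveat a practitioner will want: `0.pool.ntp.org` appears in the list but is a public NTP pool, so the example reports matches on it as low confidence rather than silently dropping or blindly alerting on them.

```python
"""
Match constructed proxy/DNS log lines against the RedLine IOCs on this page.

Added example. Only the IP addresses and domains come from the page's IOC
list; the log format and the sample lines are constructed for the demo.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IP addresses from the page's IOC list
REDLINE_IPS = {
    "109.206.241.81", "89.107.10.129", "195.2.78.202", "80.66.87.52",
    "94.140.115.207", "94.130.229.4", "94.140.114.207", "185.45.192.218",
    "89.39.104.85", "195.54.170.157", "193.124.22.24", "116.203.187.3",
    "109.107.181.110", "185.191.229.101", "185.106.92.20", "94.228.116.72",
    "37.139.129.226", "89.208.106.67", "109.107.181.244", "95.217.55.221",
}

# Domains from the page's IOC list
REDLINE_DOMAINS = {
    "pluto.iziis.ukim.edu.mk", "vcctggqm3t.dattolocal.net",
    "booking.msg.bluhotels.com", "0.pool.ntp.org", "bulbankonlne.email",
    "bulbankonilne.online", "de.heygamersnort.at", "heygamersnort.at",
    "cdnjsapis.com", "bulbaknoline.online", "unicr-client.online",
    "mrcsecure.ru", "winserver-cdn.at", "ccsecure.ru", "buddy-calc.at",
    "securecc.ru", "securemrc.ru", "freshness-girls.at", "drunt.at",
}

# Shared public infrastructure that is in the list but not malicious on its
# own; matches are kept for correlation but flagged as low confidence.
LOW_CONFIDENCE = {"0.pool.ntp.org"}

# Assumed log format: "<timestamp> <src_ip> <kind> <value>", where kind is
# "dns" (queried name) or "conn" (destination IP address).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|conn)\s+(?P<value>\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    kind: str
    value: str
    ioc: str
    confidence: str


def matched_domain(name: str) -> Optional[str]:
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in REDLINE_DOMAINS:
            return candidate
    return None


def match_line(line: str) -> Optional[Hit]:
    """Parse one log line and return a Hit if it touches a listed IOC."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line; a real pipeline would count these
    ts, src, kind, value = m.group("ts", "src", "kind", "value")
    if kind == "conn":
        try:
            ip = str(ipaddress.ip_address(value))   # normalises the address
        except ValueError:
            return None
        return Hit(ts, src, kind, value, ip, "high") if ip in REDLINE_IPS else None
    ioc = matched_domain(value)
    if ioc is None:
        return None
    return Hit(ts, src, kind, value, ioc, "low" if ioc in LOW_CONFIDENCE else "high")


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (match_line(line) for line in lines) if h is not None]


# Constructed sample log lines (internal source addresses are made up).
SAMPLE_LOG = """\
2023-01-27T10:00:01Z 10.0.0.15 dns login.example.com
2023-01-27T10:00:02Z 10.0.0.15 dns api.heygamersnort.at
2023-01-27T10:00:03Z 10.0.0.15 conn 185.191.229.101
2023-01-27T10:00:04Z 10.0.0.22 dns 0.pool.ntp.org
2023-01-27T10:00:05Z 10.0.0.22 conn 192.0.2.44
2023-01-27T10:00:06Z 10.0.0.31 dns drunt.at.example.com
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} {hit.kind}={hit.value} -> {hit.ioc} ({hit.confidence})")
```

Suffix matching on DNS labels, rather than substring search, is what keeps `drunt.at.example.com` from being reported; a substring check against `drunt.at` would fire on it and on every other name that happens to contain that text.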
