
RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Type: Stealer
Origin: ex-USSR
First seen: 1 March, 2020
Last seen: 29 September, 2025
Also known as: RedLine

How to analyze RedLine Stealer with ANY.RUN


IOCs

IP addresses
185.215.113.43
185.215.113.217
185.215.113.16
176.111.174.140
185.81.68.147
1.1.1.1
193.161.193.99
167.99.211.66
185.65.134.165
206.123.140.95
116.203.252.195
37.235.48.20
147.185.221.223
76.8.53.133
193.233.48.17
185.106.92.86
185.174.136.46
147.185.221.211
78.153.130.88
193.124.22.17
Domains
google.com
0.tcp.ngrok.io
0.tcp.eu.ngrok.io
2.tcp.eu.ngrok.io
2.tcp.ngrok.io
4.tcp.ngrok.io
4.tcp.eu.ngrok.io
0.tcp.in.ngrok.io
6.tcp.ngrok.io
8.tcp.ngrok.io
6.tcp.eu.ngrok.io
7.tcp.eu.ngrok.io
exploitt.duckdns.org
5.tcp.eu.ngrok.io
0.tcp.au.ngrok.io
thuglifezzz.duckdns.org
5.tcp.ngrok.io
zera.hopto.org
nicehash.at
burunadam.duckdns.org
URLs
http://185.159.129.168/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys
http://45.12.253.208:3030/
http://136.175.8.52:29509/
http://4c39-20-107-12-236.ngrok.io/
http://109.107.177.164/
http://siyatermi.duckdns.org:17044/
http://84.38.132.100:29934/
http://103.170.118.35:12664/
http://141.98.6.177:1334/
http://4.tcp.ngrok.io:14019/
http://65.108.24.105:2017/
http://micro.giize.com:17044/
http://51.142.250.79/
http://5.42.92.122:34244/
http://87.120.88.63:65012/
http://85.217.144.184:38329/
http://85.208.139.125:17960/
http://193.233.255.86:30607/
http://194.59.31.148:62099/
http://18.133.225.113:32432/

What is RedLine Stealer?

RedLine Stealer, or RedLine, is malware that collects users’ confidential information and delivers other malicious programs. Because the stealer is easy to obtain and adapt, it causes financial loss and data leakage on both enterprise and personal devices. The healthcare and manufacturing sectors suffer the most from these attacks.

The malware appeared in March 2020, according to the Proofpoint investigation. Since then, RedLine has only gained steam: it was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021, the malware was found on a legitimate-looking website that claims to provide privacy tools. However, payload analysis showed that the site distributes nothing but malware.

General description of RedLine malware

RedLine is an infostealer that takes information about users from browsers, the operating system, instant messaging clients, and file transfer protocol (FTP) clients. Its main targets are passwords, credit card information, usernames, location, autofill data, cookies, the list of installed software, and even hardware and system configuration such as keyboard layout and UAC settings. The stealer is also capable of stealing cryptocurrency.

The malicious program acts as a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Moreover, attackers make use of RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is quite popular, and it is not hard to find. Underground forums and C&C panels offer different options, such as a malware-as-a-service version or a subscription. The price varies from $100 to $200.

RedLine Stealer cannot be called sophisticated malware in the way ransomware is; it has the usual features typical for this family. However, it is .NET malware written in C#, and the code quality is high enough to suggest an experienced programmer behind it. The cybercriminals also keep updating the malware, adding features such as downloading secondary payloads and advanced filtering.


RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch RedLine in action in an interactive sandbox.

Figure 1: The lifecycle of RedLine shown in visual form as a process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by ANY.RUN allows users to take an even deeper look at the malware and helps to share the research results.

RedLine Stealer execution process

Typically, the execution process of this stealer is plain and straightforward. Based on the analysis, the main binary launches itself and the parent process stops. The binary may also be dropped by another executable rather than being the initial file. Once the child process is created, the main malicious activity starts: RedLine collects information from the infected system, such as passwords, and sends it to the Command & Control panel. When all the information has been collected and sent, the stealer simply quits. Stolen information is sent in both non-encrypted and base64-encoded form.
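The "launches itself and the parent process stops" behaviour described above can be turned into a hunting heuristic over process-creation telemetry. The following is an added example, not code from the page or from ANY.RUN: it runs over a constructed list of process events (the event tuple layout, the paths and the pids are all assumptions) and flags a child whose parent has the same image path and exits shortly after spawning it.

```python
# Constructed process events (not real telemetry) in a minimal EDR/Sysmon-like
# shape: (timestamp_seconds, event_kind, pid, ppid, image_path).
EVENTS = [
    (0.0, "create", 100, 1,   r"C:\Windows\explorer.exe"),
    (1.0, "create", 200, 100, r"C:\Users\u\Downloads\invoice.exe"),
    (1.5, "create", 201, 200, r"C:\Users\u\Downloads\invoice.exe"),  # relaunches itself
    (1.7, "exit",   200, 100, r"C:\Users\u\Downloads\invoice.exe"),  # parent stops
    (2.0, "create", 300, 100, r"C:\Program Files\App\updater.exe"),
    (2.2, "create", 301, 300, r"C:\Program Files\App\updater.exe"),  # same image...
    (9.0, "exit",   300, 100, r"C:\Program Files\App\updater.exe"),  # ...but parent lingers
    (3.0, "create", 400, 100, r"C:\Windows\notepad.exe"),
]


def self_relaunch_candidates(events, max_parent_lifetime=2.0):
    """Return pids of children whose parent ran the same image and exited within
    max_parent_lifetime seconds of the child's creation.

    This is the 'launches itself, then the parent stops' pattern. Installers and
    updaters also do this, so a hit is a triage lead, not a verdict; the time
    window is a tunable assumption.
    """
    created = {}  # pid -> (create_ts, ppid, image)
    exited = {}   # pid -> exit_ts
    for ts, kind, pid, ppid, image in events:
        if kind == "create":
            created[pid] = (ts, ppid, image)
        elif kind == "exit":
            exited[pid] = ts

    hits = []
    for pid, (ts, ppid, image) in created.items():
        parent = created.get(ppid)
        if parent is None or parent[2].lower() != image.lower():
            continue  # no recorded parent, or parent is a different program
        parent_exit = exited.get(ppid)
        if parent_exit is not None and 0 <= parent_exit - ts <= max_parent_lifetime:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    for pid in self_relaunch_candidates(EVENTS):
        ts, ppid, image = EVENTS[[e[2] for e in EVENTS].index(pid)][0], *EVENTS[[e[2] for e in EVENTS].index(pid)][3:5]
        print(f"candidate: pid={pid} ppid={ppid} image={image} created_at={ts}")
```

Only the downloaded `invoice.exe` chain is reported: the updater relaunches itself too, but its parent stays alive well past the window, which is the distinction that keeps the heuristic useful for triage.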

Distribution of RedLine

Attackers are not very creative with the delivery method. However, as with ransomware, the method works perfectly: social engineering through email campaigns (including business email compromise and spam), fake updates, and Google ads leads victims to malicious attachments or links. A wide variety of file formats is used:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

Opening such an attachment runs RedLine, which will then download other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

At the moment, analysts can quickly recognize the infostealer because the task is tagged as soon as the corresponding Suricata IDS rules are triggered. Since the malicious program sends the stolen information to its panel right after execution starts, detection does not take long.
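The IOC section above and the detection note here both come down to matching observed traffic against known indicators. The following is an added example, not code from the page or from ANY.RUN: it checks a few constructed proxy log lines against a subset of the page's own IP, domain and URL indicators, decodes base64-looking URL path segments (the page notes stolen data is sent in plain and base64 form), and, going a little beyond the list, flags numbered ngrok TCP tunnel hosts as a triage heuristic because most of the listed C2 hosts are of that shape. The log format, the client addresses, the port on the ngrok line and the `triage`/`classify` names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Indicators copied verbatim from the page's IOC section (a subset).
IOC_IPS = {
    "185.215.113.43", "185.215.113.217", "185.215.113.16",
    "193.161.193.99", "167.99.211.66", "185.174.136.46",
}
IOC_DOMAINS = {
    "exploitt.duckdns.org", "thuglifezzz.duckdns.org", "zera.hopto.org",
    "nicehash.at", "burunadam.duckdns.org", "0.tcp.ngrok.io",
}
IOC_URLS = {
    "http://185.159.129.168/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys",
    "http://siyatermi.duckdns.org:17044/",
    "http://4.tcp.ngrok.io:14019/",
}
# The page's list also contains google.com and 1.1.1.1. Both are widely used
# benign services, so they are kept out of the match sets: an uncurated IOC
# feed blocks legitimate traffic. (Assumption: the sample merely contacted them.)
IGNORED = {"google.com", "1.1.1.1"}

# Heuristic generalised from the page's list, where most listed C2 hosts are
# numbered ngrok TCP tunnels. A hit is a triage signal, not proof of infection.
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$")

# Constructed proxy log lines (not real telemetry): timestamp client method url
SAMPLE_LOG = """\
2025-09-29T10:00:01Z 10.0.0.5 GET http://google.com/
2025-09-29T10:00:02Z 10.0.0.5 POST http://185.159.129.168/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys
2025-09-29T10:00:03Z 10.0.0.7 POST http://7.tcp.eu.ngrok.io:12345/
2025-09-29T10:00:04Z 10.0.0.9 GET http://example.org/index.html
2025-09-29T10:00:05Z 10.0.0.5 POST http://185.215.113.43:8080/
"""


def decode_b64_segment(segment):
    """Decode a URL path segment if it is well-formed base64 of at least 8
    characters; return None otherwise. The decoded bytes are returned as text
    (or hex if not ASCII) without any interpretation."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", segment):
        return None
    try:
        raw = base64.b64decode(segment, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()


def classify(url):
    """Return the list of reasons a URL matches the indicators (empty if none)."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host in IGNORED:
        return reasons
    if url in IOC_URLS:
        reasons.append("url:exact")
    if host in IOC_IPS:
        reasons.append("ip:" + host)
    if host in IOC_DOMAINS:
        reasons.append("domain:" + host)
    if NGROK_TCP.match(host):
        reasons.append("heuristic:ngrok-tcp-tunnel")
    for segment in parsed.path.split("/"):
        decoded = decode_b64_segment(segment)
        if decoded is not None:
            reasons.append("b64-path:" + decoded)
    return reasons


def triage(log_text):
    """Match every log line against the indicators and return the hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash mid-triage
        ts, client, _method, url = parts
        reasons = classify(url)
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

Exact URL and IP matches are the strongest signals; the ngrok heuristic and the base64 decoder only surface items for an analyst to look at, which is why each hit carries its list of reasons rather than a single verdict.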

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that arrive by email. Your staff should be aware that even trustworthy sources can lead to infection and to the theft of passwords or other credentials. It won’t take long to check a file in a sandbox such as ANY.RUN: several minutes are enough to detect RedLine, and you will be good to go. Stay safe.
