BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
3
Global rank
9 infographic chevron month
Month rank
13 infographic chevron week
Week rank
3304
IOCs

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Stealer
Type
ex-USSR
Origin
1 March, 2020
First seen
22 May, 2024
Last seen
Also known as
RedLine

How to analyze RedLine Stealer with ANY.RUN

Type
ex-USSR
Origin
1 March, 2020
First seen
22 May, 2024
Last seen

IOCs

IP addresses
5.42.65.115
185.237.165.180
185.172.128.33
95.217.152.142
5.42.65.85
147.45.47.93
45.15.156.167
185.215.113.67
103.74.106.117
5.42.65.77
185.161.248.75
185.172.129.61
45.147.198.7
94.156.8.28
193.161.193.99
65.108.69.168
159.69.246.184
45.153.186.187
91.92.251.179
79.137.192.7
Hashes
0acd3472f850ef8d3e5867417f1551c1b061ad503f1c6accc9ffc87320386d05
d0c5c16464ddc00beefbc6ea9dc81ecdcc78797cdc89f2a5ad89588b23b79bb7
661b9f4bedab8c94d71400c1fe55481c239145fcc85839b254c4a3e311aa8146
2c2ea614b5460f650653b1f84a55fe0d2447bc6c5284a1d8f67b70b629098809
7cba1d16540b3aaa668e65321a1bbda66fecc9f128f88b1e8a9342fe112951d6
45b6def20feedd1394fbf0c6c8884932836b315bd8acf4c03808f293628a1ca0
c6042a41a179c8c8a525a5fde7dd8617cbafa51ae5c19320bc661d86adc5465b
5e948a6d2ac9d5bc7b55ae54d9b6079d7669b9cea5e7fb4f0ef4774d2f3abf6f
3f6623052fd28adbaa40055250b7febee05efab0caad07b75aa8cc5dd1834c34
bd40ae0f9a2ee01b7156fb13219c0163738c64084eb5eba7ad69346918876c48
35d5a9f5cc15f80c1f63812a92c09d91e423040a7b1f17ce91199be5a0102218
54d2ae0a84ae282015105a2504818912ffee3c431cc5745db85b982dab513341
6274ee3d950476fbe54431553a2353fd1f77cdc95f89ae19e71e6250de6b9087
41352e9771b906b5913a9e6a9ecd3fe423bc3e91993a5373a67f7226a6eb6abf
4525b27628224b28d7e41c81acf35d294afce957accc1820122c9ffae57a0fa6
c0f594a7b596ae837b66e85288976bfe55077d510d841cdfe41a0e42325f6c6e
be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
e36f12d9c4bda01b7e6b24a8ddb0736d9cff633d7314c8521af761e4095e1193
c2336dd716a9874b88aeb21a831551bddc54483b1e865ecdb49481c0af430984
279bb98c565cf83926214d8a4511f001c60bdcc083ea87e1e55960297d415e98
Domains
0.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
6.tcp.eu.ngrok.io
beshomandotestbesnd.run.place
viacetequn.site
diyndishad.xyz
7.tcp.eu.ngrok.io
0.tcp.in.ngrok.io
siyatermi.duckdns.org
rights-mountains.gl.at.ply.gg
2.tcp.eu.ngrok.io
jennerardar.xyz
diosadbauas.tk
4.tcp.ngrok.io
jalocliche.xyz
chardhesha.xyz
gallery-gulf.gl.at.ply.gg
ae1.localto.net
6.tcp.ngrok.io
URLs
http://94.156.8.28:65012/
http://beshomandotestbesnd.run.place:1111/
http://94.156.8.229:1334/
http://195.10.205.91:1707/
http://64.188.27.210:4483/
http://91.92.252.220:1337/
http://91.92.243.131:15108/
http://172.86.101.115:4483/
http://162.120.71.68:4483/
http://91.198.77.158:4483/
http://91.92.254.174:1334/
http://185.172.129.234:34244/
http://185.147.34.93:55615/
http://93.123.39.68:1334/
http://185.222.58.67:55615/
http://45.88.186.20:61188/
http://94.156.66.169:1334/
http://103.173.227.25:12664/
http://91.92.255.187:1334/
http://82.147.85.198:9180/
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 51
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 723
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 570
comments 0

What is RedLine Stealer?

RedLine Stealer or RedLine is malware that can collect users’ confidential information and deliver other malicious programs. The availability and flexibility of the stealer cause financial loss, data leakage, targeting both enterprise and personal devices. Healthcare and manufacturing sectors suffer the most from these attacks.

The malware appeared in March 2020 according to the Proofpoint investigation. Since then RedLine has just gained steam. It was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on the legit-looking website that provides privacy tools. However, based on the payload analysis, only malware can be found there.

General description of RedLine malware

RedLine is an infostealer that takes information about users from browsers, systems instant messaging, and file transfer protocol clients. The main target is passwords, credit card information, username, location, autofill data, cookies, software set, and even hardware configuration like keyboard layout, UAC settings, etc. The virus is also capable of stealing cryptocurrency.

The malicious program acts as a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Moreover, attackers make use of RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is quite popular as there is no problem finding it. Underground forums, C&C panels offer different options such as malware-as-a-service versions or a subscription. The price varies from $100 to $200.

One cannot tell that RedLine Stealer is a sophisticated malware like ransomware. It has the usual features typical for this family. However, it is .Net malware written in C# and the code quality is high enough to reveal an experienced programmer behind it. Cybercriminals also work hard to update malware, like downloading secondary payloads and advanced filtering features.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch the RedLine in action in an interactive sandbox simulation

redline stealer process graph

Figure 1: Displays the lifecycle of RedLine in a visual form as a process graph generated by ANY.RUN

redline stealer report

Figure 2: A customizable text report generated by ANY.RUN allows users to take an even deeper look at the malware and helps to share the research results.

RedLine Stealer execution process

Typically the execution process of that stealer is plain and straightforward. Based on the analysis, the main binary launches itself and the parent process stops. It also may be dropped from another binary or be the main binary itself. When a child process is created, the main malicious activity starts – RedLine collects information from the infected system such as passwords and others, and sends it to the Command & Control panel. When all information is collected and sent, the stealer just quits execution. Stolen information is sent in both non-encrypted and base64 encoded formats.

Distribution of RedLine

Attackers are not very creative with the delivery method of the virus. However, as the ransomware story, the method works perfectly – social engineering for different email campaigns including business email compromise, spam, fake updates, ads in Google result in malicious attachments or links. We can notice the big variety of file formats here:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

If you open the files in the attachment, RedLine will download other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

At the moment, analysts can quickly recognize the info stealer because it will be tagged after Suricata IDS rules are triggered. Since the malicious program sends the stolen info to its panel just right after the start of the execution, it won't take a lot of time.

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that get into your email. Your staff should be aware that even trustworthy sources can lead to infection and password or other credentials’ theft. It won’t take long to check a file in a sandbox such as ANY.RUN. Several minutes will be enough to detect RedLine and you will be good to go. Stay safe.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy