BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
4
Global rank
8 infographic chevron month
Month rank
5 infographic chevron week
Week rank
3400
IOCs

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Stealer
Type
ex-USSR
Origin
1 March, 2020
First seen
14 July, 2024
Last seen
Also known as
RedLine

How to analyze RedLine Stealer with ANY.RUN

Type
ex-USSR
Origin
1 March, 2020
First seen
14 July, 2024
Last seen

IOCs

IP addresses
89.23.101.114
1.2.3.4
77.91.124.55
185.215.113.67
77.105.135.107
212.162.149.77
91.92.245.105
91.92.249.24
204.10.160.198
91.92.243.245
172.81.131.198
185.196.9.26
94.228.166.68
89.23.96.98
185.172.128.33
4.185.56.82
185.91.127.219
84.38.134.17
46.183.222.27
95.217.197.197
Hashes
56a2ce8e0e57dac8472377f2f3c4286a72ffe1326ee568b9632ce7d25961bbe0
303beac4f4f77b0b7c6ca8e9941594b740f2ddcf411e75d8b956362c26378c26
96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
fd0625127c2d57a7509ed9da03d184ea7e40a7fcbf39fb08ce6bdb30ae6bf051
9380a1586667e94d7aeaaea043a6d7ee79bc2bf11507e36dee25ee0a80fabb3d
35ca759244d2cf56f01342a92ff0fef63c96d26fb8a4b5b36a04ed1fe4dc34ff
5ad941ef965799b116e49c2468f4c06148fbf7616127fb359982bbf071a09a26
5d50a1577ee0791e7aba6bf8e679b4795d533a3daa54177ce8a0ec25cc8d3df2
9a72adec6cff3b0e01deb274a67469cb4226bdf7794010c39425806538275e84
6274ee3d950476fbe54431553a2353fd1f77cdc95f89ae19e71e6250de6b9087
88fdfe1871031c0b99c274a6ecd25db501a4e8ddcd80eb52199c8fa8572c32a0
2b8416027771d98074103d1b3e795cb8f458d4b56c1f01c50bba0b9cc291de4f
cccd52f20b805e1df2920afa9a4abc78aefcff907e99ed7f94fdb46a889d30c6
5fd7d8a189dd4e5cb0005d48508b4e6f88fe07550c83d3ac110656a8b558d3f5
117d94b91f527bf933376224c51e8eda685db33fe56c698e04d55fbf0a90be46
e748eb9edda2ec9503bd01137e398e447294a6796d9c52618d07c03601822b29
cc7bcdfee502f5cc0c042b3a97ef737afa5cccb46a2dadaa02bcf74faf6fd8ac
c2336dd716a9874b88aeb21a831551bddc54483b1e865ecdb49481c0af430984
e298f86eab0e2f44603b7640af6f89269dd2e00115e778f3d2e6bddde0a5f39c
Domains
amrican-sport-live-stream.cc
5.tcp.eu.ngrok.io
list-enjoyed.gl.at.ply.gg
microsoft-andreas.gl.at.ply.gg
yabynennet.xyz
2.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
0.tcp.eu.ngrok.io
7.tcp.eu.ngrok.io
daddy.linkpc.net
people-climbing.gl.at.ply.gg
0.tcp.in.ngrok.io
ns.edahua.top
4.tcp.ngrok.io
6.tcp.eu.ngrok.io
beshomandotestbesnd.run.place
viacetequn.site
diyndishad.xyz
siyatermi.duckdns.org
rights-mountains.gl.at.ply.gg
URLs
http://161.129.65.145:4483/
http://45.137.22.124:55615/
http://185.222.58.91:55615/
http://79.110.49.209:37552/
http://185.222.58.79:55615/
http://95.142.46.3:49743/
http://185.222.58.77:55615/
http://45.137.22.68:55615/
http://45.137.22.67:55615/
http://beshomandotestbesnd.run.place:1111/
http://94.156.8.28:65012/
http://94.156.8.229:1334/
http://195.10.205.91:1707/
http://64.188.27.210:4483/
http://91.92.252.220:1337/
http://91.92.243.131:15108/
http://172.86.101.115:4483/
http://162.120.71.68:4483/
http://91.198.77.158:4483/
http://91.92.254.174:1334/
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q2, 2024 
watchers 1345
comments 0
post image
A Guide to Common Encryption Algorithms in Mo...
watchers 361
comments 0
post image
Search for Network Threats by Suricata in TI...
watchers 685
comments 0

What is RedLine Stealer?

RedLine Stealer or RedLine is malware that can collect users’ confidential information and deliver other malicious programs. The availability and flexibility of the stealer cause financial loss, data leakage, targeting both enterprise and personal devices. Healthcare and manufacturing sectors suffer the most from these attacks.

The malware appeared in March 2020 according to the Proofpoint investigation. Since then RedLine has just gained steam. It was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on the legit-looking website that provides privacy tools. However, based on the payload analysis, only malware can be found there.

General description of RedLine malware

RedLine is an infostealer that takes information about users from browsers, systems instant messaging, and file transfer protocol clients. The main target is passwords, credit card information, username, location, autofill data, cookies, software set, and even hardware configuration like keyboard layout, UAC settings, etc. The virus is also capable of stealing cryptocurrency.

The malicious program acts as a typical stealer such as Raccoon or Pony: it uploads and downloads files, executes commands, and reports information about the infected machine. Moreover, attackers make use of RedLine to deliver ransomware, RATs, trojans, and miners.

The infostealer is quite popular as there is no problem finding it. Underground forums, C&C panels offer different options such as malware-as-a-service versions or a subscription. The price varies from $100 to $200.

One cannot tell that RedLine Stealer is a sophisticated malware like ransomware. It has the usual features typical for this family. However, it is .Net malware written in C# and the code quality is high enough to reveal an experienced programmer behind it. Cybercriminals also work hard to update malware, like downloading secondary payloads and advanced filtering features.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

RedLine malware analysis

ANY.RUN allows researchers to perform the analysis and watch the RedLine in action in an interactive sandbox simulation

redline stealer process graph

Figure 1: Displays the lifecycle of RedLine in a visual form as a process graph generated by ANY.RUN

redline stealer report

Figure 2: A customizable text report generated by ANY.RUN allows users to take an even deeper look at the malware and helps to share the research results.

RedLine Stealer execution process

Typically the execution process of that stealer is plain and straightforward. Based on the analysis, the main binary launches itself and the parent process stops. It also may be dropped from another binary or be the main binary itself. When a child process is created, the main malicious activity starts – RedLine collects information from the infected system such as passwords and others, and sends it to the Command & Control panel. When all information is collected and sent, the stealer just quits execution. Stolen information is sent in both non-encrypted and base64 encoded formats.

Distribution of RedLine

Attackers are not very creative with the delivery method of the virus. However, as the ransomware story, the method works perfectly – social engineering for different email campaigns including business email compromise, spam, fake updates, ads in Google result in malicious attachments or links. We can notice the big variety of file formats here:

  • Office
  • PDF
  • RAR and ZIP
  • Executable files
  • JavaScript

If you open the files in the attachment, RedLine will download other malicious programs.

How to detect RedLine infostealer using ANY.RUN?

At the moment, analysts can quickly recognize the info stealer because it will be tagged after Suricata IDS rules are triggered. Since the malicious program sends the stolen info to its panel just right after the start of the execution, it won't take a lot of time.

Conclusion

The best way to protect your organization or device from RedLine is to be cautious with suspicious files and links that get into your email. Your staff should be aware that even trustworthy sources can lead to infection and password or other credentials’ theft. It won’t take long to check a file in a sandbox such as ANY.RUN. Several minutes will be enough to detect RedLine and you will be good to go. Stay safe.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy