File name:

Redline Stealer.rar

Full analysis: https://app.any.run/tasks/0c30eeff-3ac4-4e7b-b427-b97959f6da1f
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Malware Trends Tracker     >>>
Analysis date: October 05, 2022, 01:31:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
redline
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D7415F1D29E97D582C278CF3DF04ADE4

SHA1:

E4AB5E38EDC6A106CF6ED5A97DED120DF49650EE

SHA256:

4191CD799AD6D4F6D7ABDF79C91172FF042CA4C6ECC53F1F01BE5F673CAA9656

SSDEEP:

49152:03PZM4v/kvGmEr61v/onGCRh3un7ehyl3tR2:036o/uGTr6B/oGCLC33tQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3884)
      • RedLine.MainPanel-cracked.exe (PID: 2840)

    • Application was dropped or rewritten from another process

      • RedLine.MainPanel-cracked.exe (PID: 2840)

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3160)

    • REDLINE detected by memory dumps

      • RedLine.MainPanel-cracked.exe (PID: 2840)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3160)
      • RedLine.MainPanel-cracked.exe (PID: 2840)

    • Checks supported languages

      • WinRAR.exe (PID: 3160)
      • RedLine.MainPanel-cracked.exe (PID: 2840)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3160)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3160)

    • Reads Environment values

      • RedLine.MainPanel-cracked.exe (PID: 2840)

  • INFO

    • Manual execution by user

      • RedLine.MainPanel-cracked.exe (PID: 2840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs #REDLINE redline.mainpanel-cracked.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2840"C:\Users\admin\Desktop\Redline Stealer\RedLine.MainPanel-cracked.exe" C:\Users\admin\Desktop\Redline Stealer\RedLine.MainPanel-cracked.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
RedLinePanel
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\redline stealer\redline.mainpanel-cracked.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3160"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Redline Stealer.rar"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
3884"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
2 065
Read events
2 034
Write events
31
Delete events
0

Modification events

(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3160) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Redline Stealer.rar
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
14
Suspicious files
5
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Newtonsoft.Json.dllexecutable
MD5:6815034209687816D8CF401877EC8133
SHA256:7F912B28A07C226E0BE3ACFB2F57F050538ABA0100FA1F0BF2C39F1A1F1DA814
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\MetroSet UI.dllodttf
MD5:F13DC3CFFEF729D26C4DA102674561CF
SHA256:D490C04E6E89462FD46099D3454985F319F57032176C67403B3B92C86CA58BCB
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.pdbbinary
MD5:C0A69F1B0C50D4F133CD0B278AC2A531
SHA256:A4F79C99D8923BD6C30EFAFA39363C18BABE95F6609BBAD242BCA44342CCC7BB
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.dllexecutable
MD5:7546ACEBC5A5213DEE2A5ED18D7EBC6C
SHA256:7744C9C84C28033BC3606F4DFCE2ADCD6F632E2BE7827893C3E2257100F1CF9E
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.Pdb.dllexecutable
MD5:6CD3ED3DB95D4671B866411DB4950853
SHA256:D67EBD49241041E6B6191703A90D89E68D4465ADCE02C595218B867DF34581A3
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.Pdb.pdbbinary
MD5:8E07476DB3813903E596B669D3744855
SHA256:AA6469974D04CBA872F86E6598771663BB8721D43A4A0A2A44CF3E2CD2F1E646
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\protobuf-net.dllexecutable
MD5:D16FFFEB71891071C1C5D9096BA03971
SHA256:141B235AF8EBF25D5841EDEE29E2DCF6297B8292A869B3966C282DA960CBD14D
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.Rocks.dllexecutable
MD5:C8F36848CE8F13084B355C934FC91746
SHA256:A08C040912DF2A3C823ADE85D62239D56ABAA8F788A2684FB9D33961922687C7
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.Mdb.dllexecutable
MD5:DC80F588F513D998A5DF1CA415EDB700
SHA256:90CFC73BEFD43FC3FD876E23DCC3F5CE6E9D21D396BBB346513302E2215DB8C9
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\System.Drawing.Pen.dllexecutable
MD5:1D4E91345A76C90E0849C9389E66FE8C
SHA256:1D820D1C1E9D661603CD32177FB128C9A6844FE2492B6FBB3120BD37553663B0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Redline Stealer.rar