Redline Stealer is a popular credential stealer distributed via fake software and advertising channels, featuring obfuscation, loader capabilities, and C2 over a non-standard channel. The threat actor uses an AutoIt wrapper, a configurable loader, and a robust management panel to control data collection across hosts, with CIS-specific exfiltration restrictions. #RedlineStealer #AnyDesk
Keypoints
- Redline Stealer is largely distributed through fake software, YouTube ads, and other third-party platforms.
- An AutoIt wrapper and crypting services obfuscate the stealer binary, aiding evasion.
- Loader tasks enable actions on the infected host such as file download, process injection, and command execution.
- Redline communicates with its C2 over Windows Communication Foundation (WCF) using NetTCPBinding.
- Redline explicitly avoids exfiltrating logs from Commonwealth of Independent States (CIS) countries.
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – The stealer is obfuscated using an AutoIt wrapper and crypting services. “AutoIt wrapper and various crypting services to obfuscate the stealer binary.”
- [T1055] Process Injection – The stealer is injected into the jsc.exe process after being decrypted by a renamed AutoIt process. “the stealer is injected into jsc.exe process after being decrypted by a renamed AutoIt process.”
- [T1036] Masquerading – The threat looks for PSUAService.exe and uses a renamed AutoIt tool to execute when antivirus is not present. “If the mentioned antivirus is not present on the system, the malware will execute the main payload with the renamed AutoIt tool.”
- [T1053.005] Scheduled Task – A scheduled task named Puoi runs every 3 minutes to ensure periodic C2 communication. “the scheduled task is named Puoi and is set to run the z file under folder %TEMP%zqNDtAgMrV … every 3 minutes”
- [T1095] Non-Application Layer Protocol – C2 communication occurs via Windows Communication Foundation (WCF) with NetTCPBinding. “Windows Communication Foundation (WCF) with NetTCPBinding for C2 communication.”
- [T1082] System Information Discovery – The stealer enumerates the host for browsers, FTP, security tools, software, and crypto wallets. “enumeration on the victim’s machine looking for installed browsers, FTP connections, security tools, software, crypto wallets”
- [T1555.003] Credentials from Web Browsers – The stealer collects browser credentials, cookies, autofill data, and payment cards from browsers. “Grabbing cookies, autofill, credit cards, login, and passwords from browsers.”
- [T1113] Screen Capture – The malware collects screenshots among the data logs and system information. “screenshot” is included in the logs and captured data (e.g., Figure 9, Figure 44-45).
- [T1041] Exfiltration to C2 – Logs and collected data are assembled and sent to the attacker via the C2 channel. “PartsSender class contains all the information (logs) that are sent to the attacker …”
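As an added detection example (not code from the eSentire write-up), the following Python checks a Task Scheduler task definition, as exported by schtasks /XML or carried in the TaskContent field of event 4698, for the traits of the Puoi task described under T1053.005 above: an action launched from a temp directory, a target with no file extension, and a repetition interval of a few minutes. The sample task XML is constructed, and the folder/file layout %TEMP%\zqNDtAgMrV\z is an assumption about how the page's path is laid out.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (used by schtasks /XML and in the TaskContent of event 4698).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task definition, modelled on the Puoi task described above.
# The folder/filename layout %TEMP%\zqNDtAgMrV\z is an assumption, not quoted from the page.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval></Repetition>
      <StartBoundary>2023-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%TEMP%\zqNDtAgMrV\z</Command></Exec>
  </Actions>
</Task>"""


def interval_seconds(iso_duration):
    """Convert an ISO-8601 duration such as PT3M or P1DT2H to seconds (D/H/M/S only)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso_duration)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def suspicious_task_reasons(task_xml, max_interval=300):
    """Return the reasons a task definition resembles the Redline persistence task (empty = benign)."""
    root = ET.fromstring(task_xml)
    reasons = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        if re.search(r"(?i)%temp%|\\AppData\\Local\\Temp\\", path):
            reasons.append(f"action runs from a temp directory: {path}")
        if not re.search(r"\.[A-Za-z0-9]{1,4}$", path.split("\\")[-1]):
            reasons.append(f"action target has no file extension: {path}")
    for iv in root.findall(".//t:Repetition/t:Interval", NS):
        secs = interval_seconds((iv.text or "").strip())
        if secs is not None and secs <= max_interval:
            reasons.append(f"trigger repeats every {secs} s")
    return reasons


if __name__ == "__main__":
    for reason in suspicious_task_reasons(SAMPLE_TASK_XML):
        print(reason)
```

Tune max_interval to your environment; legitimate software rarely schedules a task every few minutes from a user temp directory, so a hit on all three reasons deserves triage.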
Indicators of Compromise
- [MD5] ee5c2ec0ec6d2b5b9c2396fb7513f83b – MD5 hash of the extracted Redline payload (Test.exe).
- [Filename] Saputo.potm, Ritornata.potm, Imagine.potm – cab extractor contents embedded in the RCData cabinet file inside the AnyDesk binary.
- [Filename] Test.exe – original filename of the Redline payload inside the CAB extraction.
- [Filename] NTDLL.DLL – dropped into the TEMP folder as part of the runtime bypass technique.
- [Filename] jsc.exe – target process injection host for the Redline payload.
- [Filename] PSUAService.exe – renamed AutoIt loader used to bypass antivirus checks.
- [Domain] tempuri.org – default WCF namespace for the C2 channel.
- [Domain] example.com – direct link reference used in loader tasks (e.g., payload downloads).
Read more: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-redline-stealer