A Detailed Analysis of the RedLine Stealer

RedLine Stealer is a data-collection malware distributed as cracked software. It harvests data from browsers, cryptocurrency wallets, and other applications, then exfiltrates the results via SOAP to a hard-coded C2 server. The report details its deployment, deobfuscation, cryptographic handling, wallet targeting, and broad system information collection and exfiltration capabilities.

Keypoints

  • RedLine Stealer is distributed as cracked games/apps and targets data from browsers, crypto-wallets, and various apps (FileZilla, Discord, Steam, Telegram, VPN clients).
  • Initial dropper masquerades as a Netflix checker and decrypts a resource to %AppData%, then launches the main payload.
  • The stealer uses AES with hard-coded key/IV, saves decrypted payload as winlogon.exe, and retrieves/loads modules via RunPE for execution.
  • C2 communications use SOAP over HTTP/WCF, with a hard-coded C2 server and Release ID; data is sent in XML via SOAP.
  • It catalogs extensive host information (antivirus, languages, programs, processes, hardware, etc.) and can exfiltrate documents, wallet data, and more depending on server instructions.
  • Wallet research targets numerous wallets (Armory, Atomic, Exodus, Jaxx Liberty, Guarda, etc.), searches for wallet files, and exfiltrates related data like wallet.dat, keys, and config files.

MITRE Techniques

  • [T1033] Account Discovery – The malware uses environment data and usernames to build a machine identity (e.g., “The machine name which is in fact the username associated with the process”).
  • [T1082] System Information Discovery – It collects antivirus products, installed programs, running processes, OS version, processor, and graphics device information.
  • [T1083] File and Directory Discovery – It searches for Windows, Program Files, and ProgramData directories to locate targeted files.
  • [T1057] Process Discovery – It enumerates running processes and their command lines.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – It can execute commands via CMD (e.g., “command that is executed by the CMD.exe process”).
  • [T1012] Query Registry – It reads registry data (e.g., OpenSubKey of SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and shell\open\command paths) to extract software info.
  • [T1027] Obfuscated/Compressed Files and Information – The stealer's strings are obfuscated (the analysts deobfuscated the sample with de4dot), and the payload is decrypted with AES using a hard-coded key/IV.
  • [T1041] Exfiltration Over C2 Channel – It exfiltrates collected data via SOAP/XML to the C2 server.
  • [T1071.001] Web Protocols – C2 communications occur over HTTP using SOAP/XML, with a BasicHttpBinding for transport.
  • [T1047] Windows Management Instrumentation – It uses WMI queries to obtain host information like processor, memory, and OS details.
  • [T1055] Process Injection – The RunPE mechanism is used to spawn the stealer within another process.
  • [T1112] System Information Discovery (duplicate for emphasis) – Reiterates collection of hardware/software details reported to C2.

Indicators of Compromise

  • [SHA256] E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69 – Hash of the initial executable/dropper.
  • [Directory] %LocalApplicationData%\Yandex\YaAddon – Directory created by the malware for persistence/storage.
  • [File] %AppData%\winlogon.exe – Spawned process/file path for the decrypted payload.
  • [Domain] siyatermi.duckdns[.]org:17044 – Hard-coded C2 server address/port used for C2 communications.
  • [File] wallet.dat – Targeted wallet data indicated by wallet search (Ethereum/other wallets).
  • [File] wallet – Generic wallet-related file searches (e.g., wallet.dat or wallet) observed during exfiltration.
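As an added example (not code from the report or from SecurityScorecard), the following script turns the keypoints and indicators above into host-level detection logic: it flags a winlogon.exe running from %AppData% rather than System32, the YaAddon staging directory, the dropper hash, and contact with the hard-coded C2 host. The Sysmon-like event shape and the sample telemetry are constructed for the demonstration.

```python
import re

# Indicators from the report summary above: the dropper hash, the dropped-file paths and the C2 host/port.
DROPPER_SHA256 = "E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69"
C2_HOST = "siyatermi.duckdns.org"
C2_PORT = 17044
# winlogon.exe belongs under %SystemRoot%\System32; a copy under %AppData% (...\AppData\Roaming) is the stealer payload.
APPDATA_WINLOGON = re.compile(r"\\AppData\\Roaming\\winlogon\.exe$", re.IGNORECASE)
# %LocalApplicationData%\Yandex\YaAddon is the staging directory the malware creates.
YAADDON_DIR = re.compile(r"\\AppData\\Local\\Yandex\\YaAddon(\\|$)", re.IGNORECASE)


def classify(event):
    """Return the list of indicator names that one Sysmon-like event matches (empty if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        if APPDATA_WINLOGON.search(event.get("image", "")):
            hits.append("winlogon_in_appdata")
        if event.get("sha256", "").upper() == DROPPER_SHA256:
            hits.append("dropper_hash")
    elif kind == "file_create":
        path = event.get("path", "")
        if YAADDON_DIR.search(path):
            hits.append("yaaddon_dir")
        if APPDATA_WINLOGON.search(path):
            hits.append("winlogon_in_appdata")
    elif kind == "network_connect":
        # The host alone is the indicator; the port is recorded in the event for context.
        if event.get("host", "").lower() == C2_HOST:
            hits.append("c2_contact")
    return hits


def scan(events):
    """Map each indicator name to the list of event indexes that triggered it."""
    findings = {}
    for idx, event in enumerate(events):
        for name in classify(event):
            findings.setdefault(name, []).append(idx)
    return findings


# Constructed sample telemetry (not from the report); event 0 is the legitimate winlogon.exe and must not match.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\winlogon.exe", "sha256": "AA" * 32},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\winlogon.exe", "sha256": "BB" * 32},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Yandex\YaAddon\settings.bin"},
    {"type": "network_connect", "host": "siyatermi.duckdns.org", "dst_port": C2_PORT},
    {"type": "network_connect", "host": "example.com", "dst_port": 443},
    {"type": "process_create", "image": r"C:\Users\alice\Downloads\NetflixChecker.exe", "sha256": DROPPER_SHA256.lower()},
]

if __name__ == "__main__":
    for name, idxs in scan(SAMPLE_EVENTS).items():
        print(f"{name}: events {idxs}")
```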

Read more: https://securityscorecard.com/research/detailed-analysis-redline-stealer