Redline Stealer

Malware updated a day ago (2024-11-20T18:07:02.683Z)
Download STIX
Preview STIX
The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it employs skillful evasion tactics to remain undetected while it pilfers data. The malware creation process involves an OnCreateLastBuild handler that uses the CreateBuild method from a custom VSBuilder class. Affiliates can create new RedLine Stealer samples via a Builder tab, which requires inputs such as a RedLine panel server address, a Build ID, an error message to display, and an image to serve as the icon for the created sample. In 2022, another infostealer known as META Stealer emerged, believed to be a clone of RedLine Stealer and most likely created by the same threat actors. Analysis of the source code and backend samples confirmed that both malwares share the same creator. The comparison between RedLine Stealer (left) and META Stealer (right) source codes further substantiated this claim. Despite not being ransomware, both RedLine and META stealers have caused significant disruption across various sectors due to their persistent and elusive nature. A common thread identified in many RedLine Stealer samples is the certificate with the thumbprint 28F9A8E7601F5338BF6E194151A718608C0124A8, issued to Hangil IT Co., Ltd. This certificate, believed to be stolen, has been used to sign numerous RedLine Stealer samples and other malicious files. Although the certificate itself could not be collected, there is reason to believe that it might also be the same one used to sign RedLine panels, given its extensive use in signing a large number of RedLine Stealer and other malware samples.
Description last updated: 2024-11-15T16:07:58.293Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Redline is a possible alias for Redline Stealer. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor
12
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Windows
Payload
Loader
Telegram
Exploit
Infostealer
Malware Loader
Maas
Credentials
Malvertising
Trojan
Source
Youtube
Bot
Infostealer ...
Midjourney
Rmm
Macos
Rat
Github
Facebook
PowerShell
Fraud
Antivirus
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Batloader Malware is associated with Redline Stealer. Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personalUnspecified
5
The Lumma Stealer Malware is associated with Redline Stealer. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was diUnspecified
3
The Scrubcrypt Malware is associated with Redline Stealer. ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disruptUnspecified
3
The Smokeloader Malware is associated with Redline Stealer. SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its functUnspecified
3
The Lobshot Malware is associated with Redline Stealer. Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded inUnspecified
3
The Vidar Malware is associated with Redline Stealer. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malwUnspecified
3
The IcedID Malware is associated with Redline Stealer. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of dUnspecified
2
The Raccoon Malware is associated with Redline Stealer. Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $Unspecified
2
The Raccoon Stealer Malware is associated with Redline Stealer. Raccoon Stealer, a malware-as-a-service (MaaS) operation, emerged in 2019, designed by Russian-speaking developers to steal victims' sensitive data such as credit card information, email credentials, and cryptocurrency wallets. The malware was initially promoted exclusively on Russian-speaking hackiUnspecified
2
The Systembc Malware is associated with Redline Stealer. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage fUnspecified
2
The Amadey Malware is associated with Redline Stealer. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includUnspecified
2
The Hijackloader Malware is associated with Redline Stealer. HijackLoader is a new and rapidly growing malware in the cybercrime community, designed to exploit and damage computer systems. This malicious software infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once infiltrated, HijackLoader can steal personal Unspecified
2
The Darkgate Malware is associated with Redline Stealer. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicioUnspecified
2
The Ducktail Malware is associated with Redline Stealer. "Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates sysUnspecified
2
Source Document References
Information about the Redline Stealer Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
6 days ago
ESET
10 days ago
Flashpoint
20 days ago
DARKReading
23 days ago
Unit42
2 months ago
InfoSecurity-magazine
2 months ago
Unit42
a year ago
CERT-EU
2 years ago
Checkpoint
4 months ago
Unit42
4 months ago
ESET
5 months ago
Trend Micro
5 months ago
ESET
5 months ago
DARKReading
7 months ago
Recorded Future
7 months ago
ESET
8 months ago
CERT-EU
8 months ago
Securelist
8 months ago
CERT-EU
8 months ago
CERT-EU
8 months ago