The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

RedLine Stealer Delivered Via Fake Windows 11 Update

Mar 14, 2022 10:27:00 AM / by PolySwarm Tech Team

Redline_Blog

Background

Last month HP published research on RedLine Stealer, a stealer malware being delivered via fake Windows 11 updates. Almost a month later, RedLine Stealer continues to be active in the wild, with new samples surfacing over the past week.


What is RedLine Stealer?

RedLine Stealer is a stealer malware advertised on underground forums. It harvests various types of information including saved credentials, autocomplete data, cryptocurrency, and credit card information. It also takes a system inventory of the victim’s machine, gathering information on the username, location data, hardware configuration, and installed security software. RedLine Stealer can also upload and download files, execute commands, and send information about the infected computer to the C2. RedLine Stealer uses the WCF (Windows Communication Foundation) framework for C2 communication.


According to researchers at S2W, RedLine Stealer was released in 2020 and was originally distributed via malicious links on a YouTube description, masquerading as a free download. RedLine is currently offered as malware-as-a-service (MaaS), with pricing ranging between $100 - $200 USD per month. It was last updated as recently as January 2022.

The threat actors operating RedLine Stealer leverage three Telegram channels for conducting business: an official chat, the official RedLine page, and a Buy RedLine bot. Additionally, stolen logs obtained via RedLine Stealer are sold on an underground forum.

IOCs

PolySwarm has multiple samples associated with RedLine Stealer. A selection of sample hashes is found below.


Hashes
4293d3f57543a41005be740db7c957d03af1a35c51515585773cedee03708e54

7d5ed583d7efe318fdb397efc51fd0ca7c05fc2e297977efc190a5820b3ee316

C7bcdc6aecd2f7922140af840ac9695b1d1a04124f1b3ab1450062169edd8e48

6b089a4f4fde031164f3467541e0183be91eee21478d1dfe4e95c4a0bb6a6578

cd3f0808ae7fc8aa5554192ed5b0894779bf88a9c56a7c317ddc6a4d7c249e0e

38a5b96fd07f03041f6eff913b85fc621fa314e1de87326accb00ee218c37756

020fbe48b4da34a90d3422f211aa0338681a7cb9e99292b2b9d738a354ed97de

C6d48514031cc6e83445b95f9ed4e975f2cdcebc2e9cc1914605058ff7af7764

9ac01cc861cfe9e340c66a5cd527ab8a7e3de345b851ebcf07a7ca08eeee2f88

You can use the following CLI command to search for all RedLine Stealer samples in our portal:

$ polyswarm link list -f RedlineStealer


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Malware, RedLine Stealer, Microsoft, Windows, Infostealer

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts