An information stealer, or infostealer, is a form of Remote Access Trojan: malware that collects user information, such as credentials saved in the browser, and forwards it to the malicious actor. Attackers typically start with a social engineering lure and then infect the device through malicious attachments, websites, and ads.

First discovered in March 2020, RedLine was initially delivered in an email campaign that spoofed the email address of a legitimate coronavirus-cure research company. The RedLine Stealer infostealer variant offers a customizable file-grabber, enabling attackers to collect credentials from web browsers, cryptocurrency wallets, and applications, including:


Want to learn more about the lifecycle of a stealer malware attack? Take a look at our report, Dissecting the Dark Web Stealer Malware Lifecycle with the MITRE ATT&CK Framework.

The emails in this password stealer campaign abused the Folding@home brand, which is a distributed computing project for disease research, while also asking the recipient to help find a coronavirus cure. This campaign primarily targeted healthcare and manufacturing industries in the United States.

The RedLine password stealer virus is a new malware available for sale on Russian underground forums with several pricing options: a $150 lite version, a $200 pro version, and a $100/month subscription. It steals information from browsers such as logins, autocomplete data, passwords, and credit card details. It also collects information about the user and their system, such as the username, location, hardware configuration, and installed security software. A recent update to RedLine Stealer also added the ability to steal cryptocurrency cold wallets.

Proofpoint researchers have confirmed all functionality described in the forum advertisements. RedLine is a stealer that targets FTP clients (such as FileZilla and WinSCP), IM clients (such as Pidgin), cryptocurrency wallets, and browser cookies and settings. It also reports back a range of information about the system and can perform additional tasks such as downloading and running payloads.

Figure 9 shows an example of the network traffic generated by the stealer. Specifically, in this traffic the C&C configures the client settings (GrabBrowsers, GrabFTP, etc.) via the SOAP protocol over HTTP.
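A defender-side sketch of what that traffic pattern gives you to detect on: an added example (not code from the original article or from the malware) that pulls the HTTP body out of a captured message and reports any SOAP elements carrying the setting names mentioned above. The envelope layout and the `urn:example` namespace are constructed stand-ins, not a captured RedLine message.

```python
import xml.etree.ElementTree as ET

# Setting names the C&C is described as pushing to the client (the page names
# GrabBrowsers and GrabFTP); extend the set as further names are confirmed.
STEALER_SETTINGS = {"GrabBrowsers", "GrabFTP"}
SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"

def http_body(raw: bytes) -> bytes:
    """Split a captured HTTP message at the header/body boundary and return the body."""
    sep = raw.find(b"\r\n\r\n")
    return raw[sep + 4:] if sep != -1 else b""

def extract_stealer_settings(body: bytes) -> dict:
    """Parse a SOAP body and return {setting: value} for elements matching the known names."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    if root.tag != SOAP_NS + "Envelope":
        return {}
    found = {}
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]   # strip any XML namespace prefix
        if local_name in STEALER_SETTINGS:
            found[local_name] = (elem.text or "").strip()
    return found

def flag_http_message(raw: bytes) -> bool:
    """True when the message carries a SOAP envelope with at least one stealer setting."""
    return bool(extract_stealer_settings(http_body(raw)))

# Constructed sample: an HTTP response carrying a SOAP-style configuration push.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset=utf-8\r\n\r\n"
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<GetSettingsResponse xmlns="urn:example">'
    b'<GrabBrowsers>true</GrabBrowsers><GrabFTP>true</GrabFTP>'
    b'</GetSettingsResponse></s:Body></s:Envelope>'
)
# Constructed benign SOAP response with no stealer settings, for comparison.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<GetWeather xmlns="urn:example"><City>Oslo</City></GetWeather></s:Body></s:Envelope>'
)
```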

The RedLine Password Stealer virus, a new and previously undocumented malware, has appeared in a new email campaign aimed at U.S. healthcare and manufacturing organizations. It already has many of the standard information stealer features, as well as additional features such as downloading secondary payloads and advanced filtering. The developer appears to be actively working on and updating the malware.

This specific password stealer campaign used COVID-19 and Folding@home lures to make downloading this application seem plausible. We are currently observing many other actors trying COVID-19 email lures for a variety of nefarious purposes such as attempting to deliver malware, phishing, business email compromise, and spam.

The list of wallets targeted by RedLine stealer includes Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx. Targeted VPN clients are ProtonVPN, OpenVPN, and NordVPN.

Update 3 November 2020 - It is known that cyber criminals now use fake Inno Setup installers for TeamViewer to distribute RedLine stealer. Those installers are designed to execute the "wmiprvse.exe" file, which loads the malicious "msi.dll" that contacts the malicious URL that hosts the RedLine password stealer malware.

Update 9 November 2021 - Now RedLine stealer poses as LastPass, a legitimate password manager. There is a fake LastPass download page used to distribute an ISO file containing a file that starts the infection chain leading to the injection of the RedLine stealer.

The latest RedLine stealer version has additional capabilities. It collects more general information (such as Zip code, time zone, city, and installed hardware) and scans the system for running processes, installed browsers, FTP connections, and other data. It also checks for Discord, VPN, Steam, Telegram, and other clients, as well as crypto wallets.

Update 16 March 2022 - Threat actors are using YouTube to distribute RedLine stealer. They upload Valorant game videos with a website link in their description. That link supposedly downloads an auto-aiming bot. In reality, it downloads a malicious archive file containing a malicious executable file designed to infect computers with the RedLine stealer.

The first reports of RedLine Stealer go back to at least March 2020, and it quickly became one of the more popular infostealers sold in underground digital markets. The information harvested by RedLine Stealer is sold on dark net marketplaces for as low as 10 US dollars per set of user credentials. The malware emerged just as the world began to deal with increased numbers of COVID patients and the growing fear and uncertainty that can cause people to lower their guard, which may have prompted its developers to use COVID as its lure.

Normally, these are victims whose systems have been infected with any of the above-mentioned stealers and who have unknowingly had their account passwords and full browser details recorded and sent to marketplace operators. Generally, in such cases, each user profile includes login credentials for accounts on online payment portals, e-banking services, and file-sharing or social networking platforms. As such, it attempts to collect the following information from the browsers installed on the compromised machine, including all Chromium-based browsers and all browsers based on Gecko (i.e. Mozilla):

Notable capabilities within the Kill-Chain that are shared by these variants include:

- Code obfuscation using the XOR and RC4 algorithms, and future timestamps to bypass security systems.

- Modification of registry keys to establish persistence.

- WMI to drive local system queries and fingerprinting.

- The ability to delete files the malware creates, to help conceal cyberattacks.

The first three capabilities were present in previous reporting by security researchers. [4] New variants use a new code obfuscation tactic: XOR and RC4 encryption of payloads. PowerShell modules present in previous campaigns are absent in these versions of Redline stealer. [3, 4]
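The "future timestamps" item above is one of the cheaper triage checks to automate. The following is an added example (not code from the original page or from any of the cited reports) that reads the COFF `TimeDateStamp` from a PE header and flags samples compiled in the future; `build_minimal_pe` constructs a non-executable header-only fixture so the check can be exercised offline.

```python
import struct
import time
from typing import Optional

# Offsets from the PE/COFF file format (Microsoft PE specification).
E_LFANEW_OFFSET = 0x3C      # DOS header field pointing at the "PE\0\0" signature
COFF_TIMESTAMP_OFFSET = 8   # Signature (4) + Machine (2) + NumberOfSections (2)

def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return struct.unpack_from("<I", data, pe_off + COFF_TIMESTAMP_OFFSET)[0]

def has_future_timestamp(data: bytes, now: Optional[int] = None, slack: int = 86400) -> bool:
    """Flag a sample whose compile timestamp lies more than `slack` seconds in the future.

    The slack absorbs clock skew and build-farm time zones so legitimate fresh builds
    are not reported."""
    now = int(time.time()) if now is None else now
    return pe_timestamp(data) > now + slack

def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-executable PE header blob (test fixture, not real malware)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)           # 0x40-byte DOS header, mostly zeroed
    pe_off = 0x40
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, pe_off)
    # COFF header: Machine=IMAGE_FILE_MACHINE_I386, 1 section, TimeDateStamp, rest zeroed.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    now = int(time.time())
    for label, ts in (("past-dated", now - 86400 * 30), ("future-dated", now + 86400 * 365)):
        sample = build_minimal_pe(ts)
        print(f"{label}: TimeDateStamp={pe_timestamp(sample)} "
              f"suspicious={has_future_timestamp(sample, now)}")
```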


Indicators of Compromise (IOCs) on ThreatFox are associated with a specific malware family. A malware sample can be associated with only one malware family. The page below gives you an overview of the indicators of compromise associated with win.redline_stealer.

Today, Insikt Group released a report on RedLine Stealer, an infostealer malware that has become a key source of identity data marketed and sold on online criminal forums since its initial release in early 2020. It is just one example of many infostealers that Insikt Group has profiled over the last year that threat actors are currently using to gain access to compromised identities in order to conduct fraudulent activities.

First spotted in March 2020, RedLine Stealer is part of the infostealer family, a type of malware whose primary purpose, once it infects a computer, is to collect as much user data as possible and send it to the attackers, who typically put it up for sale online.

Initially developed by a programmer named REDGlade, the malware has been sold on several underground hacking forums since March 2020. After the stealer received positive reviews in a hacking forum thread, pirated versions of the RedLine Stealer were also released on hacking forums a few months later, in August this year, allowing it to spread to even more threat actors who didn't have to pay for it.

"Both Amigos Market and Russian Market were identified by Insikt Group (June 2021) posting identical listings regularly that contained the same timestamps, infostealer variants used, geographical locations of affected machines, and ISPs," Insikt Researchers said.

The Insikt team's findings come after a similar report from threat intelligence firm KELA from February 2020, which found that around 90% of stolen credentials sold on the Genesis Market came from infections with the AZORult infostealer.

The perfect example of what this disruption could achieve came in February 2020 when a Chrome update (that changed how credentials were stored inside the browser) stopped the flow of new stolen credentials on Genesis Market for months until the AZORult stealer was updated to handle the new format.

Since its discovery, attackers have used many different vectors to spread this stealer, including through fake installers and fake game hacking tools. Also, RedLine Stealer was found in compromised devices by the DEV-0537 hacking group (a.k.a. lapsus$).

After the initial region check, the stealer fetches the C2 configuration from the IP address obtained via the built-in configuration. Details regarding the communication will be covered in the Communication section of this report.

Various crypto wallets are targeted by the stealer. The configuration contains the name of the wallet and the environment variable to search from the user data directory for the corresponding application.

The core functionality of the RedLine stealer is implemented in two classes: FullInfoSender and PartsSender. These are not interdependent. The malware instantiates only one class based on the version check of the malware. The stealer retrieves the version ID stored in the built-in configuration and FullInfoSender is executed by malware versions above 1. There is no functional difference between the two classes and both follow exactly the same logic.

The stealer's functionality is spread across various methods. The additional capability outside the scope of FullInfoSender/PartsSender is the command/payload execution provided by the TaskResolver class, which will be covered in the following sections.
