redline | f769860a072bb26c3b311405c9549264362927ed2062553568261cbe3ae601f5

Analysis

max time kernel
80s
max time network
61s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
05-02-2025 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Redline Stealer v30.32.rar
Size

35.9MB
MD5

83b7d7b372b0301530afa139e0ea789e
SHA1

2a70ea95310abe1cf460bbc9d24d1f559f9e5427
SHA256

f769860a072bb26c3b311405c9549264362927ed2062553568261cbe3ae601f5
SHA512

ed915cc76f34ff41067fb432b87f9d6f31237d665aeb8c24d38d429e97cdaca06657278425713a0ef14ad284cf649efe13e9fa1d9dfe208f44aea179ac37ca17
SSDEEP

786432:FGr+WC2v+ET23NUNjL/T+Z78LfNMpW3W++f1:4rv+EIUNjogNwW3W++f1

Score

10^/10

redline discovery infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab20-76.dat	family_redline
behavioral1/memory/2812-79-0x0000000000B60000-0x0000000000BB4000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2812	RedlineBuilder.exe
3356	Panel.exe
3080	Panel.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	RedlineBuilder.exe
2812	RedlineBuilder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedlineBuilder.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe
3080	Panel.exe
3356	Panel.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1788	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	1788	7zFM.exe
Token: 35	1788	7zFM.exe
Token: SeSecurityPrivilege	1788	7zFM.exe
Token: SeDebugPrivilege	3356	Panel.exe
Token: SeDebugPrivilege	3080	Panel.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1788	7zFM.exe
1788	7zFM.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 2812	4448	cmd.exe	83
PID 4448 wrote to memory of 2812	4448	cmd.exe	83
PID 4448 wrote to memory of 2812	4448	cmd.exe	83
PID 3356 wrote to memory of 3080	3356	Panel.exe	87
PID 3356 wrote to memory of 3080	3356	Panel.exe	87

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v30.32.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Redline Stealer v30.32\builder\builder.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\Desktop\Redline Stealer v30.32\builder\RedlineBuilder.exe
  RedlineBuilder.exe -ip 1111 -id 11111 -by_parts -msg "error"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2812

C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\Panel.exe
"C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\Panel.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\Panel.exe
  "C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\Panel.exe" "--monitor"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\GuiLib.dll

Filesize
50KB

MD5
42d66964ee6b3aa7710f07803f2e9565

SHA1
1af7fdf8b45f0003810c3b0c13e982c5c865d557

SHA256
05e0e8394154edf4366d6af144934a7014a0ad06f571dfd1e132d7099c8118e9

SHA512
311cd9febd10db76e101a059410ddc4af35916ac88dda0719dd5e4f2473bcc8485161da576f9512f73716258e19f53b61515875ad0c590d1c8854ccfb525d8eb

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\IPLocator.dll

Filesize
34KB

MD5
c8b0ac355a4eccd2390775fd4f2f72bc

SHA1
a56a296cf3a9b82a02db244a4112954b2f79f59e

SHA256
0d1dc8a4030f457fd6323b3646f1ad8e062e2afb17845a6ffa29795dc618bb4d

SHA512
73e5dc0f863ce8f17bdc9166cdae0b35f115c1f4cc247be0c07d8dd2e8dba19c24827ce1989136247732cd28380b89eb843d736f67f93304bce7adf546558621

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\MetroSet UI.dll

Filesize
436KB

MD5
5aeea45913eb8475077a9547d7d3f2f3

SHA1
09931075a4fdffe7b051df6d3bc5b4a0bacdf019

SHA256
ef2a67849fbe0f1c99263bf0acfddf15a1b3668e49fd9d35868e147d8a4c8c73

SHA512
3f3ba1d117784aca8d6abfe84e9275da425fd23982aa1ce9af760a9e5d7cd5e9dc2e36a36cc6e190cb91e8b2c8888881cfd8feeb85c3249185d61273a1a1e0ff

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\Newtonsoft.Json.Schema.dll

Filesize
208KB

MD5
260a18bcc6d697d5c9f42299f2f34195

SHA1
de566fe1aa6d98310ddfa9d0773d1bdf47675c37

SHA256
b3cc57a64a89017c294927d93a24d10e5863287cdf32bd0f173386d3caebf5a8

SHA512
0451e2027ce21d1e7ed5267917b49c27f1e264ef58512d489da5d4359b62ceb7971ab2adec569a0626d9bcdeeae1f1f4744b5d0c8e1158a2af70c1e03d2cae29

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\Newtonsoft.Json.dll

Filesize
683KB

MD5
6815034209687816d8cf401877ec8133

SHA1
1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

SHA256
7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

SHA512
3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\Panel.exe

Filesize
12.1MB

MD5
85afedf22ca7d0561be4443e854459a7

SHA1
1fec08de68672a302f0df40ff30b22cee4d18057

SHA256
130a2379f8f07cec2cd9935bdf67bfcfbb977327f89f017dc16f19efc871d864

SHA512
e5229c4e67bc7d4ef8b53c94cfd017833797ecb52a93d71e9770ae50aaaa8e3e6c9b6433389f85255c2fe92bf94bdf1f6d1c49a01ac0809d7c8ccdb8c07dce03

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\Panel.exe.config

Filesize
26KB

MD5
14c52be5c2f2e05b34c971ab1c5a1f6e

SHA1
ca6af3aeef6b4f7d0b9d9199b985251d29aa65e2

SHA256
46de03cb4b125529c7aaf6024d3a287fb7c01bc5514664aae89d1a2f05af951a

SHA512
9266c85eb86115eef864e18bc46a5d2aae82e81ddbffc1589bad308ab1f7122d8a92bb5260e957a97350190bcaad27e93ad2bc1f7db1aaddc1c44a80dc728108

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\Pluralsight.Crypto.dll

Filesize
45KB

MD5
4ae6096005c37982c8b0c7b465d88da5

SHA1
93486afd78d1dba82722bee3ff7661e4740b9f05

SHA256
e3e598d322d72e6b717f6753d02d8f98a5436e884adbc0cc383e7a39a3c35b04

SHA512
86b52ab17120ec7c2941b7598c2b90ed8bce6f4c11a5c3e6e026c60f976ed58b042a8495c16f2a6a4dee8463da788a90ff6008069a133f566862afcc8ab65642

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\WindowsFirewallHelper.dll

Filesize
73KB

MD5
a37d8988990b3843182c51f1b9e5be4c

SHA1
d91b359403b3522cf718114174791b7b5c4de508

SHA256
2d8800d0ab20711af316fca20244cc06261a15021b2a78ac3ec6bd489f352594

SHA512
90776764006741cf54d1e29796de19f01845148bd1f9770ebc9205e02fd53987a0250f0c23409acd8bea573cfcbc48b6b7614e7726d484f1ab64682740f392a6

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\panelSettings.json

Filesize
5KB

MD5
346419d2a3f9f87e978adf74e99b61f7

SHA1
8dce4be68e65729c10c152fc9106117b49da8554

SHA256
f98125103ff50480a43581c4151f7b860595aaf4e91e781c4526916964ea3ced

SHA512
3dca4d30ac090f55d29157ebd1cb9885a2e2786eaa14c26f69a5f758ad82fa29d40e2ff7ba6c3999c251ba83225435ebbdccc8019bfceef54769e99dd25a4c1c

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\protobuf-net.dll

Filesize
274KB

MD5
d16fffeb71891071c1c5d9096ba03971

SHA1
24c2c7a0d6c9918f037393c2a17e28a49d340df1

SHA256
141b235af8ebf25d5841edee29e2dcf6297b8292a869b3966c282da960cbd14d

SHA512
27fb5b77fcadbe7bd1af51f7f40d333cd12de65de12e67aaea4e5f6c0ac2a62ee65bdafb1dbc4e3c0a0b9a667b056c4c7d984b4eb1bf4b60d088848b2818d87a

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\serviceSettings.json

Filesize
73B

MD5
f9d5b6cb3abf194a7d4174fb5114fc24

SHA1
b62700cf1b734926f14d9b05382270c4f868b181

SHA256
ae0f138e5860dc597e29566588fc9e64df46fc4407591bb549fbd642eab0f6c7

SHA512
96464a563b524ecb32154b4180772e3b6af5935684818b5f0b9f38f63c458f71498bce775c78db3bc7c279ee7dcf86d013f51f61cd8df4b23e426bd907f08c7d

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\stats.json

Filesize
174B

MD5
0f91aea181cd167baad6ef0f2f07176d

SHA1
924f29e47a17e4933a4d8db2627344657acbca20

SHA256
60f69cf6704a36cfdb8ca2b1304db90b8dc60ff1364ff225c9c97c928b4577cf

SHA512
025ecaaeb9972978792c86a5c5f0d4aa53dfcaf30ea867808cd398ed7ab1acf53e179393aeab0424bd23115fc267723d4fcb70107347fbb8ad3f1ff8e9c3d3dd

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\Panel\telegramChatsSettings.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\builder\RedlineBuilder.exe

Filesize
308KB

MD5
128cbb0f113189a8af347f14cb223357

SHA1
7472ff8bcf4b6ab90e30ec0352f0ecb44c655cf7

SHA256
a392dc6ad27dbc999aef5db8efaa63a65e570ca3bff7a79c5053ce7b7ba41a0e

SHA512
1bddf607e1e8ef32d39e16fcb9d9d87573f61ceee9a898c287ad236beaea818b223a28196395145a7b3eca5883e5da5b3a3dc0273fd66d64e103c24739868b35

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\builder\builder.bat

Filesize
581B

MD5
5bffd9e309e1d362608a5188a0f0cdba

SHA1
d87cca8b89fc5cc4e77453a8aa03a058c8b5e85b

SHA256
6fa6de2709d0e38c8b651747cd37f73262118c005ae89e37b80cce0eaad1ff88

SHA512
8e9b6e0d479b7ea7a1cebd41deb59a13beccf36552388c41ddaf341021a0d62c972846a665cb30948e84981828ec5622570a46bcdb48a8cb6ae0a9991acd5989

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.32\builder\dnlib.dll

Filesize
1.1MB

MD5
3d913aab7b1c514502c6a232e37d470e

SHA1
28ac2d1519ec5ea58b81fe40777645acc043b349

SHA256
bdb84aa16678189510def7c589851f6ea15e60ff977ea4c7c8c156504e6ac0ff

SHA512
311e8f73c52dd65cbaf9f6e008b3231090ea99edf3471bac63cca4156a37a0d874ac590b19c01b15e05345bb6a5b636a11698bbd4e88c59c138dd3f358800027

Download Submit
memory/2812-83-0x0000000005690000-0x00000000057B6000-memory.dmp

Filesize
1.1MB

Download
memory/2812-86-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/2812-79-0x0000000000B60000-0x0000000000BB4000-memory.dmp

Filesize
336KB

Download
memory/2812-87-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/2812-78-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/3080-100-0x000001A8BB2F0000-0x000001A8BB3A0000-memory.dmp

Filesize
704KB

Download
memory/3080-104-0x000001A8BC740000-0x000001A8BC7F8000-memory.dmp

Filesize
736KB

Download
memory/3080-106-0x000001A8BEF50000-0x000001A8BEF9A000-memory.dmp

Filesize
296KB

Download
memory/3080-102-0x000001A8BB240000-0x000001A8BB27A000-memory.dmp

Filesize
232KB

Download
memory/3080-108-0x000001A8BEF00000-0x000001A8BEF18000-memory.dmp

Filesize
96KB

Download
memory/3080-103-0x000001A8BB280000-0x000001A8BB2A2000-memory.dmp

Filesize
136KB

Download
memory/3080-98-0x000001A8A0DD0000-0x000001A8A0DE0000-memory.dmp

Filesize
64KB

Download
memory/3080-112-0x000001A8BC050000-0x000001A8BC060000-memory.dmp

Filesize
64KB

Download
memory/3080-94-0x000001A8BB1C0000-0x000001A8BB234000-memory.dmp

Filesize
464KB

Download
memory/3080-96-0x000001A8BB160000-0x000001A8BB172000-memory.dmp

Filesize
72KB

Download
memory/3080-120-0x000001A8BC010000-0x000001A8BC022000-memory.dmp

Filesize
72KB

Download
memory/3080-121-0x000001A8BC2B0000-0x000001A8BC2EC000-memory.dmp

Filesize
240KB

Download
memory/3356-91-0x000001FFCF690000-0x000001FFD02A4000-memory.dmp

Filesize
12.1MB

Download