Analytics Story: RedLine Stealer
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..
Why it matters
RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Sysmon EventID 1 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 11 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 12 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 13 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4663 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 4688 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log System 7040 | Windows | xmlwineventlog |
XmlWinEventLog:System |
References
- https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
- https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update
Source: GitHub | Version: 1