Analytics Story: RedLine Stealer
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..
Why it matters
RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4663 |  Windows |
XmlWinEventLog |
XmlWinEventLog:Security |
| Sysmon EventID 13 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Suricata | Other | suricata |
not_applicable |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 1 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows |
XmlWinEventLog |
XmlWinEventLog:Security |
| Windows Event Log System 7040 | Windows |
XmlWinEventLog |
XmlWinEventLog:System |
| Sysmon EventID 22 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
- https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update
- https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Source: GitHub | Version: 2