RedLine Stealer

Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Updates
• Last Updated: 2023-04-24
• Author: Teoderick Contreras, Splunk
• ID: 12e31e8b-671b-4d6e-b362-a682812a71eb

Narrative

RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.

Detections

Name	Technique	Type
Disable Windows Behavior Monitoring	Disable or Modify Tools, Impair Defenses	TTP
Disabling Defender Services	Disable or Modify Tools, Impair Defenses	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Non Chrome Process Accessing Chrome Default Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Non Firefox Process Access Firefox Profile Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Suspicious Process File Path	Create or Modify System Process	TTP
Windows Credentials from Password Stores Chrome Extension Access	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome LocalState Access	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome Login Data Access	Query Registry	Anomaly
Windows DisableAntiSpyware Registry	Disable or Modify Tools, Impair Defenses	TTP
Windows Event For Service Disabled	Disable or Modify Tools, Impair Defenses	Hunting
Windows Modify Registry Auto Minor Updates	Modify Registry	Hunting
Windows Modify Registry Auto Update Notif	Modify Registry	Anomaly
Windows Modify Registry Disable WinDefender Notifications	Modify Registry	TTP
Windows Modify Registry Do Not Connect To Win Update	Modify Registry	Anomaly
Windows Modify Registry No Auto Reboot With Logon User	Modify Registry	Anomaly
Windows Modify Registry No Auto Update	Modify Registry	Anomaly
Windows Modify Registry Tamper Protection	Modify Registry	TTP
Windows Modify Registry USeWuServer	Modify Registry	Hunting
Windows Modify Registry UpdateServiceUrlAlternate	Modify Registry	Anomaly
Windows Modify Registry WuServer	Modify Registry	Hunting
Windows Modify Registry wuStatusServer	Modify Registry	Hunting
Windows Query Registry Browser List Application	Query Registry	Anomaly
Windows Query Registry UnInstall Program List	Query Registry	Anomaly
Windows Service Stop Win Updates	Service Stop	Anomaly

Reference

• https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
• https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update

source | version: 1