Trojan:Win32/Redline.FG!MTB

The malware extracts a resource that will be decrypted and saved in the %AppData% directory.

The decrypted payload is saved in a file called winlogon.exe. The RedLine stealer is spawned by the process.

The following modules reveal some hints about the stealer’s functionalities:

The stealer communicates with the command-and-control (C2) server using SOAP messages.

The process stores data such as installed input languages, programs (including antivirus), running processes, processor information, and the graphics device in a class called ScanDetails.

The malware can locate and exfiltrate documents, CSV files, text files, and other types specified by the C2 serve.

The malicious process could turn on or turn off some functionalities based on the SOAP response. For example, by specifying a false value in the ScanWallets field, the binary doesn’t scan the system for cryptocurrency wallets.

The malicious binary creates a channel factory that will be used during network communications by initializing a new instance of the ChannelFactory class.

The malware obtains information such as the public IP address of the machine, the country, and zip code by querying the following websites: https://api.ip[.]sb/geoip, https://api.ipify[.]org, or https://ipinfo[.]io/ip. The WebClient.DownloadData method is used to download the resource.

Types of information RedLine steals

Browser

• Targets Chromium-based browsers (for example, Chrome and Opera) and Gecko-based browsers (for example, Mozilla Firefox).
• Extracts original_url, username_value, and password_value values from the logins table found in the “Login Data” database. These values are used in account.URL, account.Username and account.Password, respectively.
• Extracts host_key, path, is_secure, expires_utc, name, and encrypted_value values from the Cookies file.
• Extracts card_number_encrypted, name_on_card, expiration_month, and expiration_year values from the credit_cards table found in the “Web Data” database.

Cryptocurrency wallets

• Targets the following wallets, which are browser extensions:
• AtomicWallet
• BinanceChain
• BitAppWallet
• BraveWallet
• Coinbase
• EqualWallet
• GuardaWallet
• GuildWallet
• iWallet
• JaxxxLiberty
• MathWallet
• Metamask
• MewCx
• NiftyWallet
• RoninWallet
• SaturnWallet
• Tronlink
• Wombat
• YoroiWallet
• Extracts the Discord tokens and chat logs from the .log and .ldb files.
• Extracts the Steam client path from the SteamPath registry value.
• Looks for the folder that contains the Telegram application. The session data including images and conversations is stored in the tdata directory.

• Searches the filesystem for the %USERPROFILE%\AppData\Local\NameOfVPN directory and the VPN configuration file.
• Obtains a list of antivirus or antispyware products and third-party firewalls.
• Uses OpenSubKey to open the SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key, which contains the installed programs for program name and version extraction purposes.

Remote task actions

• The following actions are implemented by the stealer:

Sample used in this analysis

This trojan has multiple variants that exhibit different behaviors. This analysis is based on the following sample:

• E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69 (SHA-256)