top of page

Technical Analysis of the RedLine Stealer

RedLine is an information stealer which operates on a MaaS (malware-as-a-service) model. This stealer is available on underground forums, priced according to users’ needs. The loader replaces the content of the Regsvcs.exe process, which is spawned in the suspended state. Following that, RedLine PE gets mapped in the Regsvcs process and thread contexts are manipulated to point to the entry point of the stealer, thus allowing the malware to masquerade as a legitimate process on the system.



ATT&CK IDS: T1113 - Screen Capture, T1059 - Command and Scripting Interpreter, T1140 - Deobfuscate/Decode Files or Information, T1036 - Masquerading, T1055 - Process Injection, T1105 - Ingress Tool Transfer, T1083 - File and Directory Discovery, T1047 - Windows Management Instrumentation, T1016 - System Network Configuration Discovery, T1102 - Web Service, T1055.012 - Process Hollowing

Read More:

1 view


Комментарии отключены.
bottom of page