{
	"id": "2316e1da-5efa-4bc4-b1b0-3d4069ffda98",
	"created_at": "2026-04-06T01:31:12.466299Z",
	"updated_at": "2026-04-10T03:21:10.231593Z",
	"deleted_at": null,
	"sha1_hash": "27ba2b5264617cfdce40bc95c217b77fbb9cd2be",
	"title": "Credential Stealer RedLine Reemerges",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1341870,
	"plain_text": "Credential Stealer RedLine Reemerges\r\nPublished: 2022-07-27 · Archived: 2026-04-06 00:07:52 UTC\r\nWe at K7 Labs noticed that several RedLine Stealers were resurfacing, so we decided to analyze one such sample from our incident queue.\r\nThe sample we studied for this blog was an NSIS compiled binary with the NSIS script and the malicious binary in its overlay.\r\nUpon execution it drops 2 executables in the ‘AppData\\Roaming’ folder.\r\n1. @deadma3ay_crypted.exe\r\n2. 1079929187.exe\r\nIt then runs “@deadma3ay_crypted.exe” in the background, injects the malicious code into a suspended instance of the ClickOnce .Net utility named AppLaunch.exe and then proceeds to connect to the C2 server. The process tree below shows that AppLaunch.exe was started in a suspended state.\r\nFigure 1: Process tree\r\nFigure 2: @deadma3ay_crypted.exe creates a process which is in a suspended state\r\nFigure 3: AppLaunch.exe created and in a suspended state\r\nHighlighted above is the call to the API CreateProcessW with “dwCreationFlags” set to 0x00000004, meaning the process is started with the “CREATE_SUSPENDED” attribute.\r\nhttps://labs.k7computing.com/index.php/credential-stealer-redline-reemerges/\r\nPage 1 of 13\r\nThe binary “@deadma3ay_crypted.exe” was custom packed, so we dumped the file after unpacking it to find where the injection was being done.\r\nFigure 4: Stealer dumped in memory\r\n“@deadma3ay_crypted.exe” uses process hollowing to inject the RedLine Stealer into the benign AppLaunch.exe process.\r\nFigure 5: Version info of the RedLine Stealer sample\r\nRedLine Stealer Analysis\r\nThis binary contains an encoded string which upon decoding gives an IP address. To obtain the original IP the malware does the following: Base64 -\u003e XOR key(Bahs) -\u003e Base64. The XOR key used for decoding and the resulting IP address are both shown in Figure 6. The IP belongs to the C2 server.\r\nFigure 6: C2 server IP address decode\r\nWithin the malware there is code that terminates its process based on its geolocation; the code for the same is shown in Figure 7.\r\nFigure 7: Validating the geolocation\r\nThe IP mentioned earlier is decoded as below, and the malware keeps running the loop below until the connection to the C2 server is established. In this binary we found just one IP, but the code in Figure 8 suggests that there can be an array of IPs as well.\r\nFigure 8: Establishing connection to C2\r\nUsing this IP, a secure connection is established between the victim and the C2 server. Below is the code for the same.\r\nFigure 9: Code to request connection to the C2\r\nThe malware contains a huge list of base64 encoded wallet addresses. Below are the code snippets that refer to the encoded data and the actual data after decoding. The malware would supposedly use these in a clip \u0026 switch scenario at the victim’s end.\r\nFigure 10: Encoded wallet addresses\r\nFigure 11: Decoded wallet address list\r\nThe malware also scrapes information from various browsers’ data. Below are screen captures of code that steals information from Opera and Mozilla.\r\nFigure 12: Stealing browser information from Opera\r\nFigure 13: Getting Mozilla info\r\nIt then proceeds to collect users’ cookies and data from the browser’s locally saved data.\r\nThe malware also tries to steal information from Telegram’s saved data. The code for the same is shown in Figure 14.\r\nFigure 14: Getting Telegram data\r\nIt also touches the Discord data as shown in Figure 15.\r\nFigure 15: Getting Discord info\r\nIt then gets the Discord token using the regex given below\r\n“[A-Za-z\\d]{24}\\.[\\w-]{6}\\.[\\w-]{27}”\r\nand stores the value in a .txt file.\r\nFigure 16: Data stored in .txt file\r\nIn the text shown in Figure 16, if you remove the substring “Replace” you get the string Tokens.txt, which is the name of the file in which the malware stores the Discord data.\r\nFigure 17: Parsing FileZilla info xml\r\nThere was also code to extract information from FileZilla’s saved information in an xml file.\r\nFigure 18: Getting AV and VPN product username and password; products like NordVPN and OpenVPN\r\nIt also searches for information about firewall, antivirus and antispyware products, as well as any installed VPN software.\r\nFigure 19: Getting info on security product\r\nOnce the stealer has gathered all the information required, it saves that information in several randomly named variables. The list of variables is shown in Figure 20.\r\nFigure 20: Getting unique string\r\nOf these, the variable “kadsoji83” holds the unique identifier of the infected victim’s machine. The malware gathers various system information (Figure 21), computes its MD5 hash and assigns the resulting value to the variable mentioned earlier.\r\nFigure 21: Converting the info into MD5\r\nWe at K7 Labs provide detection against the latest threats and also for this newer variant of RedLine Stealer. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard their devices.\r\nIndicators of Compromise (IOC)\r\nHash | Name | K7 Detection Name\r\n3A00D25C7E4B9FA8C2BE12E4328C869F | RobloxFruits.exe | Trojan ( 005850dc1 )\r\nF3F316DB086068FBB16DF5B11827CF47 | @deadma3ay_crypted.exe | Trojan ( 005917021 )\r\n215935B2D09B884E4CFDDA7658671250 | 1079929187.exe | Trojan ( 0058f06c1 )\r\nC2\r\n185.200.191[.]18:80\r\nSource: https://labs.k7computing.com/index.php/credential-stealer-redline-reemerges/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/credential-stealer-redline-reemerges/"
	],
	"report_names": [
		"credential-stealer-redline-reemerges"
	],
	"threat_actors": [],
	"ts_created_at": 1775439072,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27ba2b5264617cfdce40bc95c217b77fbb9cd2be.pdf",
		"text": "https://archive.orkl.eu/27ba2b5264617cfdce40bc95c217b77fbb9cd2be.txt",
		"img": "https://archive.orkl.eu/27ba2b5264617cfdce40bc95c217b77fbb9cd2be.jpg"
	}
}