Credential Stealer RedLine Reemerges
Published: 2022-07-27 · Archived: 2026-04-06 00:07:52 UTC
Source: https://labs.k7computing.com/index.php/credential-stealer-redline-reemerges/

We at K7 Labs noticed that several RedLine Stealers were resurfacing, so we decided to analyze one such sample from our incident queue. The sample we studied for this blog was an NSIS-compiled binary with the NSIS script and the malicious binary in its overlay. Upon execution it drops two executables in the 'AppData\Roaming' folder:

1. @deadma3ay_crypted.exe
2. 1079929187.exe

It then runs "@deadma3ay_crypted.exe" in the background, injects the malicious code into a suspended instance of the ClickOnce .NET utility AppLaunch.exe, and then proceeds to connect to the C2 server. The process tree below shows AppLaunch.exe being started in a suspended state.

Figure 1: Process tree
Figure 2: @deadma3ay_crypted.exe creates a process which is in a suspended state
Figure 3: AppLaunch.exe created and in a suspended state

Highlighted above is the call to the API CreateProcessW with "dwCreationFlags" set to 0x00000004, meaning the process is started with the attribute CREATE_SUSPENDED.

The binary "@deadma3ay_crypted.exe" was custom packed, so we dumped the file after unpacking to find where the injection was being done.

Figure 4: Stealer dumped in memory

"@deadma3ay_crypted.exe" uses process hollowing to inject the RedLine Stealer into the benign AppLaunch.exe process.

Figure 5: Version info of the RedLine Stealer sample

RedLine Stealer Analysis

This binary contains an encoded string which, upon decoding, gives an IP address. To obtain the original IP the malware does the following: Base64 -> XOR with key "Bahs" -> Base64. The decoding using the XOR key and the resulting IP address are shown in Figure 6. The IP is that of the C2 server.
Figure 6: C2 server IP address decode

Within the malware there is code that terminates its process based on geolocation; the code for this is shown in Figure 7.

Figure 7: Validating the geolocation

The IP mentioned earlier is decoded as shown below, and the malware keeps running the loop below until a connection to the C2 server is established. In this binary we found just one IP, but the code in Figure 8 suggests that there can be an array of IPs as well.

Figure 8: Establishing connection to C2

Using this IP, a secure connection is established between the victim and the C2 server. Below is the code for the same.

Figure 9: Code to request connection to the C2

The malware contains a huge list of base64-encoded wallet addresses. Below are the code snippets that refer to the encoded data and the actual data after decoding. The malware would supposedly use these in a clip-and-switch scenario at the victim's end.

Figure 10: Encoded wallet addresses
Figure 11: Decoded wallet address list

The malware also scrapes information from various browsers' data. Below are screen captures of the code that steals information from Opera and Mozilla.

Figure 12: Stealing browser information from Opera
Figure 13: Getting Mozilla info

It then proceeds to collect users' cookies and data from the browser's locally saved data. The malware also tries to steal information from Telegram's saved data. The code for this is shown in Figure 14.
Figure 14: Getting Telegram data

It also touches the Discord data as shown in Figure 15.

Figure 15: Getting Discord info

It then gets the Discord token using the regex given below and stores the value in a .txt file.

[A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}

Figure 16: Data stored in .txt file

In the text shown in Figure 16, if you remove the substring "Replace" you get the string Tokens.txt, which is the file name in which the malware stores the Discord data.

Figure 17: Parsing FileZilla info xml

There was also code to extract information from FileZilla's saved information in an XML file.

Figure 18: Getting AV and VPN product username and password; products like NordVPN and OpenVPN

It also searches for firewall, antivirus and antispyware products' info, as well as information about any installed VPN software.

Figure 19: Getting info on security products

Once the stealer has gathered all the required information, it proceeds to save that information across several randomly named variables. Shown in Figure 20 is the list of variables.

Figure 20: Getting unique string

Of these, the variable "kadsoji83" is used to hold the unique identifier of the infected victim's machine. The malware gathers various system info (Figure 21), converts it into an MD5 hash and assigns the resultant value to the variable mentioned earlier.

Figure 21: Converting the info into MD5

We at K7 Labs provide detection against the latest threats, including this newer variant of RedLine Stealer.
Users are advised to use a reliable security product such as "K7 Total Security" and keep it up to date so as to safeguard their devices.

Indicators of Compromise (IOC)

Hash                              Name                    K7 Detection Name
3A00D25C7E4B9FA8C2BE12E4328C869F  RobloxFruits.exe        Trojan ( 005850dc1 )
F3F316DB086068FBB16DF5B11827CF47  @deadma3ay_crypted.exe  Trojan ( 005917021 )
215935B2D09B884E4CFDDA7658671250  1079929187.exe          Trojan ( 0058f06c1 )

C2: 185.200.191[.]18:80
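The IOC list above and the execution chain described at the start of the post (dropped binary in AppData\Roaming, AppLaunch.exe created suspended, then the C2 connection) can be turned into a small triage check over endpoint telemetry. The following is an added example, not K7 Labs' tooling: the event records are constructed, Sysmon-like dictionaries whose field names are an assumption rather than a real log schema, and the AppLaunch.exe path is an assumed location; the hashes, file names and C2 address are the ones from this page.

```python
"""Triage helper that checks endpoint telemetry against the IOCs in this write-up.

Added example, not K7 Labs' tooling. Records are constructed, Sysmon-like events;
field names (event, path, md5, image, parent_image, dest_ip, dest_port) are an
assumed schema. Hashes, file names and the C2 address come from the blog.
"""
import re
from typing import Dict, List

IOC_MD5 = {
    "3a00d25c7e4b9fa8c2be12e4328c869f": "RobloxFruits.exe",
    "f3f316db086068fbb16df5b11827cf47": "@deadma3ay_crypted.exe",
    "215935b2d09b884e4cfdda7658671250": "1079929187.exe",
}
C2_ADDRESS = ("185.200.191.18", 80)  # listed defanged on the page as 185.200.191[.]18:80

# Behavioural pattern from the post: an .exe dropped under AppData\Roaming
# spawning the ClickOnce utility AppLaunch.exe (the process-hollowing target).
DROP_DIR = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)
HOLLOW_TARGET = "applaunch.exe"


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one event record (empty list if clean)."""
    findings: List[str] = []
    kind = rec.get("event")

    if kind == "file_create":
        md5 = rec.get("md5", "").lower()
        if md5 in IOC_MD5:
            findings.append(
                f"known RedLine file hash ({IOC_MD5[md5]}) written to {rec.get('path')}")

    elif kind == "process_create":
        parent = rec.get("parent_image", "")
        image = rec.get("image", "")
        if image.lower().endswith(HOLLOW_TARGET) and DROP_DIR.search(parent):
            findings.append(
                f"AppLaunch.exe spawned by dropped binary {parent} (possible process hollowing)")

    elif kind == "network_connect":
        dest = (rec.get("dest_ip"), int(rec.get("dest_port", 0)))
        if dest == C2_ADDRESS:
            findings.append(
                f"connection from {rec.get('image')} to RedLine C2 {dest[0]}:{dest[1]}")

    return findings


def triage(records: List[Dict[str, str]]) -> List[str]:
    """Run check_record over a batch of events and collect every finding."""
    out: List[str] = []
    for rec in records:
        out.extend(check_record(rec))
    return out


# Constructed telemetry mirroring the chain in the blog (not real logs).
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"  # assumed path
SAMPLE_EVENTS = [
    {"event": "file_create", "path": r"C:\Users\victim\AppData\Roaming\@deadma3ay_crypted.exe",
     "md5": "F3F316DB086068FBB16DF5B11827CF47"},
    {"event": "file_create", "path": r"C:\Users\victim\AppData\Roaming\1079929187.exe",
     "md5": "215935B2D09B884E4CFDDA7658671250"},
    {"event": "process_create",
     "parent_image": r"C:\Users\victim\AppData\Roaming\@deadma3ay_crypted.exe",
     "image": APPLAUNCH},
    {"event": "network_connect", "image": APPLAUNCH,
     "dest_ip": "185.200.191.18", "dest_port": "80"},
    {"event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Example\app.exe"},  # benign, should not match
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The hash and C2 matches are exact indicators and will age quickly as the sample is repacked or the server moves; the parent/child check is the more durable of the three, since a freshly dropped binary in a user-writable directory launching AppLaunch.exe is rarely legitimate regardless of which stealer is behind it.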