Skip to content

Hide Navigation Hide TOC

RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916)

RedLine Stealer is an information-stealer malware variant first identified in 2020.(Citation: ESET RedLine Stealer November 2024)(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023) RedLine Stealer is a Malware as a Service (MaaS) and was reportedly sold as either a one-time purchase or a monthly subscription service.(Citation: ESET RedLine Stealer November 2024)(Citation: Veriti RedLine Stealer MAAS April 2023) Information obtained from RedLine Stealer has been known to be sold on the deep and dark web to Initial Access Brokers (IABs), who use or resell the stolen credentials for further intrusions.(Citation: Kroll RedLine Stealer August 2024)(Citation: Veriti RedLine Stealer MAAS April 2023)

Cluster A Galaxy A Cluster B Galaxy B Level
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 1
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware 1
RedLine Stealer - S1240 (8c8e8b01-b4b1-479b-a7a9-78c40a12b916) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2