{
  "description": "Enterprise techniques used by RedLine Stealer, ATT&CK software S1240 (v1.0)",
  "name": "RedLine Stealer (S1240)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.001", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has collected account information from the victim\u2019s machine.(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has utilized HTTP for C2 communications.(Citation: McAfee RedLine Stealer April 2024) [RedLine Stealer](https://attack.mitre.org/software/S1240) has also conducted C2 communications to hardcoded C2 servers over HTTPS.(Citation: ESET RedLine Stealer November 2024)(Citation: Splunk RedLine Stealer June 2023) [RedLine Stealer](https://attack.mitre.org/software/S1240) has leveraged the SOAP protocol for C2 communications.(Citation: Proofpoint RedLine Stealer March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1217", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) can collect information from browsers and browser extensions.(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has executed Windows [cmd](https://attack.mitre.org/software/S0106) using `ErrorHandler.cmd` to create scheduled tasks.(Citation: McAfee RedLine Stealer April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.011", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) malware has leveraged Lua bytecode to perform malicious behavior.(Citation: McAfee RedLine Stealer April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has obtained credentials from VPN services, FTP clients, and Instant Messenger (IM)/chat clients.(Citation: Kroll RedLine Stealer August 2024)(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) was designed to steal sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data.(Citation: ESET RedLine Stealer November 2024) [RedLine Stealer](https://attack.mitre.org/software/S1240) can also gather credentials from several browsers.(Citation: Kroll RedLine Stealer August 2024)(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has used Base64 to encode command and control traffic.(Citation: McAfee RedLine Stealer April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has collected data stored locally, including chat logs and files associated with chat services such as Steam, Discord, and Telegram.(Citation: ESET RedLine Stealer November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has decoded its payload prior to execution.(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1685", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) can disable security software and update services.(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1480", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has built-in settings to not operate based on the geolocation or country of the victim host.(Citation: ESET RedLine Stealer November 2024)(Citation: Proofpoint RedLine Stealer March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1041", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has sent victim data to its C2 server or RedLine panel server.(Citation: Proofpoint RedLine Stealer March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1657", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has collected data from cryptocurrency wallets and harvested credit card details from browsers.(Citation: ESET RedLine Stealer November 2024)(Citation: Kroll RedLine Stealer August 2024)(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023)(Citation: Veriti RedLine Stealer MAAS April 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has the ability to download additional payloads.(Citation: Kroll RedLine Stealer August 2024)(Citation: Veriti RedLine Stealer MAAS April 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) malware has masqueraded as legitimate software such as \"PDF Converter Software\", which has been distributed through poisoned search engine results that often resemble legitimate software lures, combined with typosquatted domains.(Citation: Kroll RedLine Stealer August 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has used obfuscation tools such as DNGuard and Boxed App to pack its code.(Citation: ESET RedLine Stealer November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has obfuscated scripts within text files used in execution.(Citation: McAfee RedLine Stealer April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has encrypted and encoded configuration data with Base64 and XOR functions.(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1012", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) can query the Windows Registry.(Citation: McAfee RedLine Stealer April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has achieved persistence via scheduled tasks.(Citation: McAfee RedLine Stealer April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) can capture screenshots on a compromised host.(Citation: McAfee RedLine Stealer April 2024)(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) can get a list of programs on the victim device.(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has identified installed antivirus software on the system.(Citation: Kroll RedLine Stealer August 2024)(Citation: Veriti RedLine Stealer MAAS April 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1539", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has stolen browser cookies and settings.(Citation: ESET RedLine Stealer November 2024)(Citation: Kroll RedLine Stealer August 2024)(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has used both valid certificates and self-signed digital certificates to appear legitimate.(Citation: ESET RedLine Stealer November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.007", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has been installed via MSI Installer.(Citation: McAfee RedLine Stealer April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) can collect information about the local system.(Citation: Kroll RedLine Stealer August 2024)(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023)(Citation: Veriti RedLine Stealer MAAS April 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has gathered detailed information about victims\u2019 systems, such as IP addresses and geolocation.(Citation: ESET RedLine Stealer November 2024)(Citation: Kroll RedLine Stealer August 2024)(Citation: Proofpoint RedLine Stealer March 2020) [RedLine Stealer](https://attack.mitre.org/software/S1240) has also checked the IP address from which it was being executed and leveraged an open-source IP geolocation lookup service.(Citation: McAfee RedLine Stealer April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) can retrieve the system default language and time zone.(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) can enumerate information about victims\u2019 systems, including IP addresses.(Citation: Kroll RedLine Stealer August 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has obtained the username from the victim\u2019s machine.(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023)(Citation: Veriti RedLine Stealer MAAS April 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) malware has been executed through the download of malicious files.(Citation: ESET RedLine Stealer November 2024)(Citation: Kroll RedLine Stealer August 2024)(Citation: Veriti RedLine Stealer MAAS April 2023) [RedLine Stealer](https://attack.mitre.org/software/S1240) has also lured users to install malware with an Install Wizard interface.(Citation: McAfee RedLine Stealer April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has an anti-sandbox technique that requires the malware to consistently check in with the C2 server; if the communication fails, [RedLine Stealer](https://attack.mitre.org/software/S1240) will not continue execution.(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1102", "comment": "[RedLine Stealer](https://attack.mitre.org/software/S1240) has leveraged legitimate file sharing web services to host malicious payloads.(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by RedLine Stealer", "color": "#66b1ff"}]
}