RedLine Stealer/AutoIT Malware Analysis


A recent analysis of multiple files grabbed from a device points to what appears to be a new strain of the AutoIT malware campaign that includes RedLine Stealer.
This malware uses AutoIT as a wrapper to deliver its payload and attempts to hide its tracks with obfuscation, anti-analysis, and fileless techniques.

The user was attempting to install Grammarly and downloaded an .iso file from a malicious website. The file was then mounted to the D:\ drive and the executable was run shortly after.

The malware was able to evade detection by dropping multiple obfuscated and encrypted temporary scripts that were then run by an AutoIT executable.
The RedLine Stealer part of the malware can attempt to grab browser data, files from the desktop, crypto wallets, FTP clients, user info, screenshots, and more. It also attempted to achieve persistence by adding local admin accounts, installing RDPWrapper, and adding firewall rules to allow incoming traffic on port 3389.

I was unable to analyze what exactly was sent in the packets to the C2 server, but event logs show that it was likely saved browser data/passwords and device information.  

Sources used in this write-up:


User downloaded “grammarly79784.iso”

“GRAMMARLY79784.EXE” was executed from D:\

The executable's Prefetch file shows that five files were created in the folder C:\Users\User\AppData\Local\Temp\IXP000.TMP\


Confusa.exe.pif is executed from folder \Local\Temp\IXP000.TMP

Confusa.exe.pif activities

ezcvajcfbrmcw.vbs (Also ran as an identical batch file)

batch code


vbs command line

This appears to communicate with the C2 server, initially sending the unique bot ID.




365 Defender KQL Queries


| where RemoteUrl contains "tw0chinz" or RemoteUrl contains "nice-quiz" 
or RemoteUrl contains "ifunteck" or RemoteUrl contains "Hyphnhostn" 
or RemoteUrl contains "trk.record-certainly-numeral-draw" 
or RemoteUrl contains "schemicalc" or RemoteUrl contains "bishoppeda"


| where SHA256 has_any ("563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14",

.pif File IOC

| where FileName endswith ".exe.pif"

Common temp folder used

| where FileName endswith ".vsd"
| where FolderPath contains "\\AppData\\Local\\Temp\\IXP000.TMP\\"

Initial exploit IOC

| where ProcessCommandLine contains "findstr  /V /R"

Common folder used for scripts

| where FileName endswith ".vbs" or FileName endswith ".bat"
| where FolderPath contains "\\AppData\\Roaming\\"

jsc.exe being used to compile and execute PE files

| where InitiatingProcessParentFileName endswith ".pif"
| where InitiatingProcessFileName == "jsc.exe"

Initial download of RedLine malware

| where FileName endswith ".iso"
| where FolderPath contains "Recycle.Bin"

Localhost ping before further action is done

| where ProcessCommandLine contains "ping -n 5"
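
The file and process filters above can also be applied offline to rows exported from advanced hunting, counting how many distinct indicators fire per device so that a lone noisy hit (a `.bat` in Roaming, a `ping -n 5`) does not stand on its own. This Python is an added example, not code from the original write-up: the rule names, the `triage` helper, its two-rule threshold and the sample rows are assumptions, and the column names are the ones used in the queries above.

```python
from collections import defaultdict

def contains(value, needle):
    """KQL `contains`: case-insensitive substring; a missing column never matches."""
    return needle.lower() in (value or "").lower()

def endswith(value, suffix):
    """KQL `endswith`: case-insensitive suffix match."""
    return (value or "").lower().endswith(suffix.lower())

# One predicate per file/process filter above; rule names are made up for this example.
RULES = {
    "pif_file": lambda e: endswith(e.get("FileName"), ".exe.pif"),
    "vsd_in_ixp_temp": lambda e: endswith(e.get("FileName"), ".vsd")
        and contains(e.get("FolderPath"), "\\AppData\\Local\\Temp\\IXP000.TMP\\"),
    "findstr_filter": lambda e: contains(e.get("ProcessCommandLine"), "findstr  /V /R"),
    "script_in_roaming": lambda e: contains(e.get("FolderPath"), "\\AppData\\Roaming\\")
        and (endswith(e.get("FileName"), ".vbs") or endswith(e.get("FileName"), ".bat")),
    "jsc_under_pif": lambda e: endswith(e.get("InitiatingProcessParentFileName"), ".pif")
        and e.get("InitiatingProcessFileName") == "jsc.exe",  # `==` is case-sensitive in KQL
    "iso_in_recycle_bin": lambda e: endswith(e.get("FileName"), ".iso")
        and contains(e.get("FolderPath"), "Recycle.Bin"),
    "ping_delay": lambda e: contains(e.get("ProcessCommandLine"), "ping -n 5"),
}

def matched_rules(event):
    """Names of the rules that fire on one exported event row (a dict of columns)."""
    return sorted(name for name, rule in RULES.items() if rule(event))

def triage(events, min_rules=2):
    """Per device, collect distinct rule hits; keep devices with >= min_rules of them."""
    hits = defaultdict(set)
    for event in events:
        hits[event.get("DeviceName", "unknown")].update(matched_rules(event))
    return {dev: sorted(names) for dev, names in hits.items() if len(names) >= min_rules}

# Constructed sample rows, not real telemetry; device names are placeholders.
SAMPLE_EVENTS = [
    {"DeviceName": "host-a", "FileName": "Confusa.exe.pif",
     "FolderPath": "C:\\Users\\User\\AppData\\Local\\Temp\\IXP000.TMP\\"},
    {"DeviceName": "host-a", "FileName": "PING.EXE", "ProcessCommandLine": "ping -n 5 localhost"},
    {"DeviceName": "host-a", "InitiatingProcessFileName": "jsc.exe",
     "InitiatingProcessParentFileName": "Confusa.exe.pif"},
    {"DeviceName": "host-b", "FileName": "notes.bat", "FolderPath": "C:\\Users\\User\\AppData\\Roaming\\"},
    {"DeviceName": "host-c", "InitiatingProcessFileName": "JSC.EXE",
     "InitiatingProcessParentFileName": "Confusa.exe.pif"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # only host-a reaches the two-rule threshold
```

The host-c row is not matched because `==` compares case-sensitively in KQL; `=~` is the case-insensitive form if process names are logged in mixed case.
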
Noah Clements (genoff)
