Redline Stealer masquerading as Chrome
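rule Redline_Stealer_Chrome {
    // Detects Redline Stealer samples that masquerade as Chrome.
    // The mutex name is treated as a standalone indicator; the C2 URL shape
    // and the config key are only trusted together, because "campaign_id"
    // on its own is a common literal in benign software (analytics/ad SDKs)
    // and fired the rule far too often under the previous `any of them`.
    meta:
        description = "Redline Stealer masquerading as Chrome"
        author = "0xanalyst"
    strings:
        // C2 beacon: plain-HTTP URL to a bare IPv4:port with a Redline-style
        // panel/gate/collector path. Unanchored, so it matches anywhere in the file.
        $c2_pattern = /http:\/\/(\d{1,3}\.){3}\d{1,3}:\d+\/(panel|gate|collector)/
        // Mutex name stored as UTF-16LE ("wide") in the sample.
        $redline_strings = "Chrome_141_Mutex" wide
        // Config key, previously written as a raw hex byte pattern
        // { 63 61 6D 70 61 69 67 6E 5F 69 64 }; identical match as an ascii text string.
        $config_pattern = "campaign_id" ascii
    condition:
        // NOTE(review): the rule is described as a PE masquerading as Chrome,
        // but the page does not state the file format, so no uint16(0) == 0x5A4D
        // check is added here — confirm and add one if the samples are all PE.
        $redline_strings or ($c2_pattern and $config_pattern)
}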