Security Articles

Technical Analysis of the RedLine Stealer

released on 2022-11-18 @ 01:29:41 PM
RedLine is an information stealer that operates on a MaaS (malware-as-a-service) model. It is sold on underground forums, priced according to the buyer's needs. The loader spawns a Regsvcs.exe process in a suspended state and replaces its contents: the RedLine PE is mapped into the Regsvcs process and the thread context is modified to point at the stealer's entry point, which lets the malware masquerade as a legitimate process on the system.