RedLine Stealer
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
4 syscalls cited
- NtReadVirtualMemory
Reads bytes from the virtual address space of a target process into a caller-supplied buffer.
- NtDeleteKey
Deletes a registry key when the handle is closed — used to wipe persistence and audit-key artefacts post-execution.
- NtQueryValueKey
Reads a value from a registry key — the targeted credential and config harvest primitive.
- NtReadFile
Reads bytes from a file, device, named pipe or mapped section into a user buffer — the kernel primitive behind ReadFile.