General

  • Target

    UpDateMs.exe

  • Size

    239KB

  • Sample

    221003-fyms6shda6

  • MD5

    daacc4b2ee305e1a7bedebad15a3ce39

  • SHA1

    af59e7f1bc20c297b0b8bbc886644f7a8d2dc413

  • SHA256

    8a60e80c171ee85d6849e22dcae7ca4cb75d76156f2595286cc31d8daed9cc1f

  • SHA512

    0448ba3566786c26845e649a9299e09c164ee958b825e73c8dcedd75e2f3c25512b9b4d45ed1f828e60e504d72760020b4a92389cf8275d4af48cfc1b1cdd30e

  • SSDEEP

    3072:hfTc4AW5W96tyD07mlfTtzF6AMrLkf+o+cVA7Mn0YZBCNo1wAfLp97vI0HbqLBEB:hw497407mlfTtRpeLYAcwgoo1wAf
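The hashes above are the identifiers a responder will use to confirm a recovered file is this sample. The following is an added example, not part of the sandbox report: it hashes a file with the same four algorithms listed in the report and requires all four to agree before calling a file a match (a single MD5 or SHA1 collision is not an identification). SSDEEP is omitted because it needs the third-party `ssdeep` library; the `REPORT_IOCS` values are copied verbatim from the report.

```python
"""IOC check for UpDateMs.exe (added example; uses only the standard library)."""
import hashlib
import sys

# Hash values as published in the report's General section.
REPORT_IOCS = {
    "md5": "daacc4b2ee305e1a7bedebad15a3ce39",
    "sha1": "af59e7f1bc20c297b0b8bbc886644f7a8d2dc413",
    "sha256": "8a60e80c171ee85d6849e22dcae7ca4cb75d76156f2595286cc31d8daed9cc1f",
    "sha512": (
        "0448ba3566786c26845e649a9299e09c164ee958b825e73c8dcedd75e2f3c255"
        "12b9b4d45ed1f828e60e504d72760020b4a92389cf8275d4af48cfc1b1cdd30e"
    ),
}


def _new_digests():
    return {name: hashlib.new(name) for name in REPORT_IOCS}


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory buffer with every algorithm the report lists."""
    digests = _new_digests()
    for d in digests.values():
        d.update(data)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digest a file in chunks so large samples do not have to fit in memory."""
    digests = _new_digests()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_report(digests: dict) -> dict:
    """Per-algorithm comparison against the report (case-insensitive hex)."""
    return {name: digests[name].lower() == REPORT_IOCS[name]
            for name in REPORT_IOCS}


def is_sample(digests: dict) -> bool:
    """True only when every listed algorithm agrees with the report."""
    return all(match_report(digests).values())


if __name__ == "__main__":
    # Usage: python ioc_check.py <file> [<file> ...]
    for path in sys.argv[1:]:
        result = hash_file(path)
        verdict = "MATCH" if is_sample(result) else "no match"
        print(f"{path}: {verdict}")
        for name, ok in match_report(result).items():
            print(f"  {name:6} {result[name]}  {'ok' if ok else 'differs'}")
```

Reporting each algorithm separately is deliberate: a file that matches on MD5 but not SHA256 is worth a second look (a deliberate collision or a corrupted record), while a clean miss on all four simply means a different file.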

Malware Config

Extracted

  • Family

    redline

  • Botnet

    KAY

  • C2

    4.tcp.eu.ngrok.io:10490

    This is an ngrok TCP tunnel endpoint: the hostname resolves to ngrok's shared edge infrastructure, not to the operator's own server, so the resolved IP is a weak indicator. The hostname and tunnel port together are the discriminating pair to hunt and block on.
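Because the C2 sits behind an ngrok TCP tunnel, a useful detection correlates a DNS answer for an ngrok tunnel hostname with a subsequent outbound connection to the answered IP, then raises severity when the hostname and port equal the pair extracted above. The following is an added example, not part of the sandbox report: the log format, hostnames, IPs (TEST-NET ranges) and workstation names are all constructed for illustration, and the ngrok hostname pattern (`N.tcp.ngrok.io` or `N.tcp.<region>.ngrok.io`) is an assumption about current ngrok naming rather than something the report states.

```python
"""Correlate ngrok TCP tunnel DNS answers with outbound connections.
Added example for the RedLine C2 4.tcp.eu.ngrok.io:10490; log data is constructed."""
import re

# (hostname, port) extracted from the report's Malware Config section.
REPORT_C2 = ("4.tcp.eu.ngrok.io", 10490)

# Assumed ngrok TCP tunnel naming: <n>.tcp.ngrok.io or <n>.tcp.<region>.ngrok.io
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]{2,3})?\.ngrok\.io$", re.IGNORECASE)

# Constructed sample log: "<ts> <host> dns <name>=<answer>" or "<ts> <host> conn <ip>:<port>"
SAMPLE_LOG = """\
2022-10-03T12:00:00Z ws01 dns 4.tcp.eu.ngrok.io=203.0.113.5
2022-10-03T12:00:01Z ws01 conn 203.0.113.5:10490
2022-10-03T12:00:05Z ws02 dns www.example.com=198.51.100.7
2022-10-03T12:00:06Z ws02 conn 198.51.100.7:443
2022-10-03T12:01:00Z ws03 dns 0.tcp.ngrok.io=203.0.113.9
2022-10-03T12:01:01Z ws03 conn 203.0.113.9:15234
2022-10-03T12:02:00Z ws04 conn 203.0.113.5:10490
"""


def parse(log: str):
    """Yield (timestamp, host, kind, detail) tuples from the constructed format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split()
        yield ts, host, kind, detail


def detect(log: str):
    """Return alerts as (host, tunnel_hostname, port, severity).

    A connection is only attributed to a tunnel when the same host resolved an
    ngrok TCP hostname to that IP earlier in the log; ws04 above connects to the
    same IP without a matching DNS answer and is therefore not alerted on, which
    keeps the rule from firing on unrelated traffic to shared ngrok edges.
    """
    resolved = {}  # (host, ip) -> ngrok hostname seen in a DNS answer
    alerts = []
    for _ts, host, kind, detail in parse(log):
        if kind == "dns":
            name, ip = detail.split("=", 1)
            if NGROK_TCP.match(name):
                resolved[(host, ip)] = name.lower()
        elif kind == "conn":
            ip, port = detail.rsplit(":", 1)
            name = resolved.get((host, ip))
            if name is None:
                continue
            port = int(port)
            severity = "high" if (name, port) == REPORT_C2 else "medium"
            alerts.append((host, name, port, severity))
    return alerts


if __name__ == "__main__":
    for host, name, port, severity in detect(SAMPLE_LOG):
        print(f"[{severity}] {host} -> {name}:{port}")
```

Any ngrok TCP tunnel from a workstation is worth a medium-severity ticket in most enterprises, since the service is rarely sanctioned there; the exact hostname:port pair from this report is the only thing that justifies calling it RedLine specifically.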

Targets

    • Target

      UpDateMs.exe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers read browser profile stores (saved logins, cookies, autofill and session data) to harvest credentials; this behaviour accounts for the Credentials in Files hits in the ATT&CK matrix below.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates subkeys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and its WOW6432Node and HKCU equivalents) to list installed applications; this is the Query Registry hit below.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state and is typically seen when a loader redirects a suspended thread into injected code (process hollowing). The signature flags the API call itself, not a confirmed injection.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                Signatures   ID
  Credential Access  Credentials in Files     2            T1081
  Discovery          Query Registry           1            T1012
  Collection         Data from Local System   2            T1005

The Signatures column is the number of triggered signatures mapped to each technique. The mapping uses ATT&CK v6 IDs: T1081 (Credentials in Files) was deprecated in later ATT&CK versions and replaced by T1552.001 (Unsecured Credentials: Credentials In Files), so translate it before comparing with current threat intelligence.

Tasks