General

  • Target

    Adobe_Photoshop_2022.zip

  • Size

    5.5MB

  • Sample

    221127-mptcxsag55

  • MD5

    1f2230dae93511860ce563368f513217

  • SHA1

    0c6b3f05e0715abfd25ce9adc0b1ab9a9e2c226d

  • SHA256

    7c6dca2422ed1b8de931eb1a25459b4f919832f897b227b14c08cd8c97673477

  • SHA512

    009ac6b6c8e896f1c89613f16b53bc0bb93f3ff3854b9925b6f5cb686f5b5125a0aa2c22979986d627ff828ecad273d6527757f06c40d647b31c371b5812a4ce

  • SSDEEP

    98304:1UgddVL86aMwO3XWAFeWPsCLgm1zVw6gAvHyvytNv487G:OgdpW4eIsSnVLTt5P6

Malware Config

Extracted

Family

redline

Botnet

a16

C2

65.21.133.231:47430

Attributes
  • auth_value

    738df2444122bf4a0e61030640516709

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    b208717c54146010ab89e628591e2a7b11493ef1c593e7b3f15b1c06b1778d59

Extracted

Family

amadey

Version

3.50

C2

31.41.244.158/Mb1sDv3/index.php

Targets

    • Target

      Adobe_Photoshop_2022.exe

    • Size

      463.5MB

    • MD5

      1cb3d9c01980bd9ee45737e45090d17e

    • SHA1

      cd3b04697186f61ad23945386d4779573d08733d

    • SHA256

      a8b8ea3589632a74a59783f58a7d9fd145c3cd33feed31805b6ea81dcf9678dc

    • SHA512

      eb7729ac9916f99d7bad60982ebd945445b78dca05d53e249902aa8e8217f9b6955ceb22ea1c056a026ba08a49d5b32292d118739ec507c7df63a5674cdeec8e

    • SSDEEP

      12288:iYI9BtNtNkcU+zXlCfXztTWYPgXbIz2ZTfQ:C9B5U4mtTEXEz

    • Laplas Clipper

      Laplas is a crypto wallet stealer with two variants written in Golang and C#.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      SoftwareSetupFile/SoftwareSetupFile.exe

    • Size

      555.0MB

    • MD5

      333b7deed15376b0a605c2ab033e7fda

    • SHA1

      8b38e9ee0711207d3281f0bc0e3ef1ff8c0b155c

    • SHA256

      142647df2b4e3dcf256dee7618b86a4d205bc7196147c3e6cb9b653bb00aa74f

    • SHA512

      02ede71f39dec29203ab563abc4b67f6119ec3de6287b2083ec15984f181e38ae00acd250b28f7218fd2d80b7fffd12793ae3c9ae724b5223593b87d91099787

    • SSDEEP

      98304:lp/262qMObXa0z2WLEO1gcdB9w2CAPHyVuTFz:lpFau2SE8h9nnTZ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Laplas Clipper

      Laplas is a crypto wallet stealer with two variants written in Golang and C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
