gafgyt | d773c7ca94b97abc9660727ceefcdb8d98f122fe6dd08aca911fd85fe153d25f | Triage

Submit
Reports

Overview

overview

Static

static

LDPlayer9....ld.exe

windows7-x64

LDPlayer9....ld.exe

windows10-2004-x64

7

Sharing

General

Target

LDPlayer9.0_es_1260_ld.exe
Size

601.8MB
Sample

230124-wbtafaee3x
MD5

83a052a5a9de3c30cb8aaaa81685bea7
SHA1

07daf5f6f24c624228bf7da6e2e1c93241fe030e
SHA256

d773c7ca94b97abc9660727ceefcdb8d98f122fe6dd08aca911fd85fe153d25f
SHA512

65dc36e77e50b27a9fbfd23623696c8d60ec4b08aef61d19801ff390e676fc40cef4f45c8dd1a744c746e02c4d88052db674d48d8ef8449a263e08f10a1e1545
SSDEEP

12582912:K0NMKTyRY5yMou7KBC8CckWqYkqiQh90CLmjT:joRYgu7KB9DpkchCg6T

Score

10^/10

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

LDPlayer9.0_es_1260_ld.exe

Resource

win7-20221111-en

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

windows7-x64

29 signatures

150 seconds

Behavioral task

behavioral2

Sample

LDPlayer9.0_es_1260_ld.exe

Resource

win10v2004-20220901-en

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Targets

- Target
  
  LDPlayer9.0_es_1260_ld.exe
- Size
  
  601.8MB
- MD5
  
  83a052a5a9de3c30cb8aaaa81685bea7
- SHA1
  
  07daf5f6f24c624228bf7da6e2e1c93241fe030e
- SHA256
  
  d773c7ca94b97abc9660727ceefcdb8d98f122fe6dd08aca911fd85fe153d25f
- SHA512
  
  65dc36e77e50b27a9fbfd23623696c8d60ec4b08aef61d19801ff390e676fc40cef4f45c8dd1a744c746e02c4d88052db674d48d8ef8449a263e08f10a1e1545
- SSDEEP
  
  12582912:K0NMKTyRY5yMou7KBC8CckWqYkqiQh90CLmjT:joRYgu7KB9DpkchCg6T
Score

10^/10

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan
- Detected Gafgyt variant
- Detects PlugX payload
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Creates new service(s)
  persistence
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Registers COM server for autorun
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

File and Directory Permissions Modification

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gafgytplugxredlinebotnetdiscoveryexploitinfostealerpersistencetrojan

behavioral2

© 2018-2024

Terms | Privacy