gafgyt | 688162640eba903f22724905ee4497168948601da9f27aac4de7de5c10c35af0 | Triage

Submit
Reports

Overview

overview

Static

static

1

LDPlayer9....ld.exe

windows7-x64

8

LDPlayer9....ld.exe

windows10-2004-x64

Sharing

General

Target

LDPlayer9.0_es_34155917_ld.exe
Size

601.2MB
Sample

230213-dae3baad34
MD5

c9d398b0b57f099e4405d878f8cae4ec
SHA1

0fcab4492c6a47d9846e905b573e6645bb062554
SHA256

688162640eba903f22724905ee4497168948601da9f27aac4de7de5c10c35af0
SHA512

d356918d2dd90c8aa63872ced1650c2ea7b245499307830555b41a8bcac1ad58650c97af0f19a8244a0f6d9d7c2c2a9aac2e9fb4c5e82b0cee32c722e34ce85c
SSDEEP

12582912:BxYOUb/fhhqe2hPmWVsLJV6FObSZBshtzycWRTtc2RNctGwZi+1:PG/fhEe2BGpSs32ztRNctDd

Score

10^/10

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

LDPlayer9.0_es_34155917_ld.exe

Resource

win7-20221111-en

discovery exploit persistence

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

LDPlayer9.0_es_34155917_ld.exe

Resource

win10v2004-20220812-en

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Targets

- Target
  
  LDPlayer9.0_es_34155917_ld.exe
- Size
  
  601.2MB
- MD5
  
  c9d398b0b57f099e4405d878f8cae4ec
- SHA1
  
  0fcab4492c6a47d9846e905b573e6645bb062554
- SHA256
  
  688162640eba903f22724905ee4497168948601da9f27aac4de7de5c10c35af0
- SHA512
  
  d356918d2dd90c8aa63872ced1650c2ea7b245499307830555b41a8bcac1ad58650c97af0f19a8244a0f6d9d7c2c2a9aac2e9fb4c5e82b0cee32c722e34ce85c
- SSDEEP
  
  12582912:BxYOUb/fhhqe2hPmWVsLJV6FObSZBshtzycWRTtc2RNctGwZi+1:PG/fhEe2BGpSs32ztRNctDd
Score

10^/10

discovery exploit persistence gafgyt plugx redline botnet infostealer trojan
- Detected Gafgyt variant
- Detects PlugX payload
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Creates new service(s)
  persistence
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexploitpersistence

behavioral2

gafgytplugxredlinebotnetdiscoveryexploitinfostealerpersistencetrojan

© 2018-2024

Terms | Privacy