gafgyt | 8cdd13b91d01a6bf4fcb2465cd14e8427c4e38232726ee3481601d2c645d75e7 | Triage

Submit
Reports

Overview

overview

Static

static

1

LDPlayer9....ld.exe

windows7-x64

LDPlayer9....ld.exe

windows10-2004-x64

Sharing

General

Target

LDPlayer9.0_es_1260_ld.exe
Size

601.3MB
Sample

230228-f1bhxshe4w
MD5

1eeabc6eec8b0bb07b62a00d8bd7d62e
SHA1

6a07c523c4528a64868945e882faba516a0f772c
SHA256

8cdd13b91d01a6bf4fcb2465cd14e8427c4e38232726ee3481601d2c645d75e7
SHA512

29594e66cd8c631a0128c4d9a84c4e523ee7bc66fbeb3dbcabfe6ddef2d5c6cd400ddf2bc36ba1a4c05625d52768a1082af96bcfffe4eecca09d54dc7ec439aa
SSDEEP

12582912:kMYOUb/fhhqe2hPmWVsLJV6FObSZBshtzycWRTtc2RNctGwZeP:1G/fhEe2BGpSs32ztRNctDUP

Score

10^/10

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

LDPlayer9.0_es_1260_ld.exe

Resource

win7-20230220-en

redline discovery exploit infostealer persistence

windows7-x64

23 signatures

300 seconds

Behavioral task

behavioral2

Sample

LDPlayer9.0_es_1260_ld.exe

Resource

win10v2004-20230220-en

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

windows10-2004-x64

28 signatures

300 seconds

Malware Config

Targets

- Target
  
  LDPlayer9.0_es_1260_ld.exe
- Size
  
  601.3MB
- MD5
  
  1eeabc6eec8b0bb07b62a00d8bd7d62e
- SHA1
  
  6a07c523c4528a64868945e882faba516a0f772c
- SHA256
  
  8cdd13b91d01a6bf4fcb2465cd14e8427c4e38232726ee3481601d2c645d75e7
- SHA512
  
  29594e66cd8c631a0128c4d9a84c4e523ee7bc66fbeb3dbcabfe6ddef2d5c6cd400ddf2bc36ba1a4c05625d52768a1082af96bcfffe4eecca09d54dc7ec439aa
- SSDEEP
  
  12582912:kMYOUb/fhhqe2hPmWVsLJV6FObSZBshtzycWRTtc2RNctGwZeP:1G/fhEe2BGpSs32ztRNctDUP
Score

10^/10

redline discovery exploit infostealer persistence gafgyt plugx botnet trojan
- Detected Gafgyt variant
- Detects PlugX payload
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Creates new service(s)
  persistence
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinediscoveryexploitinfostealerpersistence

behavioral2

gafgytplugxredlinebotnetdiscoveryexploitinfostealerpersistencetrojan

© 2018-2024

Terms | Privacy