gafgyt | 08fee35f2462f93c96751755ff42f2f63525ad04e21543efe52a159c800ab80a | Triage

Submit
Reports

Overview

overview

Static

static

1

LDPlayer9_...ld.exe

windows7-x64

LDPlayer9_...ld.exe

windows10-2004-x64

Sharing

General

Target

LDPlayer9_es_1009_ld.exe
Size

3.6MB
Sample

230228-zcl5ascf5t
MD5

90276982cc921f646f74f8310ef8cd6a
SHA1

37d5ff4e70485bbcc6e4ef6fa08d3b7839012d0f
SHA256

08fee35f2462f93c96751755ff42f2f63525ad04e21543efe52a159c800ab80a
SHA512

bdbdb26aaae5b84e7c8298e5e6033142f872e8f25578274c3a8c8fdc7d1e07033be62760b5230a67696bf9f4d885a7187d17680b271e713f1f1a111fa37edf2c
SSDEEP

49152:KpiUPlcfO74zHK+1ULjFvnxe2T9g4tGOPf28xuYT:KpPNcG74r1ULxvxew9g1op

Score

10^/10

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

LDPlayer9_es_1009_ld.exe

Resource

win7-20230220-en

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

windows7-x64

32 signatures

1800 seconds

Behavioral task

behavioral2

Sample

LDPlayer9_es_1009_ld.exe

Resource

win10v2004-20230220-en

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

windows10-2004-x64

34 signatures

1800 seconds

Malware Config

Targets

- Target
  
  LDPlayer9_es_1009_ld.exe
- Size
  
  3.6MB
- MD5
  
  90276982cc921f646f74f8310ef8cd6a
- SHA1
  
  37d5ff4e70485bbcc6e4ef6fa08d3b7839012d0f
- SHA256
  
  08fee35f2462f93c96751755ff42f2f63525ad04e21543efe52a159c800ab80a
- SHA512
  
  bdbdb26aaae5b84e7c8298e5e6033142f872e8f25578274c3a8c8fdc7d1e07033be62760b5230a67696bf9f4d885a7187d17680b271e713f1f1a111fa37edf2c
- SSDEEP
  
  49152:KpiUPlcfO74zHK+1ULjFvnxe2T9g4tGOPf28xuYT:KpPNcG74r1ULxvxew9g1op
Score

10^/10

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan
- Detected Gafgyt variant
- Detects PlugX payload
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

File and Directory Permissions Modification

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gafgytplugxredlinebotnetdiscoveryexploitinfostealerpersistencetrojan

behavioral2

gafgytplugxredlinebotnetdiscoveryexploitinfostealerpersistencetrojan

© 2018-2024

Terms | Privacy