gafgyt | 8a8bc0125f49bb03d4b10fff05e60f28f0dedc4761dda167cfe59b9affc9ccf4 | Triage

Submit
Reports

Overview

overview

Static

static

1

LDPlayer9....ld.exe

windows10-2004-x64

Resubmissions

06-04-2023 23:18

230406-3ab34ahe8x 7

17-03-2023 16:30

230317-tzsygabb41 10

Sharing

General

Target

LDPlayer9.0_es_1260_ld.exe
Size

603.1MB
Sample

230317-tzsygabb41
MD5

bb5ac3218b68aec33e16261196971d7f
SHA1

7df56150a22016e079c4b3e3a45446bffc2fcd9e
SHA256

8a8bc0125f49bb03d4b10fff05e60f28f0dedc4761dda167cfe59b9affc9ccf4
SHA512

d80614bd536a4e37749c4b05f4ce4a8821679e2f505c42b1a25012527098accd51fdd26f10c78ce512a2a683ea52df3ad6b702b6657dadcac3d7e1cb45b31d4d
SSDEEP

12582912:8vGfJhpkbnW52DiQGSeJPGhxfd7JLHAikG0U7HAN6:8vGfpXUMxiNHvn0U06

Score

10^/10

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

LDPlayer9.0_es_1260_ld.exe

Resource

win10v2004-20230220-en

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan

windows10-2004-x64

34 signatures

1800 seconds

Malware Config

Targets

- Target
  
  LDPlayer9.0_es_1260_ld.exe
- Size
  
  603.1MB
- MD5
  
  bb5ac3218b68aec33e16261196971d7f
- SHA1
  
  7df56150a22016e079c4b3e3a45446bffc2fcd9e
- SHA256
  
  8a8bc0125f49bb03d4b10fff05e60f28f0dedc4761dda167cfe59b9affc9ccf4
- SHA512
  
  d80614bd536a4e37749c4b05f4ce4a8821679e2f505c42b1a25012527098accd51fdd26f10c78ce512a2a683ea52df3ad6b702b6657dadcac3d7e1cb45b31d4d
- SSDEEP
  
  12582912:8vGfJhpkbnW52DiQGSeJPGhxfd7JLHAikG0U7HAN6:8vGfpXUMxiNHvn0U06
Score

10^/10

gafgyt plugx redline botnet discovery exploit infostealer persistence trojan
- Detected Gafgyt variant
- Detects PlugX payload
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Creates new service(s)
  persistence
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

File Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gafgytplugxredlinebotnetdiscoveryexploitinfostealerpersistencetrojan

© 2018-2024

Terms | Privacy