Overview

overview

10

Static

static

1

Git2.zip

windows7-x64

7

Git2.zip

windows10-2004-x64

10

Git2/GUI_M...TA.exe

windows7-x64

8

Git2/GUI_M...TA.exe

windows10-2004-x64

1

Git2/clifd...er.exe

windows7-x64

5

Git2/clifd...er.exe

windows10-2004-x64

10

Git2/sdfsdfs.exe

windows7-x64

5

Git2/sdfsdfs.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Git2.zip

  • Size

    7.3MB

  • Sample

    230319-rkfy9aag4y

  • MD5

    35c1fb32c93adc5498e2e29bf7af4680

  • SHA1

    a195535fa854f186a0fe1d74de24c26f110a5d44

  • SHA256

    2194f49d4b349e23456b323abfc7167bf5927453590abd43cbdaca1dda9bcd68

  • SHA512

    01c5a153e146272cad71207cb871e9de19d36f630329b9b5546f98257ea054d89b9b6e0a3669a86a5b4f67c8508061f010f0841d980f141423374b031f88c67f

  • SSDEEP

    98304:h6Y2jb5ZT5CH0uzEDaLaBD0iH5n37cfrOHOFxFE2hhAOSBXcPZWPvb:B2xZ1e32N0iHFiTFEQA7DPT

Score
10/10
laplasxmrigbootkitclipperdiscoveryminerpersistencespywarestealer

Malware Config

Extracted

Family

laplas

C2

http://185.174.137.94

Attributes
  • api_key

    b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421

Targets

    • Target

      Git2.zip

    • Size

      7.3MB

    • MD5

      35c1fb32c93adc5498e2e29bf7af4680

    • SHA1

      a195535fa854f186a0fe1d74de24c26f110a5d44

    • SHA256

      2194f49d4b349e23456b323abfc7167bf5927453590abd43cbdaca1dda9bcd68

    • SHA512

      01c5a153e146272cad71207cb871e9de19d36f630329b9b5546f98257ea054d89b9b6e0a3669a86a5b4f67c8508061f010f0841d980f141423374b031f88c67f

    • SSDEEP

      98304:h6Y2jb5ZT5CH0uzEDaLaBD0iH5n37cfrOHOFxFE2hhAOSBXcPZWPvb:B2xZ1e32N0iHFiTFEQA7DPT

    Score
    10/10
    laplasxmrigbootkitclipperdiscoveryminerpersistencespywarestealer

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

      stealerclipperlaplas

    • XMRig Miner payload

      miner

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Git2/GUI_MODERNISTA.exe

    • Size

      53KB

    • MD5

      6986f1d3d40626f825b3ebf0415fc54c

    • SHA1

      4e498030af12be1c971aa8b06178c24266d39197

    • SHA256

      7e84d74990b3b4a9807b3072a2637c0c7035b2e9bc4f6e603b9f1766172fbf3e

    • SHA512

      02d095629b9fcd4d7e9b0e156adfd1da41e398848f7c37eb364dfac1636baa6933d95ffebe6083cd4eaafab09d341233ae4e83b47cfeb4e2dc73a30da85c822b

    • SSDEEP

      768:ero4Jbpck6DKrC58V5GmKOb02HI2thwykpTz1:qbRpckGSPGib7dLRQ1

    Score
    8/10

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral3behavioral4

    • Target

      Git2/clifdthjsjkdgaoker.exe

    • Size

      7.5MB

    • MD5

      fb0deff37fe12bbc4f0c1fe21e2d15ef

    • SHA1

      180325b8b6e64638e167601c67cd9c53331ba9f6

    • SHA256

      ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

    • SHA512

      9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

    • SSDEEP

      196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy

    Score
    10/10
    laplasclipperpersistencestealer

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

      stealerclipperlaplas

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral5behavioral6

    • Target

      Git2/sdfsdfs.exe

    • Size

      214KB

    • MD5

      8882daf740d94819afcce024bce34a37

    • SHA1

      4bdb80e664638201f393a49e5577886683d54662

    • SHA256

      a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d

    • SHA512

      6ba0c7863713c4334ce511ee7ea7460ea6dacdb243008fae1556a3db7740e6ae53f30e03309f3cc3bf0394328f470a880bf8ed31ee7552ef47dd3823a6ef4c97

    • SSDEEP

      6144:O6nLK128LbhLJuLZePizkHQ3EqdYmkRMUx:DLK12gJuLZ0iIHqfG

    Score
    10/10
    xmrigminer

    • XMRig Miner payload

      miner

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

MITRE ATT&CK Enterprise v6

Tasks