General
-
Target
Git2.zip
-
Size
7.3MB
-
Sample
230319-rkfy9aag4y
-
MD5
35c1fb32c93adc5498e2e29bf7af4680
-
SHA1
a195535fa854f186a0fe1d74de24c26f110a5d44
-
SHA256
2194f49d4b349e23456b323abfc7167bf5927453590abd43cbdaca1dda9bcd68
-
SHA512
01c5a153e146272cad71207cb871e9de19d36f630329b9b5546f98257ea054d89b9b6e0a3669a86a5b4f67c8508061f010f0841d980f141423374b031f88c67f
-
SSDEEP
98304:h6Y2jb5ZT5CH0uzEDaLaBD0iH5n37cfrOHOFxFE2hhAOSBXcPZWPvb:B2xZ1e32N0iHFiTFEQA7DPT
Malware Config
Extracted
laplas
http://185.174.137.94
-
api_key
b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421
Targets
-
-
Target
Git2.zip
-
Size
7.3MB
-
MD5
35c1fb32c93adc5498e2e29bf7af4680
-
SHA1
a195535fa854f186a0fe1d74de24c26f110a5d44
-
SHA256
2194f49d4b349e23456b323abfc7167bf5927453590abd43cbdaca1dda9bcd68
-
SHA512
01c5a153e146272cad71207cb871e9de19d36f630329b9b5546f98257ea054d89b9b6e0a3669a86a5b4f67c8508061f010f0841d980f141423374b031f88c67f
-
SSDEEP
98304:h6Y2jb5ZT5CH0uzEDaLaBD0iH5n37cfrOHOFxFE2hhAOSBXcPZWPvb:B2xZ1e32N0iHFiTFEQA7DPT
Score10/10-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
XMRig Miner payload
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Git2/GUI_MODERNISTA.exe
-
Size
53KB
-
MD5
6986f1d3d40626f825b3ebf0415fc54c
-
SHA1
4e498030af12be1c971aa8b06178c24266d39197
-
SHA256
7e84d74990b3b4a9807b3072a2637c0c7035b2e9bc4f6e603b9f1766172fbf3e
-
SHA512
02d095629b9fcd4d7e9b0e156adfd1da41e398848f7c37eb364dfac1636baa6933d95ffebe6083cd4eaafab09d341233ae4e83b47cfeb4e2dc73a30da85c822b
-
SSDEEP
768:ero4Jbpck6DKrC58V5GmKOb02HI2thwykpTz1:qbRpckGSPGib7dLRQ1
Score8/10-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Git2/clifdthjsjkdgaoker.exe
-
Size
7.5MB
-
MD5
fb0deff37fe12bbc4f0c1fe21e2d15ef
-
SHA1
180325b8b6e64638e167601c67cd9c53331ba9f6
-
SHA256
ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
-
SHA512
9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d
-
SSDEEP
196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy
Score10/10-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
Git2/sdfsdfs.exe
-
Size
214KB
-
MD5
8882daf740d94819afcce024bce34a37
-
SHA1
4bdb80e664638201f393a49e5577886683d54662
-
SHA256
a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d
-
SHA512
6ba0c7863713c4334ce511ee7ea7460ea6dacdb243008fae1556a3db7740e6ae53f30e03309f3cc3bf0394328f470a880bf8ed31ee7552ef47dd3823a6ef4c97
-
SSDEEP
6144:O6nLK128LbhLJuLZePizkHQ3EqdYmkRMUx:DLK12gJuLZ0iIHqfG
Score10/10-
XMRig Miner payload
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-