Overview

overview

10

Static

static

1

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    GTA5 Mod Menu.rar

  • Size

    6.3MB

  • Sample

    230404-qwbcgafc58

  • MD5

    ec401275bb67cd6afc4c2a9ac769a432

  • SHA1

    363191aaf7e062dcd3a6879c70546affa286eeff

  • SHA256

    828ad6fd2f0a2fdf7ee1826628156cf90e8fbc312847f47c3ea5c508977a3591

  • SHA512

    12cb728ddeb43b43401bd4a523a4863696800fe991299fde5b07cdc10adf424ef754967c11550300bbbc48256b3ceb06f40fc039bbcb97cbd4bc202a931ab657

  • SSDEEP

    98304:7n3wLdHdhd/ZrNPT1wF43yyBukFTglMof5wDzArpN7PZ6CESZmlUbzy+ZE0G52Gx:7ALFdR9BuKlu5wDzAViSEl+zyyI5234

Score
10/10
laplasvidarxmrig49bd1304650cc9c7f3f131428d9e16c2bootkitclipperdiscoveryevasionminerpersistencespywarestealertrojan

Malware Config

Extracted

Family

vidar

Version

3.3

Botnet

49bd1304650cc9c7f3f131428d9e16c2

C2

https://steamcommunity.com/profiles/76561199492257783

https://t.me/justsometg
Attributes
  • profile_id_v2

    49bd1304650cc9c7f3f131428d9e16c2

  • user_agent

    Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Targets

    • Target

      Setup.exe

    • Size

      1023.0MB

    • MD5

      ef8d846aec55eddbbfa2472f9d66c2e7

    • SHA1

      7e75e159b0a62a62d8d775b6dcd4682b59122c28

    • SHA256

      d9a7ab42bcc0d232c84718ef977a0addc3bd7efd184970e88c6f5b85f03c27b1

    • SHA512

      791f226bcda1ab1ec0cbaba03ea00ee56325bffbc3b0ee8dd6010d86cc4190c4e8054422e9a1fd9955b42366cb06ebedd0c49ad8b3ed13d17398d23b63fa0314

    • SSDEEP

      196608:4+hMmu0Vro/dFqg4cF3VjgY7lEGpDltGgC891SWAo0G:41m3OMEljl7lPftGgPuDr

    Score
    10/10
    vidar49bd1304650cc9c7f3f131428d9e16c2bootkitevasionpersistencespywarestealertrojanlaplasxmrigclipperdiscoveryminer

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

      stealerclipperlaplas

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Drops file in Drivers directory

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks