General

  • Target

    ToriLauncher.rar

  • Size

    4KB

  • Sample

    230419-tmvljabg83

  • MD5

    e6b05135a9e952b15358bc7aaeab0b8e

  • SHA1

    7eafab0a187d6b4d0f77bfffe095fb7fbb147b7a

  • SHA256

    127aa2f0bbd871bc946d3b9cdc909702b0884bedcf77fd893d3de56e9e980d1d

  • SHA512

    78ecf3353dac5c3871ea39465f98a5124073ab8b2b7051bc50fb61bf764eb90bae06435b532d0b91e36ff3081fac0eccb6634a7011b0e6799bc82105e992ff42

  • SSDEEP

    96:4VIKPWqLuE+qhT4TtebbN28fUlcFd3bGxvxwuqCWNae1ug:4VIKNT+q+TtojaW3qVx/O9ug

Malware Config

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e

Extracted

Family

aurora

C2

185.239.239.194:8081

Targets

    • Target

      ToriLauncher.exe

    • Size

      15KB

    • MD5

      8a25dfc69da1d9d86fd6b6aa54ce7fb9

    • SHA1

      e1448945d8218944eee8828a387faeeafcddcdd3

    • SHA256

      8a47dfd07adaaefcdb36c9ca7453c240dfe10c3dd4fa0e87f5c9769b7c48a5f1

    • SHA512

      63dbe47828d49f88a15c39499b73a699622a8a8ceeebe71c81aad95628d09c53353c6c4ff7431b688e569facd0582c40a6609b15aee150ff1e7b4082c97fae8a

    • SSDEEP

      384:n8rbishHxlUvJCB2NdCBhNokwVcqDkiCBYkMNt//ZNt/+4Nt/UVRD59KUC9u:nib5hxlUvJCB2NdCBhNokwVcqDkiCBYh

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Modifies security service

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scheduled Task (T1053): 1

Persistence
  • Modify Existing Service (T1031): 2
  • Scheduled Task (T1053): 1

Privilege Escalation
  • Scheduled Task (T1053): 1

Defense Evasion
  • Modify Registry (T1112): 1
  • Impair Defenses (T1562): 1

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2

Command and Control
  • Web Service (T1102): 1

Impact
  • Service Stop (T1489): 1

Tasks