Overview

overview

10

Static

static

1

2O23-F1LES...23.exe

windows7-x64

10

2O23-F1LES...23.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2O23-F1LES-S0ft.rar

  • Size

    54.0MB

  • Sample

    230424-yc3avaeb53

  • MD5

    7b67a1514cb0faa10e12dfee452be8ba

  • SHA1

    ec18df8db905043566cd68937788063cf3f3aace

  • SHA256

    3c993a1595fdaa0de01731f6a1300c1ce385d311aef894ce5beae8a7e0853994

  • SHA512

    f9161094373e910c3111a5c38dabc5c928640440b6cb9955408411ca199ebe1cbd9e8b24a3946775f30791aa59b8291c136be8a54263c67f1b7f0901198f2015

  • SSDEEP

    786432:1jQoDiNyVMMOFfbyHvlpAEOnfQIihbzAszihlzW0rztvC/Cq8z7ULOMXRzf8yN:1jQoAwMLJ6l2U98suhwYztvCaq/KOzEq

Score
10/10
laplasraccoon9429a6d92284fd6d41daa221d04032beclipperdiscoverypersistencespywarestealer

Malware Config

Extracted

Family

raccoon

Botnet

9429a6d92284fd6d41daa221d04032be

C2

http://212.113.119.153/

http://77.91.84.147/

http://212.113.119.35/

http://79.137.248.245/
xor.plain

Extracted

Family

laplas

C2

http://85.192.40.252

Attributes
  • api_key

    a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Targets

    • Target

      2O23-F1LES-S0ft/Launcher_S0FT-2O23.exe

    • Size

      730.9MB

    • MD5

      1cc87e637e55a2e6a88c745855423045

    • SHA1

      7e837f0a6854e6f0b68f417bb8f5f8dc2daeee23

    • SHA256

      6148a04932be8b508c730fae9b7a8b67d96bd5bd21801a047e34a8e819a55c62

    • SHA512

      c23bce8c05365d9e626f2b6d49e3d74608c55a31977eaa01981962f105abed5a3c30ebd18a3a0c5c8bdb29c9746227ce063a093964edf367262bfab27bfd2827

    • SSDEEP

      196608:UUJOFXQovEaJV73j5m9iepb+EDGVV3hCKboTEWMw6FO5+3Z4KW:UEfovJ13jk9Xp+VVRJbdwRiDW

    Score
    10/10
    raccoon9429a6d92284fd6d41daa221d04032bediscoveryspywarestealerlaplasclipperpersistence

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

      stealerclipperlaplas

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks