laplas | 9fbc398697579871e9ed351b5874acacb8b435178b32ff6506a03e5738b2e75f

Analysis

max time kernel
155s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e88c37f1bb15fcbe857ee8c4d526153f.exe
Size

1.9MB
MD5

e88c37f1bb15fcbe857ee8c4d526153f
SHA1

c52537d8b02f5c9c9ea40f78a7e2c9f8dc78225b
SHA256

9fbc398697579871e9ed351b5874acacb8b435178b32ff6506a03e5738b2e75f
SHA512

8065ee3b4fd2130549f016c5accb5f8347812b2b0cf6cc97bf712e6b34d30d3dd893dbcf250db60bd0d17550e36462dce4d3ae33858007af2e19e7ad71e44164
SSDEEP

49152:IBJ/2XAf/cdSy4ihSiudHKWw7YYlMDFUjcgbeR:ywXI0c5icLKJEYlIFicWe

Score

10^/10

laplas redline red clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

RED

79.137.202.0:81

Attributes

auth_value
49e32ec54afd3f75dadad05dbf2e524f

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4604-151-0x0000000005490000-0x0000000005AA8000-memory.dmp	redline_stealer
behavioral2/memory/4604-1663-0x00000000060A0000-0x0000000006106000-memory.dmp	redline_stealer
behavioral2/memory/4604-1713-0x0000000006C00000-0x0000000006DC2000-memory.dmp	redline_stealer

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	e88c37f1bb15fcbe857ee8c4d526153f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	e32Lke3.exe

Executes dropped EXE 4 IoCs

pid	Process
4464	cqb3grs.exe
1352	o02kvf1u.exe
1884	e32Lke3.exe
6968	svcservice.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	e32Lke3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 4604	4464	cqb3grs.exe	87
PID 1352 set thread context of 400	1352	o02kvf1u.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4252	4464	WerFault.exe	84
4692	1352	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4604	RegSvcs.exe
4604	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	RegSvcs.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4464	4768	e88c37f1bb15fcbe857ee8c4d526153f.exe	84
PID 4768 wrote to memory of 4464	4768	e88c37f1bb15fcbe857ee8c4d526153f.exe	84
PID 4768 wrote to memory of 4464	4768	e88c37f1bb15fcbe857ee8c4d526153f.exe	84
PID 4464 wrote to memory of 4604	4464	cqb3grs.exe	87
PID 4464 wrote to memory of 4604	4464	cqb3grs.exe	87
PID 4464 wrote to memory of 4604	4464	cqb3grs.exe	87
PID 4464 wrote to memory of 4604	4464	cqb3grs.exe	87
PID 4464 wrote to memory of 4604	4464	cqb3grs.exe	87
PID 4768 wrote to memory of 1352	4768	e88c37f1bb15fcbe857ee8c4d526153f.exe	91
PID 4768 wrote to memory of 1352	4768	e88c37f1bb15fcbe857ee8c4d526153f.exe	91
PID 4768 wrote to memory of 1352	4768	e88c37f1bb15fcbe857ee8c4d526153f.exe	91
PID 1352 wrote to memory of 4456	1352	o02kvf1u.exe	94
PID 1352 wrote to memory of 4456	1352	o02kvf1u.exe	94
PID 1352 wrote to memory of 4456	1352	o02kvf1u.exe	94
PID 1352 wrote to memory of 1820	1352	o02kvf1u.exe	95
PID 1352 wrote to memory of 1820	1352	o02kvf1u.exe	95
PID 1352 wrote to memory of 1820	1352	o02kvf1u.exe	95
PID 1352 wrote to memory of 400	1352	o02kvf1u.exe	96
PID 1352 wrote to memory of 400	1352	o02kvf1u.exe	96
PID 1352 wrote to memory of 400	1352	o02kvf1u.exe	96
PID 1352 wrote to memory of 400	1352	o02kvf1u.exe	96
PID 1352 wrote to memory of 400	1352	o02kvf1u.exe	96
PID 4768 wrote to memory of 1884	4768	e88c37f1bb15fcbe857ee8c4d526153f.exe	100
PID 4768 wrote to memory of 1884	4768	e88c37f1bb15fcbe857ee8c4d526153f.exe	100
PID 4768 wrote to memory of 1884	4768	e88c37f1bb15fcbe857ee8c4d526153f.exe	100
PID 1884 wrote to memory of 6968	1884	e32Lke3.exe	101
PID 1884 wrote to memory of 6968	1884	e32Lke3.exe	101
PID 1884 wrote to memory of 6968	1884	e32Lke3.exe	101

C:\Users\Admin\AppData\Local\Temp\e88c37f1bb15fcbe857ee8c4d526153f.exe
"C:\Users\Admin\AppData\Local\Temp\e88c37f1bb15fcbe857ee8c4d526153f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 156
    3⤵
    - Program crash
    PID:4252
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\o02kvf1u.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\o02kvf1u.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 148
    3⤵
    - Program crash
    PID:4692
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\e32Lke3.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\e32Lke3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:6968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1352 -ip 1352
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\e32Lke3.exe

Filesize
1.1MB

MD5
a76d136239408f63bf5b2af3d4dffc0e

SHA1
7434e0882f2825ba265f69db57e1117a4375636a

SHA256
c1d245ae8ca47c4e04608217d82fc94c1c77d10a81ab057f8c605dbfc24b8ccf

SHA512
189c0e9ca5975ceaf36806020622ae3a77875039cf68c0c3aa2aa2f6e3fd8da1be559bfa1c6fb30538809d6220a00ffa000f9d17aa5f9d5f79199c1f90998dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\e32Lke3.exe

Filesize
1.1MB

MD5
a76d136239408f63bf5b2af3d4dffc0e

SHA1
7434e0882f2825ba265f69db57e1117a4375636a

SHA256
c1d245ae8ca47c4e04608217d82fc94c1c77d10a81ab057f8c605dbfc24b8ccf

SHA512
189c0e9ca5975ceaf36806020622ae3a77875039cf68c0c3aa2aa2f6e3fd8da1be559bfa1c6fb30538809d6220a00ffa000f9d17aa5f9d5f79199c1f90998dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\e32Lke3.exe

Filesize
1.1MB

MD5
a76d136239408f63bf5b2af3d4dffc0e

SHA1
7434e0882f2825ba265f69db57e1117a4375636a

SHA256
c1d245ae8ca47c4e04608217d82fc94c1c77d10a81ab057f8c605dbfc24b8ccf

SHA512
189c0e9ca5975ceaf36806020622ae3a77875039cf68c0c3aa2aa2f6e3fd8da1be559bfa1c6fb30538809d6220a00ffa000f9d17aa5f9d5f79199c1f90998dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\o02kvf1u.exe

Filesize
3.6MB

MD5
9acf9c7921ee24285901751af52097b0

SHA1
0e6725a2fdc4e1f1bbf6a73f46393cbba4552e12

SHA256
98c1105d2e0d9467d2cb9cbd3747b79d7471ecbc22a290653fddc8db3f49b04c

SHA512
7f369214f16aca9dcd8c390ab729a1edaffe27f3fce6dc887df7bb39bc6f55ba938ea7c69f3f1dd739da00b899435a0e65750e5cd7cb0fb45272ad32d6e24792

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\o02kvf1u.exe

Filesize
3.6MB

MD5
9acf9c7921ee24285901751af52097b0

SHA1
0e6725a2fdc4e1f1bbf6a73f46393cbba4552e12

SHA256
98c1105d2e0d9467d2cb9cbd3747b79d7471ecbc22a290653fddc8db3f49b04c

SHA512
7f369214f16aca9dcd8c390ab729a1edaffe27f3fce6dc887df7bb39bc6f55ba938ea7c69f3f1dd739da00b899435a0e65750e5cd7cb0fb45272ad32d6e24792

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\o02kvf1u.exe

Filesize
3.6MB

MD5
9acf9c7921ee24285901751af52097b0

SHA1
0e6725a2fdc4e1f1bbf6a73f46393cbba4552e12

SHA256
98c1105d2e0d9467d2cb9cbd3747b79d7471ecbc22a290653fddc8db3f49b04c

SHA512
7f369214f16aca9dcd8c390ab729a1edaffe27f3fce6dc887df7bb39bc6f55ba938ea7c69f3f1dd739da00b899435a0e65750e5cd7cb0fb45272ad32d6e24792

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
210.7MB

MD5
64116c0a78286c9c21bb3e2099ce3fa3

SHA1
e9e75d5c538cacbe7d8de2ff332a05bb34fca571

SHA256
d08ac6703c7538396b0257aec09ed4500850053054a9b92422a774f12a597870

SHA512
da8314ff85f23af949638e2b828a18593f985c628b9c45eab8c0f4c7c54d5daf3990be1dc0b5294bc489a816a06b70d3bc968cb152ca1467e82a31996b6b7514

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
211.3MB

MD5
b747fc12254532766f7623222dc8b94a

SHA1
981901e7355e9d6d742e2a3397f1df5cd51b893f

SHA256
6d6a53c7b98497f26f084cd620922aa908d384f39700304c6d7c9045835233c8

SHA512
6f2776deee4637d61e4300cdddf44b120ab27ab88af3258d4cc98a7d3dc33b87051c9975d61a15c94c77c3de857e9ce2c72719685f327f2c7c902b4b44320f6e

Download Submit
memory/400-186-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/400-163-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/400-182-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/400-183-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/400-184-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4604-154-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

Filesize
240KB

Download
memory/4604-161-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4604-153-0x0000000004E20000-0x0000000004E32000-memory.dmp

Filesize
72KB

Download
memory/4604-152-0x0000000004F80000-0x000000000508A000-memory.dmp

Filesize
1.0MB

Download
memory/4604-350-0x00000000051A0000-0x0000000005216000-memory.dmp

Filesize
472KB

Download
memory/4604-353-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/4604-405-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4604-1657-0x0000000006650000-0x0000000006BF4000-memory.dmp

Filesize
5.6MB

Download
memory/4604-1663-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/4604-1713-0x0000000006C00000-0x0000000006DC2000-memory.dmp

Filesize
1.8MB

Download
memory/4604-1719-0x0000000008720000-0x0000000008C4C000-memory.dmp

Filesize
5.2MB

Download
memory/4604-1735-0x0000000006F30000-0x0000000006F80000-memory.dmp

Filesize
320KB

Download
memory/4604-151-0x0000000005490000-0x0000000005AA8000-memory.dmp

Filesize
6.1MB

Download
memory/4604-146-0x0000000000770000-0x000000000079E000-memory.dmp

Filesize
184KB

Download