General

  • Target

    Valorant_Hack.rar

  • Size

    11.4MB

  • Sample

    230502-qlqpeabb78

  • MD5

    267edf97c0773766a0e47322c5a09e0f

  • SHA1

    1da9b9f7b9191458060bcbee0b294e9415901321

  • SHA256

    2edc1e4c2f16055a14d96f056e976c3bd06230272138259c7cdf50cf6dba07b0

  • SHA512

    8e24bb40b058fc9e2c973acf938f0adb0084df9a3716ae9cee707c07ff8732b60906edcb5ad8b17c679b8df4ad0db7ae72ce464467ce86688c1ba8c1166d34a5

  • SSDEEP

    196608:IpiDgxaJzjt7B53dmvyf0pS9AaCWDnS/hdAhr7oVr1Gnt2um01Ai:IGgxwzjdb3ovhpLuDr7oQtRr

Malware Config

Extracted

Family

vidar

Version

3.7

Botnet

940745c5e5d7ca4cbbc384bc174775e2

C2

https://steamcommunity.com/profiles/76561199501059503

https://t.me/mastersbots

Attributes
  • profile_id_v2

    940745c5e5d7ca4cbbc384bc174775e2

  • user_agent

    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0

Extracted

Family

laplas

C2

http://185.209.161.89

Attributes
  • api_key

    6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0
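The two Vidar C2 entries above are not the final command-and-control host. A Steam profile URL and a Telegram channel are dead-drop resolvers, which is what the "Legitimate hosting services abused for malware hosting/C2" signature in the Targets section is flagging: the operator edits the profile name or channel description to carry the live C2 address, and the stealer scrapes it at run time, so the real C2 can change without touching the binary. The Python below is an added example, not code from the report or from the malware, showing how an analyst can reproduce that resolution offline. The page markup, the element names it searches, and the RFC 5737 address 203.0.113.10 planted as the C2 are constructed assumptions; the live pages are not on this report.

```python
"""Resolve an infostealer's real C2 from dead-drop pages on legitimate services.

Added example for this report (not the sandbox's or the malware's code). The HTML
below is constructed to mimic how a Steam profile and a Telegram channel page render
the one field an operator can edit; the planted C2 is an RFC 5737 documentation
address. Both the markup and the address are assumptions.
"""
from __future__ import annotations

import re
from html import unescape
from urllib.parse import urlsplit

# Constructed stand-ins for the two resolver URLs listed in the Vidar config (nothing is fetched).
DEAD_DROP_PAGES = {
    "https://steamcommunity.com/profiles/76561199501059503": """
        <div class="profile_header_centered_persona">
          <span class="actual_persona_name">http://203.0.113.10/</span>
        </div>""",
    "https://t.me/mastersbots": """
        <div class="tgme_page_title"><span>mastersbots</span></div>
        <div class="tgme_page_description">https://203.0.113.10:443|</div>""",
}

# Only the operator-editable element on each service is searched; the rest of the page is
# platform chrome and would produce false hits. Element names are assumptions.
FIELD_PATTERNS = {
    "steamcommunity.com": r'class="actual_persona_name">(.*?)<',
    "t.me": r'class="tgme_page_description">(.*?)<',
}

# First http(s) token; '|' is excluded because families commonly use it as a field separator.
URL_RE = re.compile(r"https?://[^\s<>\"'|]+", re.IGNORECASE)


def extract_c2(resolver_url: str, page_html: str) -> str | None:
    """Return the C2 base URL planted in one dead-drop page, or None if nothing plausible is there."""
    host = urlsplit(resolver_url).hostname or ""
    pattern = FIELD_PATTERNS.get(host)
    if pattern is None:
        return None
    field = re.search(pattern, page_html, re.DOTALL)
    if not field:
        return None
    text = unescape(field.group(1)).strip()
    match = URL_RE.search(text)
    if not match:
        return None
    parts = urlsplit(match.group(0))
    # A link back to the hosting service itself is ordinary profile content, not a C2.
    if not parts.hostname or parts.hostname == host or parts.hostname.endswith("." + host):
        return None
    return f"{parts.scheme.lower()}://{parts.netloc}/"


def resolve_c2(pages: dict[str, str]) -> tuple[str, str] | None:
    """Walk the resolvers in config order; return (resolver, c2) for the first one that yields a C2.

    Listing several resolvers is what gives the operator resilience: if one profile is
    taken down, the sample falls through to the next.
    """
    for resolver, html in pages.items():
        c2 = extract_c2(resolver, html)
        if c2:
            return resolver, c2
    return None


if __name__ == "__main__":
    print(resolve_c2(DEAD_DROP_PAGES))
```

When applying this to real resolver pages, fetch them with the configured user_agent and from an isolated egress, and keep every fetched page: the planted value is the only timely indicator of the live C2 and it is routinely rotated.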

Targets

    • Target

      Setup.exe

    • Size

      999.0MB

    • MD5

      f5888302a0b612329e34cdc1e9eaf5f3

    • SHA1

      8bab0b31a6458b38b59550000f100a206606a8e8

    • SHA256

      8092ed5ee401cbaad77a932e0bbb8bcbb430576140ca4a8c4ed06de4d58b8cbb

    • SHA512

      6a218be3991ff43142a154d9958b5c6c5a3451e536545f674fc412fec82fa82d3f3f71626cb0cb1d402c0e724567365843954ecc76b6485cd78bf4452ad21311

    • SSDEEP

      49152:FBDq8sOA33dz7DqhCKWqo/+kZjukM32wFH1gENeAsm81ZJ13BWIhIzwFiheeX5NT:4Ux

    • Laplas Clipper

      Laplas is a clipboard hijacker ("clipper") that swaps cryptocurrency wallet addresses copied by the victim for attacker-controlled ones; it has three variants, written in Go, C#, and C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and other secrets.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
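One number in this Targets block deserves a second look: Setup.exe is 999.0MB, yet the RAR that carries it is 11.4MB, a compression ratio only a file made mostly of repeated bytes can reach. Inflating a dropper with a large low-entropy overlay is a common way to push a sample past the size limits of scanners and sandbox uploaders. The Python below is an added example, not part of the report, that parses the PE section table to find where the mapped image ends, measures the overlay that follows and reports whether it looks like padding. The thresholds and the minimal PE it builds as offline test input are assumptions.

```python
"""Measure a PE file's overlay and flag size inflation by low-entropy padding.

Added example for this report; not the sandbox's or the malware's code. The
thresholds (overlay fraction, entropy) are assumptions chosen for illustration, and
build_sample_pe() constructs a parseable but not loadable PE32 purely as test input.
"""
from __future__ import annotations

import math
import struct
from collections import Counter

SAMPLE_BYTES = 1 << 20        # bytes measured from each end of a large overlay
PADDED_FRACTION = 0.5         # assumed: overlay makes up most of the file
PADDED_MAX_ENTROPY = 1.0      # assumed: bits/byte; zero-fill or repeated bytes sit near 0


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated byte, 8.0 for a uniform spread."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def image_end_offset(data: bytes) -> int:
    """Offset one past the last byte any section header claims; everything after it is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # section table follows the optional header
    end = table + 40 * num_sections                            # at minimum, the headers themselves
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))                                 # clamp headers that point past EOF


def overlay_info(data: bytes) -> dict:
    """Describe the overlay and decide whether it looks like deliberate padding."""
    end = image_end_offset(data)
    overlay = data[end:]
    # Hashing a 999MB file is fine; entropy over both ends of the overlay is enough here.
    probe = overlay[:SAMPLE_BYTES] + overlay[-SAMPLE_BYTES:] if len(overlay) > 2 * SAMPLE_BYTES else overlay
    fraction = len(overlay) / len(data) if data else 0.0
    entropy = shannon_entropy(probe)
    return {
        "file_size": len(data),
        "image_end": end,
        "overlay_size": len(overlay),
        "overlay_fraction": fraction,
        "overlay_entropy": entropy,
        # Authenticode-signed binaries and self-extracting installers also carry overlays,
        # but those are small or high-entropy; padding is both dominant and near-constant.
        "looks_padded": fraction > PADDED_FRACTION and entropy < PADDED_MAX_ENTROPY,
    }


def build_sample_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed single-section PE32 used only as offline input for overlay_info()."""
    opt_size = 0xE0                                            # PE32 optional header size
    pe_off = 0x40
    raw_ptr = pe_off + 4 + 20 + opt_size + 40                  # headers end; section data starts here
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)       # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")      # PE32 magic, rest zeroed
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + section_data + overlay


if __name__ == "__main__":
    print(overlay_info(build_sample_pe(bytes(range(256)), b"\0" * 100_000)))
```

Because the stripped overlay has no effect on what the loader maps, the hashes of the bytes up to image_end are the stable identifiers for the real payload; the file-level hashes recorded above change whenever the operator re-pads the dropper.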
