Resubmissions
08-06-2023 11:45
230608-nw8lvsff6w 1008-06-2023 10:16
230608-maxrssea93 608-06-2023 09:50
230608-lt1r5adg93 1008-06-2023 09:35
230608-lka54sec6w 1008-06-2023 09:31
230608-lg6slsec3y 1008-06-2023 09:27
230608-lexf6adf56 1008-06-2023 09:22
230608-lb4faseb5x 608-06-2023 09:14
230608-k7ldxsde62 1008-06-2023 09:00
230608-kyngxsdh81 1008-06-2023 08:48
230608-kqfgcadh31 10General
-
Target
https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
-
Sample
230608-lka54sec6w
Malware Config
Extracted
vidar
4.2
2ca19830ec2c67b5159166c89d3ebb74
https://steamcommunity.com/profiles/76561199511129510
https://t.me/rechnungsbetrag
-
profile_id_v2
2ca19830ec2c67b5159166c89d3ebb74
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75
Extracted
laplas
http://45.159.189.105
-
api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e
Targets
-
-
Target
https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
Score10/10-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-