Resubmissions

  • 13-06-2023 07:00    230613-hs3zbafg3w    10

  • 13-06-2023 06:39    230613-heq3lafg2t    10

  • 13-06-2023 03:28    230613-d1sq4aee98    10

  • 13-06-2023 03:07    230613-dmpghsfb3z    10

General

  • Target

    InstallerExpress_v3v.0u.6s.zip

  • Size

    86.4MB

  • Sample

    230613-dmpghsfb3z

  • MD5

    9c1ef0659dd062ae96c2f65098c0b0c7

  • SHA1

    a7505ae8dafeec539386f78745d98d968d989253

  • SHA256

    6cb44f3aba5fc33eb96a2aad499902e68f28835ec049786ee5d666ee404efda8

  • SHA512

    aee83d99b24b4a2f76f85ccfc10ccc6a6fffaa69c6707902179b8d00aabbc9e7512d847d6c48036630f9fccb9c3fc7d784e6b5abf8667f2377aed0bf2a6f1c10

  • SSDEEP

    1572864:3d+H73uMtEscKzHtHyjhFD5swg8YS098Qmgp5Ymz/jMCLNW7nCvmcq/thrW:3cb+qEsjRyt9uPXS3QFpx7PLNW7FZTW

Malware Config

Extracted

  • Family

    redline

  • Botnet

    @hendrolas

  • C2

    94.142.138.4:80

  • Attributes

    auth_value: 71d16d25eddbb4fd3b98070432f1a757

Extracted

  • Family

    laplas

  • C2

    http://185.223.93.251

  • Attributes

    api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

    • Target

      InstallerExpress_v3v.0u.6s/InstallerExpress_v3v.0u.6s.exe

    • Size

      693.0MB

    • MD5

      fb757b3c077ec1976a8079ca0925e330

    • SHA1

      a8a3c03094572e007b867b5bb9c26acfb182c509

    • SHA256

      f2c3ec6f9869bb611d264d0a4a0dd0ba68b84d17672f07db44e90254b429a667

    • SHA512

      6fe3c5aebf1e576215ebd283f967aa35d73339df82c8d06e54fcee6fd33dc4d98408d3916c1a683a71b41a4d2dfe54d18883538bd3f7933d857b72e7dd911502

    • SSDEEP

      1572864:NphKtrquc1CVrmamaH0Zxz6RILY6/noAuKFiAC2J2:Npg+Z0VTmVxz1d/noAB72

    • Detects Lobshot family

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Lobshot

      Lobshot is a backdoor module written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks