Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    1.1MB

  • Sample

    230613-l57ptagb9x

  • MD5

    05d2607674b12556392ad7d31c498bb2

  • SHA1

    6a30c01505a666f109502e563df48287fc68af7b

  • SHA256

    dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049

  • SHA512

    4f9019a34c89cc49b29ae808e272a5acb5e6bb18b4369cf826cc2ce46b41586418494ad535ef7d95408c86ff468457bb5227db619b0c64381172b3eecb77f549

  • SSDEEP

    6144:vhMIAaYKyQdiU+oboLaSORJ3k5QH2rCfdOrAOGLNf9C42PVWI/L6VGuXZ:vhMvaYTQdiU+oboLLuiELNOPVWIzmfZ

Score
10/10
laplasredline2clipperinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

2

C2

95.216.249.153:81

Attributes
  • auth_value

    101013a5e99e0857595aae297a11351d

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Targets

    • Target

      file.exe

    • Size

      1.1MB

    • MD5

      05d2607674b12556392ad7d31c498bb2

    • SHA1

      6a30c01505a666f109502e563df48287fc68af7b

    • SHA256

      dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049

    • SHA512

      4f9019a34c89cc49b29ae808e272a5acb5e6bb18b4369cf826cc2ce46b41586418494ad535ef7d95408c86ff468457bb5227db619b0c64381172b3eecb77f549

    • SSDEEP

      6144:vhMIAaYKyQdiU+oboLaSORJ3k5QH2rCfdOrAOGLNf9C42PVWI/L6VGuXZ:vhMvaYTQdiU+oboLLuiELNOPVWIzmfZ

    Score
    10/10
    laplasredline2clipperinfostealerpersistencespywarestealer

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

      stealerclipperlaplas

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks