Overview

overview

10

Static

static

3

Installer.exe

windows10-1703-x64

10

Installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    302s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2023 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installer.exe

  • Size

    1.2MB

  • MD5

    d017c52a55cb3741adfb83eed1d6f052

  • SHA1

    fe3e79ad0cb2b2e5374dca688c83de93ebba9bb3

  • SHA256

    aa8a2e7e1556276dad50729a039ac5cc81cd16494ecb4431f8d6ad59fa8eb9ec

  • SHA512

    d207b117dc24f856d7ba385d4764f724940a59d1f56a3fd2abaf267e1dbc47234bc5cfce2765ac91b501fcd0925048bb22acc1f050e2c9c36c483581c2e1598d

  • SSDEEP

    12288:dGKA3PekjU4fQHp4v8Q9SWVPs+ihQq/3C:dI3gNGUQcWVPBi6q/

Score
10/10
laplaslobshotredline@merchdbackdoorclipperinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

@MerchD

C2

94.142.138.4:80

Attributes
  • auth_value

    9f84b46959366b2efa0773e0556f6e11

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Detects Lobshot family 5 IoCs
  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Lobshot

    Lobshot is a backdoor module written in c++.

    backdoorlobshot
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3996
      • C:\Users\Admin\AppData\Local\Temp\conhost.exe
        "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Executes dropped EXE
          PID:3328
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\svchost.exe") & (start "" "C:\ProgramData\service.exe")
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2204
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            5⤵
            • Runs ping.exe
            PID:4512
          • C:\ProgramData\service.exe
            "C:\ProgramData\service.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:432

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\service.exe
    Filesize

    80KB

    MD5

    b8d23f55d8924b617a57035db1cd3eb0

    SHA1

    94f84b29f47762afa6f44b39dea910286381f296

    SHA256

    921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

    SHA512

    656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

    Download Submit

  • C:\ProgramData\service.exe
    Filesize

    80KB

    MD5

    b8d23f55d8924b617a57035db1cd3eb0

    SHA1

    94f84b29f47762afa6f44b39dea910286381f296

    SHA256

    921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

    SHA512

    656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Filesize

    4.0MB

    MD5

    feccda803ece2e7a3b7e9798714ad47e

    SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

    SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

    SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Filesize

    4.0MB

    MD5

    feccda803ece2e7a3b7e9798714ad47e

    SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

    SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

    SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Filesize

    4.0MB

    MD5

    feccda803ece2e7a3b7e9798714ad47e

    SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

    SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

    SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    80KB

    MD5

    b8d23f55d8924b617a57035db1cd3eb0

    SHA1

    94f84b29f47762afa6f44b39dea910286381f296

    SHA256

    921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

    SHA512

    656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    80KB

    MD5

    b8d23f55d8924b617a57035db1cd3eb0

    SHA1

    94f84b29f47762afa6f44b39dea910286381f296

    SHA256

    921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

    SHA512

    656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    80KB

    MD5

    b8d23f55d8924b617a57035db1cd3eb0

    SHA1

    94f84b29f47762afa6f44b39dea910286381f296

    SHA256

    921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

    SHA512

    656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    817.0MB

    MD5

    93abed944a4462b69af992652284ddf7

    SHA1

    c891ae060df7f8e761bec9305f5e8d8873432b70

    SHA256

    aa44de201f339c430247feaa55635f5747827ee55983f7c7daa22d10fc87918b

    SHA512

    b023fd69489970c37da84b738d2b7b1187690d6ebc762475eab9c80afbf376f236870292eb01e386029b4f23f00d8b6f3fc4491b41eac62843b5834b49df529a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    817.0MB

    MD5

    93abed944a4462b69af992652284ddf7

    SHA1

    c891ae060df7f8e761bec9305f5e8d8873432b70

    SHA256

    aa44de201f339c430247feaa55635f5747827ee55983f7c7daa22d10fc87918b

    SHA512

    b023fd69489970c37da84b738d2b7b1187690d6ebc762475eab9c80afbf376f236870292eb01e386029b4f23f00d8b6f3fc4491b41eac62843b5834b49df529a

    Download Submit

  • memory/3996-139-0x000000000D5E0000-0x000000000D656000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3996-140-0x000000000D700000-0x000000000D792000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3996-145-0x000000000F2E0000-0x000000000F80C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3996-146-0x0000000005010000-0x0000000005020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3996-143-0x000000000DE10000-0x000000000DE60000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3996-142-0x000000000E370000-0x000000000E914000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3996-141-0x000000000DD50000-0x000000000DDB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3996-144-0x000000000E920000-0x000000000EAE2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3996-133-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3996-138-0x0000000005010000-0x0000000005020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3996-137-0x000000000CA60000-0x000000000CA9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3996-136-0x000000000CA00000-0x000000000CA12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3996-135-0x000000000CAC0000-0x000000000CBCA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3996-134-0x000000000B120000-0x000000000B738000-memory.dmp

    Filesize

    6.1MB

    Download