laplas | dd528eb464db46cd69a3a373f5cde4c4e48afb7116fb8e91eea3a1caacc800f5 | Triage

Sharing

General

Target

cf7587a6e0bf853250e291305dcd895e.bin.exe
Size

900KB
Sample

230620-l17t1scd91
MD5

cf7587a6e0bf853250e291305dcd895e
SHA1

b98f3c9b8edf17a9b696efd8c54508ab45f3537e
SHA256

dd528eb464db46cd69a3a373f5cde4c4e48afb7116fb8e91eea3a1caacc800f5
SHA512

beeed750e2f031ea44ef18452bdd950fd333c2613eae4a8240451d0dcc16ceaacc9342bdf4e13fb5a95a6b4627686e22a9e5aed222bc1d643eda36bd77d6f56b
SSDEEP

24576:RIJo17WrRfZZEKC/VFBC2NF6zpYw7XfDHx:RIHrRfZZEKC/VFMuF6ffHx

Score

10^/10

laplas redline @sogood1337 clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@sogood1337

C2

94.142.138.4:80

Attributes

auth_value
55bcb57dbab66d380a24118a44c40da2

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

- Target
  
  cf7587a6e0bf853250e291305dcd895e.bin.exe
- Size
  
  900KB
- MD5
  
  cf7587a6e0bf853250e291305dcd895e
- SHA1
  
  b98f3c9b8edf17a9b696efd8c54508ab45f3537e
- SHA256
  
  dd528eb464db46cd69a3a373f5cde4c4e48afb7116fb8e91eea3a1caacc800f5
- SHA512
  
  beeed750e2f031ea44ef18452bdd950fd333c2613eae4a8240451d0dcc16ceaacc9342bdf4e13fb5a95a6b4627686e22a9e5aed222bc1d643eda36bd77d6f56b
- SSDEEP
  
  24576:RIJo17WrRfZZEKC/VFBC2NF6zpYw7XfDHx:RIHrRfZZEKC/VFMuF6ffHx
Score

10^/10

laplas redline @sogood1337 clipper infostealer persistence spyware stealer
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

laplasredline@sogood1337clipperinfostealerpersistencespywarestealer

behavioral2

laplasredline@sogood1337clipperinfostealerpersistencespywarestealer