Analysis

  • max time kernel
    131s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-06-2023 10:32

General

  • Target

    a9f7d6b41ef9398f5b8fa1ca03d02b04.exe

  • Size

    255KB

  • MD5

    a9f7d6b41ef9398f5b8fa1ca03d02b04

  • SHA1

    c6381d564909b24e6d44906c87542476c89cbb91

  • SHA256

    2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418

  • SHA512

    cd28165d0a388af334559e3828c8dbbd24ba63eea8017aae88f355113863202ca13377db2a93fee97f1af5c224d9a763ada72d16c3c790691a8f1fba53039595

  • SSDEEP

    6144:WfIZHZETEmZuxEuE6ClwwSxZ7p4RhRyTUVeRl:VYTEmZulEgY2

Malware Config

Extracted

Family

redline

Botnet

@bloodyrain12

C2

94.142.138.4:80

Attributes
  • auth_value

    deb2361761232960fecc0abd77d9ebf3

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
    "C:\Users\Admin\AppData\Local\Temp\a9f7d6b41ef9398f5b8fa1ca03d02b04.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        3⤵
        • Executes dropped EXE
        PID:5080

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    4.0MB

    MD5

    d076c4b5f5c42b44d583c534f78adbe7

    SHA1

    c35478e67d490145520be73277cd72cd4e837090

    SHA256

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

    SHA512

    b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    4.0MB

    MD5

    d076c4b5f5c42b44d583c534f78adbe7

    SHA1

    c35478e67d490145520be73277cd72cd4e837090

    SHA256

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

    SHA512

    b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    4.0MB

    MD5

    d076c4b5f5c42b44d583c534f78adbe7

    SHA1

    c35478e67d490145520be73277cd72cd4e837090

    SHA256

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

    SHA512

    b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    776.0MB

    MD5

    143d7546213e9c16cd8b7db736a436ae

    SHA1

    626544445f8254e3b7c1f1de82616f1360309e64

    SHA256

    c14ca667ff9243ea3e1891e87fc4a5a7962c04e70d47e40bdce7f66e6d3c4153

    SHA512

    393036d1b53eaba808768e9dfc6c36e2fd3164ad211e8d8ee6a3a8ccf147ff85bf92311b80cac1d95f97ea6d575559f77af45172cc24dfd0b99e8761b67921ea

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    776.0MB

    MD5

    143d7546213e9c16cd8b7db736a436ae

    SHA1

    626544445f8254e3b7c1f1de82616f1360309e64

    SHA256

    c14ca667ff9243ea3e1891e87fc4a5a7962c04e70d47e40bdce7f66e6d3c4153

    SHA512

    393036d1b53eaba808768e9dfc6c36e2fd3164ad211e8d8ee6a3a8ccf147ff85bf92311b80cac1d95f97ea6d575559f77af45172cc24dfd0b99e8761b67921ea

  • memory/1880-144-0x000000000D3E0000-0x000000000D472000-memory.dmp

    Filesize

    584KB

  • memory/1880-148-0x000000000E310000-0x000000000E4D2000-memory.dmp

    Filesize

    1.8MB

  • memory/1880-143-0x000000000D360000-0x000000000D3D6000-memory.dmp

    Filesize

    472KB

  • memory/1880-133-0x00000000005B0000-0x00000000005E0000-memory.dmp

    Filesize

    192KB

  • memory/1880-145-0x000000000DAC0000-0x000000000E064000-memory.dmp

    Filesize

    5.6MB

  • memory/1880-146-0x000000000E0D0000-0x000000000E136000-memory.dmp

    Filesize

    408KB

  • memory/1880-147-0x000000000E190000-0x000000000E1E0000-memory.dmp

    Filesize

    320KB

  • memory/1880-142-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

    Filesize

    64KB

  • memory/1880-149-0x000000000E4E0000-0x000000000EA0C000-memory.dmp

    Filesize

    5.2MB

  • memory/1880-141-0x000000000A3C0000-0x000000000A3FC000-memory.dmp

    Filesize

    240KB

  • memory/1880-140-0x000000000C6A0000-0x000000000C6B2000-memory.dmp

    Filesize

    72KB

  • memory/1880-139-0x000000000C570000-0x000000000C67A000-memory.dmp

    Filesize

    1.0MB

  • memory/1880-138-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

    Filesize

    64KB

  • memory/1880-137-0x000000000ABA0000-0x000000000B1B8000-memory.dmp

    Filesize

    6.1MB