General

  • Target

    05616799.exe

  • Size

    273KB

  • Sample

    230620-qr83yacc59

  • MD5

    390fc797574a89ae91508f774896ef68

  • SHA1

    07b43779b0b3e9503f8bb54d2a3877edc05a80d6

  • SHA256

    060dcbf520bb4a9581523bee99b52335fda2b9dfbada42f5635be3c437fba325

  • SHA512

    0a83f853d7547b6b295102c0323b72c7420b72b0f9a4f6775b186d39dc8a3dd0069abe2d22b98db84eb091a7ab9d4888d9ce7c03cbacbe8c2ddde31e7c2908ea

  • SSDEEP

    6144:HE55Zk/2d9dzyCQ5MHVf73hLxGJWTt+AoM2:HE5ZkqdzyUHLLxKWr

Malware Config

Extracted

Family

redline

Botnet

@Durak9876

C2

94.142.138.4:80

Attributes
  • auth_value

    7349e2db57cd9fb7fbca9d54c1dfaaf9

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

    • Target

      05616799.exe

    • Size

      273KB

    • MD5

      390fc797574a89ae91508f774896ef68

    • SHA1

      07b43779b0b3e9503f8bb54d2a3877edc05a80d6

    • SHA256

      060dcbf520bb4a9581523bee99b52335fda2b9dfbada42f5635be3c437fba325

    • SHA512

      0a83f853d7547b6b295102c0323b72c7420b72b0f9a4f6775b186d39dc8a3dd0069abe2d22b98db84eb091a7ab9d4888d9ce7c03cbacbe8c2ddde31e7c2908ea

    • SSDEEP

      6144:HE55Zk/2d9dzyCQ5MHVf73hLxGJWTt+AoM2:HE5ZkqdzyUHLLxKWr

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks