laplas | 054516ec9653a0216348890d953c7367e441ec56311163ffac63b5c849237afd

General

Target

InternalInject0r_.zip
Size

2.8MB
Sample

230622-p5wjbsee22
MD5

0b6138ea614ff3c8f9672fdb471c9d21
SHA1

6fbc2da4cb5a09c5ff654612aa26728dc7676d10
SHA256

054516ec9653a0216348890d953c7367e441ec56311163ffac63b5c849237afd
SHA512

8e6f928930b51896337b3e9def7790511b1b399a741377ea69db7506eea3e96b068681ab5447e27f4021d63028aad312b73b08765d723940ddd37df4c1ed1e35
SSDEEP

49152:XeNRS4CC1UKK+Kcl1ZNPT6tN1HuMLVCqoIxHzdBR+bMs4s600mJare4G55:XqPX15GStMrLVCJIxHzw400w6S55

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@nmrzv88

C2

94.142.138.4:80

Attributes

auth_value
ff2294eb8c32446e92144d9b8a702d93

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

- Target
  
  Game.dll
- Size
  
  654KB
- MD5
  
  a9a673f3a28d48a55a0110af24f8e992
- SHA1
  
  acb7276e6fdd045e24782c4e64fc7c33eff08e31
- SHA256
  
  c166e43823c95bb2b9d86ef727960d088e084c4cc67f1b21e1c23f47db129b71
- SHA512
  
  19ce6e8500388a92924a4f33018f16cbaa9c13c627399e2ae312149128e0c00d4619075002568b80af556375397c3bd2e808277ffdc7eb8d30c7d3c80bbf1bf6
- SSDEEP
  
  12288:FoQEv3hQfcDIwXIIpxrQqR+2PwETiTyGftIjFSuuWEjSfKj+2VaHjdjHp88WbdOT:Fuv3hQfcDIwXIMxr3R+2IETiTyGFI1xe
Score

3^/10
behavioral1
- Target
  
  libGLESv2.dll
- Size
  
  5.3MB
- MD5
  
  cc19a92c9fdcf1158e228748a36135ad
- SHA1
  
  8c222e460af14a7763a97b2138d7520006af7aa6
- SHA256
  
  3a812953dffd7e10605ec021138b947c214bb2c5b82f095318cc8160ed9f575c
- SHA512
  
  b4d358f1c0e593743dabc0ace710f6f965086ce09098cb41d88e403ffbb7a15f254fbecd42edbe6d163b73c7147aad058586911b6da64bee8a707694bb4d17c4
- SSDEEP
  
  98304:nzcp8YzTvlb06LHjhkbOQRgJ6ysDnkMjbnOWbSKw:nzcp8Y1bPLHjiRXDnPa
Score

3^/10
behavioral2
- Target
  
  libavdecoder.dll
- Size
  
  53KB
- MD5
  
  17b71bbb807e67a05b61a52ae5aff2b3
- SHA1
  
  9a19910ba6617d495fd333622829c4579881ed01
- SHA256
  
  f47c6f9fcd7eabffee074656a3dfea37f98f585aaf03f83a50922fc15258f1ef
- SHA512
  
  fe77fb06c22fb8320d79a2e36fde6dd0e93be5b98f8f6057eadbc9d6c5cee1762a2ce697be212100d17c4cea35072762b14fa32ca0a2b5da4189fc4e5d1ebed8
- SSDEEP
  
  768:AU/5uidbZtCRsk+CyciOS+KI0OmgUwwNcP3NLB3B9YvDPL/Y/Ty/EiU3qlm6W6ex:fIid3CRKX2wXMEhxOfwo
Score

1^/10
behavioral3
- Target
  
  loader.exe
- Size
  
  402KB
- MD5
  
  faca79da7c35f11a0ca63546647fd628
- SHA1
  
  056095219515efb855df3a0ebd9f64aa519b9072
- SHA256
  
  035cb4663c905882100cdc5d88c0d1cf91ec43607e7599c6cc9fd2a790a10903
- SHA512
  
  9943208b3ab8da145413a8f38a905332d992cf525784203a69be18cd4fb54174e636d57e11976a57d1e3d6715e678687e40701dad4f615f3b35d139bb3dd1bc3
- SSDEEP
  
  6144:raEiMK5t9RA/9oJPthur0VlS2AOAXGdfmYF5p2t/TwRbQI:rNiX5/RA/9oVzdfmYF/2t/T3
Score

10^/10

laplas redline @nmrzv88 clipper discovery infostealer persistence spyware stealer
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral4