General

  • Target

    Wallet pass.exe

  • Size

    1.3MB

  • Sample

    230628-ced55sha6w

  • MD5

    21cbc38776a465e3bee495836a934a02

  • SHA1

    b2f6acdae49a84632ef913aea33ccf9949de2338

  • SHA256

    86f5b4f32c68f9337a19363da77d77b6275923da37d2e4144b8f0740620fd3ac

  • SHA512

    8c725fb36de9400d24a8bac0fb5c96370faadce81e0d0c2173f594a5b0288712b1b63c3691566707be67f368cec6a0649bbdbbaa51dcebd3703e8aa9bc7022f2

  • SSDEEP

    24576:nrB7SdV5WjDB/ncHlUP0jW62JC1HTK75FmfVcseNPwMv4:nqlnjW5QmPJv4

Malware Config

Extracted

Family

redline

Botnet

@cryptocodi

C2

94.142.138.4:80

Attributes

  • auth_value

    198c6645d590bf9278910b885d83b15e

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes

  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks