laplas | 913451816ee934f6d27f4c6eea7cbe899fd95f2b8c85c5fabeca949dd21e8963 | Triage

Sharing

General

Target

R-Unlocker.exe
Size

275KB
Sample

230702-nsdbjsce3w
MD5

410ed841062196658dd64c3f86b30e23
SHA1

347d3c905b966350034982c3867d9916d4b6ce1a
SHA256

913451816ee934f6d27f4c6eea7cbe899fd95f2b8c85c5fabeca949dd21e8963
SHA512

1d1cefec4ad2d68d534efc7c4e56ed969ea4a57c7c5d02aa73af91e1097ba70463f6c357d76688b47524763501fe9b447772ca95343278f5a6fcc2a304421384
SSDEEP

3072:s3YUAcjp1MkkN0kDyNIvapYENPNQ1L4yXyiPh2ypr5y336YnDzHeWRQx2WR3xr:SXMkkN0DbYgNQSyXDc20Hh+QdQZ

Score

10^/10

laplas redline @basketball_nogoi_na_nahui clipper discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@basketball_nogoi_na_nahui

C2

94.142.138.4:80

Attributes

auth_value
29d6a68320aef07ed71416abb3302143

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

- Target
  
  R-Unlocker.exe
- Size
  
  275KB
- MD5
  
  410ed841062196658dd64c3f86b30e23
- SHA1
  
  347d3c905b966350034982c3867d9916d4b6ce1a
- SHA256
  
  913451816ee934f6d27f4c6eea7cbe899fd95f2b8c85c5fabeca949dd21e8963
- SHA512
  
  1d1cefec4ad2d68d534efc7c4e56ed969ea4a57c7c5d02aa73af91e1097ba70463f6c357d76688b47524763501fe9b447772ca95343278f5a6fcc2a304421384
- SSDEEP
  
  3072:s3YUAcjp1MkkN0kDyNIvapYENPNQ1L4yXyiPh2ypr5y336YnDzHeWRQx2WR3xr:SXMkkN0DbYgNQSyXDc20Hh+QdQZ
Score

10^/10

laplas redline @basketball_nogoi_na_nahui clipper discovery infostealer persistence spyware stealer
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

laplasredline@basketball_nogoi_na_nahuiclipperdiscoveryinfostealerpersistencespywarestealer

behavioral2

redline@basketball_nogoi_na_nahuidiscoveryinfostealerspywarestealer