laplas | bae427e9391d1bc744b12cb517ca67a2becd386d4b61dab7eff043b33960b8cc | Triage

Sharing

General

Target

.rar
Size

3.1MB
Sample

230706-vdd3vsec9t
MD5

353c10b3f0586b250b9b1e8fb150d1b9
SHA1

ce21a8679af6ff535ca77cf8bf3b8ba9adafad89
SHA256

bae427e9391d1bc744b12cb517ca67a2becd386d4b61dab7eff043b33960b8cc
SHA512

b6552d46a827c85c2318fdeedc35ded72c2f56db96b74ff2600faa69fea02c2fad895c24242b8a260eafd12e85e409eaf4b807161db4f05aa3a47c3bb7001739
SSDEEP

98304:hhAYiU8zd95AX3j+GqSrfzrKUMcZ1E42MRLG:hz8zD5sLprfz2UdZ1EhaG

Score

10^/10

laplas redline @kkkllsttnnn clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@kkkllsttnnn

C2

94.142.138.4:80

Attributes

auth_value
c82524415ee633c9f508c7d4bf1d0d29

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

- Target
  
  Setup.exe
- Size
  
  1.1MB
- MD5
  
  18e79403815bcb2831d9383c9135edbf
- SHA1
  
  cd49506de380658119a1fff1745a98316152f9e6
- SHA256
  
  15dc5f309732a5d78c6f0ad0bb77baea4f6dbab4ce7d7bcad655c2ceb6de06fa
- SHA512
  
  3a0f2fe4e5445ba0e633da5b3c7832e4af4e2de907a81b0d05cfbf348a41404a83682db86710825215bbfed96cb49ef2e594f973bf37a8abfc499039b1e8e7bb
- SSDEEP
  
  6144:9hvWGad/1VqBFJlXdvaIBNJtJSeAOagS5pUGtiHjzk1In/yP3:jG/1VqBfdSedSYGszI
Score

10^/10

laplas redline @kkkllsttnnn clipper infostealer persistence spyware stealer
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

laplasredline@kkkllsttnnnclipperinfostealerpersistencespywarestealer

behavioral2

laplasredline@kkkllsttnnnclipperinfostealerpersistencespywarestealer