General

  • Target

    1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

  • Size

    2.3MB

  • Sample

    230713-ajh9jsfh7x

  • MD5

    3c55617e6b69330386a0350e9f6aa0b4

  • SHA1

    99bff391433cfc610b27f3b2b7ebc3239314f831

  • SHA256

    1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

  • SHA512

    46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28

  • SSDEEP

    49152:X4MR20Q9Xz2p2pizrXPHaBXtHqNQ6cBUX0biao10PzFyPawde5Gir:X41MEpyHaZUNFcBUEfoIgPFTir

Malware Config

Extracted

Family

redline

Botnet

120723_rc_11

C2

rcam.tuktuk.ug:11290

Attributes
  • auth_value

    3a7b4b38a7116be1f337083fb37de790

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes
  • api_key

    a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Targets

    • Target

      1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

    • Size

      2.3MB

    • MD5

      3c55617e6b69330386a0350e9f6aa0b4

    • SHA1

      99bff391433cfc610b27f3b2b7ebc3239314f831

    • SHA256

      1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

    • SHA512

      46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28

    • SSDEEP

      49152:X4MR20Q9Xz2p2pizrXPHaBXtHqNQ6cBUX0biao10PzFyPawde5Gir:X41MEpyHaZUNFcBUEfoIgPFTir

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks