General

  • Target

    Setup.bin.zip

  • Size

    238KB

  • Sample

    230717-g18zvsae67

  • MD5

    46ab886a7756ef611d0798256d46425b

  • SHA1

    1f60a35b0ded2ca01e9578a8f59dc69e6d13c826

  • SHA256

    fa186ec42d8bd6705022f87ad0e474b89aa78c887da4d86603079c2ce2b28810

  • SHA512

    e8be54e21cb1e174bf169e1929092be009845946bd52e0b1db5024353ddd337b4bc2223eb8c604388b8e141021ed25417c29ef1dead4b7202f082d06b812030f

  • SSDEEP

    6144:yrm7tO+NdvAEu5TBtRdIS8VJpxupKzb2V1qKW2yY4rWx8ut/3Q:yrmBOqdvAEu5TBSS8VJTupKgWi4raPo

Malware Config

Extracted

Family

redline

Botnet

@EclipsoNN

C2

94.142.138.4:80

Attributes
  • auth_value

    a7c64217d1354dc4fff2d3e224a31954

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
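
The two extracted configs give the indicators a responder actually hunts with: the file hashes above and the two C2 endpoints (RedLine on 94.142.138.4:80, Laplas on http://185.209.161.189). The block below is an added example, not part of the sandbox report or of either malware family: it embeds those indicators as constants and runs them over constructed firewall-style log lines. The log format, the log lines, and the assumption that the Laplas URL implies port 80 are all mine, not the report's.

```python
"""IOC matching using the indicators from the report above.

Added example, not part of the sandbox report: the hashes and C2 endpoints
are copied from the page; the log format and the log lines are constructed.
"""
import hashlib
import re
from typing import Optional

# File hashes from the report: the archive and the inner Setup.bin.
KNOWN_HASHES = {
    "md5": {
        "46ab886a7756ef611d0798256d46425b": "Setup.bin.zip",
        "65df8723cddac2f68077a1e4ba85d517": "Setup.bin",
    },
    "sha256": {
        "fa186ec42d8bd6705022f87ad0e474b89aa78c887da4d86603079c2ce2b28810": "Setup.bin.zip",
        "e5ae0ceb6284e429c939dd9f38176b705f4047432d36d21c8120f7e1ea01f32b": "Setup.bin",
    },
}

# C2 endpoints from the extracted configs. RedLine gives ip:port; the Laplas
# C2 is an http:// URL with no explicit port, so port 80 is inferred from the
# scheme (an assumption, not something the report states).
C2_HOSTS = {
    "94.142.138.4": ("redline", 80),
    "185.209.161.189": ("laplas", 80),
}

# Constructed firewall-style log lines (not real telemetry).
SAMPLE_LOG = """\
2023-07-17T10:02:11Z src=10.0.0.5:51234 dst=94.142.138.4:80 proto=tcp action=allow
2023-07-17T10:02:12Z src=10.0.0.5:51235 dst=142.250.74.46:443 proto=tcp action=allow
2023-07-17T10:02:40Z src=10.0.0.5:51240 dst=185.209.161.189:80 proto=tcp action=allow
2023-07-17T10:03:01Z src=10.0.0.7:49152 dst=94.142.138.4:443 proto=tcp action=deny
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of a byte string, keyed like KNOWN_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def lookup_hash(digest: str) -> Optional[str]:
    """Return the report's file name for a known MD5/SHA-256, else None."""
    digest = digest.lower()
    for table in KNOWN_HASHES.values():
        if digest in table:
            return table[digest]
    return None


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_c2_hits(log_text: str) -> list:
    """Flag every connection whose destination is a C2 IP from the configs.

    A hit on the IP with a different port is still reported (port_match=False):
    operators rotate ports more often than they rotate infrastructure.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["dst"] not in C2_HOSTS:
            continue
        family, port = C2_HOSTS[rec["dst"]]
        hits.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "family": family,
            "port_match": rec["dport"] == port, "action": rec["action"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(hit)
```

Matching on the destination IP alone, with the port recorded separately, is deliberate: the fourth sample line is a denied connection to the RedLine IP on 443, which is still worth a ticket even though the config says port 80.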

Targets

    • Target

      Setup.bin

    • Size

      685KB

    • MD5

      65df8723cddac2f68077a1e4ba85d517

    • SHA1

      939ae5f1fd476617933cb59dce91cc8032d1ffc4

    • SHA256

      e5ae0ceb6284e429c939dd9f38176b705f4047432d36d21c8120f7e1ea01f32b

    • SHA512

      7f917b2cd70aff161876fab16eca979d8ce27ac33501c11e2ad872e04f1507bad13e3a27a676cac09bc1c73613a44bf9b1a6f7462a60256764d1179b4b35933c

    • SSDEEP

      12288:D/1st25/ZyKB9UyTLrY1XbYcF9u2qgOlEYH+FYCiERKZ72uaAdi7++TQDZ:7O25/7rYbFZOlEYeFYCiERKZ72uaAdiy

    • Laplas Clipper

      Laplas Clipper is a clipboard hijacker: it swaps cryptocurrency wallet addresses the victim copies for attacker-controlled ones. It has three variants, written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
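
The Laplas behaviour described above (a copied wallet address silently replaced by another one) is also how a clipper is caught on an endpoint: watch clipboard updates and flag an address-for-address replacement by a different process within a short window. The block below is an added example of that detection rule, not Laplas code and not part of the sandbox report; the clipboard event format and the trace are constructed, and the addresses are public test vectors (BIP-173 and EIP-55), not live wallets.

```python
"""Clipboard address-swap detector.

Added example, not Laplas code: it models what a clipper does (replace a
copied wallet address with one of its own) as a detection rule over a
sequence of clipboard updates. The event format and the events are
constructed; the addresses are public test vectors, not live wallets.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Coarse syntactic patterns for the address formats clippers typically target.
# No checksum validation; good enough to decide "this looks like an address".
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    ts: float        # seconds since monitoring started
    owner: str       # process that set the clipboard (constructed field)
    text: str


@dataclass
class Swap:
    chain: str
    original: str
    replacement: str
    victim_owner: str
    swapper_owner: str
    delay_s: float


def classify_address(text: str) -> Optional[str]:
    """Return the chain name if text looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def detect_swaps(events: List[ClipEvent], window_s: float = 2.0) -> List[Swap]:
    """Flag a clipboard update that replaces one wallet address with a
    different address of the same chain within window_s seconds, set by a
    process other than the one that placed the original."""
    swaps = []
    for prev, cur in zip(events, events[1:]):
        chain = classify_address(prev.text)
        if chain is None or classify_address(cur.text) != chain:
            continue
        if prev.text.strip() == cur.text.strip():
            continue                      # same address re-copied, not a swap
        if cur.ts - prev.ts > window_s or cur.owner == prev.owner:
            continue
        swaps.append(Swap(chain, prev.text.strip(), cur.text.strip(),
                          prev.owner, cur.owner, round(cur.ts - prev.ts, 3)))
    return swaps


# Constructed clipboard trace. The bech32 strings are BIP-173 test vectors,
# the Ethereum string is the EIP-55 example address. The "Setup.bin" owner
# is an assumption for the illustration, not an observation from the report.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "chrome.exe", "Order #48213"),
    ClipEvent(5.2, "chrome.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(5.3, "Setup.bin", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipEvent(40.0, "notepad.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ClipEvent(41.0, "notepad.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),
]

if __name__ == "__main__":
    for s in detect_swaps(SAMPLE_EVENTS):
        print(s)
```

The rule keys on three things at once (same chain, different address, different owner, all within the window) so that a user re-copying the same address or pasting a second address minutes later does not fire; a real agent would obtain the owner from the clipboard-owner window's process and the timestamp from the clipboard sequence number.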
