General

  • Target

    9b06361b484531e8d71b64fbb32534d9.exe

  • Size

    2.3MB

  • Sample

    230717-lpw85sbh2y

  • MD5

    9b06361b484531e8d71b64fbb32534d9

  • SHA1

    6c47e8bfaf1b82c57c861312f1fe130cc5e21c96

  • SHA256

    753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd

  • SHA512

    dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb

  • SSDEEP

    49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6

Malware Config

Extracted

Family

redline

Botnet

150723_rc_11

C2

rcam15.tuktuk.ug:11290

Attributes
  • auth_value

    0b3645317afbcac212f68853bb45b46d

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes
  • api_key

    a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Targets

    • Target

      9b06361b484531e8d71b64fbb32534d9.exe

    • Size

      2.3MB

    • MD5

      9b06361b484531e8d71b64fbb32534d9

    • SHA1

      6c47e8bfaf1b82c57c861312f1fe130cc5e21c96

    • SHA256

      753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd

    • SHA512

      dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb

    • SSDEEP

      49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks