General

  • Target

    623bca798c05a1e5dc5a26ff57329459.bin

  • Size

    2.3MB

  • Sample

    230719-bvhb3aff91

  • MD5

    6f45c2f05be83fc45abe1a6217aaef22

  • SHA1

    75ea8cb74e30b44086b7f81ca4d606d629b8974c

  • SHA256

    43ca13b1d4234eea47695bce03ff36180038896a84d6bd3004a2a17730c710fc

  • SHA512

    bdfb6553957e3b6ff024b9194e6b20945194cfe6c32174e9931bec2fc766de21a2562c76f1e2e516f2016d9ed27edec9eb9d0c6aa6a0ce99d1b5168fb3a27082

  • SSDEEP

    49152:Kt6nplMbi+lY6yVSD2GxfnR/FDG2e5Ej1ACRnSD+DvS9ZLz7XzRr1VpT3:g6nHMbXY6MU2Gxfn7G2e5EjpS629ZLf7

Malware Config

Extracted

Family

redline

Botnet

170723_rc_11

C2

rcam17.tuktuk.ug:11290

Attributes

  • auth_value

    ddbd29a91f6321652fef2b14e5ac70d5

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes

  • api_key

    a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Targets

    • Target

      8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe

    • Size

      2.3MB

    • MD5

      623bca798c05a1e5dc5a26ff57329459

    • SHA1

      5d3db9376a7581fad4db73b87bcf6ce555e6138b

    • SHA256

      8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c

    • SHA512

      1923e4bf43651cd2423275d4383b013dbbe0f05870245229d6bd6ca650c536368f44d4b72cd9ca393b4269c88f5d4954826a4d1042144c5053140f463f54032d

    • SSDEEP

      49152:magq7j1kTKNpT+1OzKamfw3Fryxqu4m/YjsqV51RoipOm5FGWCmP9:Zgq7STKNUA7mfEO4cYjsq1RoinZCml

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks