General

  • Target

    b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e

  • Size

    3.0MB

  • Sample

    230720-d7mhnadb2w

  • MD5

    f0c28a4e827bbc75a2d28f6abdce56b2

  • SHA1

    8991e8b3f6a3def5c56b972c80df713def04fdbd

  • SHA256

    b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e

  • SHA512

    995b412aed0eabe6ed8834f7dd57ed99de797da6c7f06f601f573e9b13fa27101c894f2c8f8c7574cf73d3ce413af31598c31174aa235f9ff39ed887292c5256

  • SSDEEP

    49152:SSGHmYONvphn06NUNKvkJKfyeVe0L/Afybp23OLop2NDmGX2YE/0B76RbWG4AGDp:BILONvphn06yNKAKa2YybpqO3DjNNBq2

Malware Config

Extracted

  • Family

    redline

  • Botnet

    190723_rc_11

  • C2

    rcam19.tuktuk.ug:11290

  • Attributes

    auth_value: bdb30d37675736a264bc8bbc3996bfe7

Extracted

  • Family

    laplas

  • C2

    http://lpls.tuktuk.ug

  • Attributes

    api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Targets

    • Target

      b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks