Malware Analysis Report

2024-10-23 15:43

Sample ID 230725-ps6tjace23
Target 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
SHA256 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
Tags
themida laplas redline 250723_rc_11 clipper evasion infostealer persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05

Threat Level: Known bad

The file 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05 was found to be: Known bad.

Malicious Activity Summary

RedLine

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Themida packer

Executes dropped EXE

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-25 12:36

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-25 12:36

Reported

2023-07-25 12:39

Platform

win10-20230703-en

Max time kernel

141s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

Signatures

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2672 set thread context of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4864 wrote to memory of 4964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 4864 wrote to memory of 4964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 4964 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 4964 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 rcam25.tuktuk.ug udp
NL 85.209.3.9:11290 rcam25.tuktuk.ug tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.0.0.0.0.f.6.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 9.3.209.85.in-addr.arpa udp
NL 45.66.230.149:80 45.66.230.149 tcp
US 8.8.8.8:53 149.230.66.45.in-addr.arpa udp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 18658dec7775fa53f081b892d6a2b027
SHA1 fa8d901c7aac70e2c37544883ce087e48c6302d1
SHA256 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
SHA512 cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 ad1349b73cd80792cbefac472b86a1b5
SHA1 84cd400ed80c249d977b361a078cd49a0b42134f
SHA256 40da06497a31c3953eac678a4f3928fcd8ff45f02c8ff68cff55235616152689
SHA512 7a8dab7503b44f156a625677c0286b66df557f1105ca41fe6d8b1aed510d39f38fba1566066943dddf509c3b2b0e148550bb6dea6c51b40463e1ea32ea07dbb1

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 4ac4b0f3872c341ba0fb235799be72bc
SHA1 a2172f6a80e514f769c7fc1aa1a38c5ca6af5199
SHA256 7e632f97d194174dc85b5c0c0288dc1c3907128650b78db680fdcd0ddddb99c0
SHA512 7d9bf8e31bb92c97cff48c32ec588a2f4b73d4e9ff6049a6508b933f27d863a61c9ac2e810998b1c2b70d2990f854f22875fd9af8dcc8e5e0eacb0d2be86ce95

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 ec2509e3fb8e0ab52691ddc31452c5d3
SHA1 7e19e4c8c20139f071fda4ae097ab8524fda25b3
SHA256 98182fe5f3d58cc90d79ec5902769a0162d54bb56a8b0bb529ed48b85bb9bf3c
SHA512 cb9fcc066a680594ed2a95ed96e82e0a3121fad5d88c8d968a9faba8d4f2c3ad675ca72e5799aef7884cafd7665ab3735df719e088719b6f27776709c5ddba3f
