General

  • Target

    raid macro3.rec

  • Size

    3KB

  • Sample

    230725-qhnewacf47

  • MD5

    1a547e53666cd4dc83c1dd9e884a3016

  • SHA1

    86fbae155d5c1bf4793d5ed89f550faa80e09566

  • SHA256

    a0a24efa02d4462fc7bbe2e322b4c82e4ff1f9e4194a0a86eea566302bec2021

  • SHA512

    9b96170af49eb5095a81515dbfbe1ecedfc3a5f74b99f02e5a42213f4471171cc9c4aa918fa7e33bc8ada1904465411b70868dc3f634798a5020ecaf96291e62

Malware Config

Extracted

Family

redline

Botnet

@LJAGYXA

C2

94.142.138.4:80

Attributes
  • auth_value

    9aec37c9a7a88796e19438759b1463d3

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

    • Target

      raid macro3.rec

    • Size

      3KB

    • MD5

      1a547e53666cd4dc83c1dd9e884a3016

    • SHA1

      86fbae155d5c1bf4793d5ed89f550faa80e09566

    • SHA256

      a0a24efa02d4462fc7bbe2e322b4c82e4ff1f9e4194a0a86eea566302bec2021

    • SHA512

      9b96170af49eb5095a81515dbfbe1ecedfc3a5f74b99f02e5a42213f4471171cc9c4aa918fa7e33bc8ada1904465411b70868dc3f634798a5020ecaf96291e62

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks