General

  • Target

    RedLineStealer.zip

  • Size

    2.2MB

  • Sample

    230726-j7wn8aah7t

  • MD5

    23e576cf3374a423b059a59bdaee70ec

  • SHA1

    00e059bbb45fb3db60b9e053120c14cd26cc6e76

  • SHA256

    f21acb874360a1bf19ca35523d521c765a85cee57ef3992032bcb0d5743888e7

  • SHA512

    a2dc1e596ab199b44d907ddf61affdf7631983edf7103e85a3a91aa793515608277c3350024e7e3c078f1f5abdcf58d7337d92dc1948c69103d974e01a2f6a6c

  • SSDEEP

    49152:FgRl7NbO4FM6P+jRn48HKnDq1Uztw6Y/bRmAcL:SX7NbnFM62jp48HEe2zttsbR6

Malware Config

Extracted

Family

redline

Botnet

150723_rc_11

C2

rcam15.tuktuk.ug:11290

Attributes
  • auth_value

    0b3645317afbcac212f68853bb45b46d

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes
  • api_key

    a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
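
The two Extracted blocks above are the part of this report that turns directly into detection content: one RedLine C2 (`rcam15.tuktuk.ug:11290`) and one Laplas C2 (`http://lpls.tuktuk.ug`), both under the same parent domain. The script below is an added example and is not part of the sandbox report or of either malware family; it converts those config values into host/port indicators and runs them over a handful of constructed DNS and proxy log lines. The log lines, their field names (`query=`, `dst=`, `url=`), and the two-label parent-domain rule are assumptions made for the example; the latter ignores the public-suffix list and would be wrong for `co.uk`-style suffixes.

```python
"""Turn the extracted RedLine / Laplas config into network indicators and
match them against log lines. Added example, not code from the report."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Values copied from the report's two "Extracted" blocks.
EXTRACTED_CONFIG = {
    "redline": {"botnet": "150723_rc_11", "c2": ["rcam15.tuktuk.ug:11290"]},
    "laplas": {"c2": ["http://lpls.tuktuk.ug"]},
}

# Constructed for this example; not taken from the sandbox run.
SAMPLE_LOG = [
    "2023-07-26T09:41:03Z dns client=10.0.0.15 query=rcam15.tuktuk.ug type=A",
    "2023-07-26T09:41:05Z proxy client=10.0.0.15 dst=rcam15.tuktuk.ug:11290 bytes=3312",
    "2023-07-26T09:41:40Z proxy client=10.0.0.15 url=http://lpls.tuktuk.ug/ bytes=512",
    "2023-07-26T09:42:10Z dns client=10.0.0.15 query=cdn.tuktuk.ug type=A",
    "2023-07-26T09:42:11Z proxy client=10.0.0.21 dst=rcam15.tuktuk.ug:443 bytes=90",
    "2023-07-26T09:42:15Z dns client=10.0.0.22 query=www.example.com type=A",
]


@dataclass(frozen=True)
class Indicator:
    family: str
    host: str
    port: Optional[int]  # None when the config gives no explicit port


def indicators_from_config(config):
    """Build one Indicator per C2 entry; URLs and bare host:port are both accepted."""
    out = []
    for family, fields in config.items():
        for c2 in fields["c2"]:
            if "://" in c2:
                u = urlparse(c2)
                host, port = u.hostname, u.port  # urlparse returns None when no port is given
            elif ":" in c2:
                host, _, port_str = c2.rpartition(":")
                port = int(port_str)
            else:
                host, port = c2, None
            out.append(Indicator(family, host.lower(), port))
    return out


def parent_domain(host, labels=2):
    """Last `labels` DNS labels. Simplification: no public-suffix handling."""
    return ".".join(host.rstrip(".").split(".")[-labels:])


# Assumed log field names for this example.
HOST_FIELD = re.compile(r"\b(?:query|dst|host)=([^\s:]+)(?::(\d+))?")
URL_FIELD = re.compile(r"\burl=(\S+)")


def extract_destinations(line):
    """Return (host, port) pairs seen in a log line; port is None when absent."""
    dests = []
    for m in HOST_FIELD.finditer(line):
        dests.append((m.group(1).lower(), int(m.group(2)) if m.group(2) else None))
    for m in URL_FIELD.finditer(line):
        u = urlparse(m.group(1))
        if u.hostname:
            dests.append((u.hostname.lower(), u.port))
    return dests


def match(line, indicators, scope="exact"):
    """Families whose indicators the line hits.

    scope="exact": host must be identical and, when both the indicator and the
    log carry a port, the ports must agree (DNS lines carry none, so host alone
    suffices there). Suitable for high-confidence alerting.
    scope="domain": anything under the same parent domain, port ignored.
    Suitable for blocking, since both C2s here share tuktuk.ug.
    """
    families = set()
    for host, port in extract_destinations(line):
        for ind in indicators:
            if scope == "exact":
                if host != ind.host:
                    continue
                if ind.port is not None and port is not None and port != ind.port:
                    continue
            elif scope == "domain":
                if parent_domain(host) != parent_domain(ind.host):
                    continue
            else:
                raise ValueError(f"unknown scope {scope!r}")
            families.add(ind.family)
    return sorted(families)


def scan(lines, indicators, scope="exact"):
    """(1-based line number, matched families) for every line with a hit."""
    return [(i, fams) for i, line in enumerate(lines, 1)
            if (fams := match(line, indicators, scope))]


if __name__ == "__main__":
    iocs = indicators_from_config(EXTRACTED_CONFIG)
    for scope in ("exact", "domain"):
        print(scope, scan(SAMPLE_LOG, iocs, scope))
```

In exact mode the `rcam15.tuktuk.ug:443` line is deliberately not reported, because the RedLine config names port 11290; in domain mode it is, along with the unrelated-looking `cdn.tuktuk.ug` lookup, which is the trade-off between precise alerting and coarse blocking of the shared infrastructure.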

Targets

    • Target

      753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe

    • Size

      2.3MB

    • MD5

      9b06361b484531e8d71b64fbb32534d9

    • SHA1

      6c47e8bfaf1b82c57c861312f1fe130cc5e21c96

    • SHA256

      753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd

    • SHA512

      dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb

    • SSDEEP

      49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks