General

  • Target

    ZenSoft.rar

  • Size

    54.2MB

  • Sample

    230729-t8as9afa5z

  • MD5

    f7bdc29a955a12a8975bac449271dfd8

  • SHA1

    c738f0e008f1e905f044eab5b669536351dafa42

  • SHA256

    9f706ef0f596b25a281b45ce2e0ebb4fa0fb32b53d3e6e386fc5bdda68f46930

  • SHA512

    8e64503b4e589351fb69087fb905d65abb801c29f7dc2d53c8adc4d1ad2b6fa302a4a998056b543a9296196debc67efe199c49ad8ee6a93e6688b3962bc10af9

  • SSDEEP

    1572864:SqHWHOX360DCRDHzD6i4k6i7g1sv3yC4aivYQEDJkg+i:IuH60DI76jk97CO3y2ivsDyu

Malware Config

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes

  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

    • Target

    • Size

      31.4MB

    • MD5

      693ce587757ecfb4a2ad9a0b7ed69c46

    • SHA1

      f26ff05fd9e51040227f3c17c9a1859f184b3ffb

    • SHA256

      c67d53bf5609737cb35b19b696f229f0fbd513fbabfad33a3c93850a23ab1ea5

    • SHA512

      e1df3e3d96008ae38daf6f57cafdb41f1d53915d716e0c93e727f149254e56cfca4efb437be5819b6ce69956e8e36b50a69a2e769a36262e924da4e085a2ee8f

    • SSDEEP

      786432:fxJxyhzJySNqxsDM09U3lHyetJ60ak9Xw1v:1ytJPNq2DMzzO0ak9Xev

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks