General

  • Target: ValorantExternal.rar
  • Size: 288KB
  • Sample: 230730-3rbtnabg59
  • MD5: 3b72a6143fa448c144f1cc58e29b851a
  • SHA1: eec0b4e9c00bce20f8b34966f5734eb39ad4896f
  • SHA256: 504aaf3fbd4d0aa32fe7deebd06533d6d1b673c02ad0dd334cc9b351afe1263a
  • SHA512: 8d3507c1ae0173a56e8aa04ba8ddda33204e7dd86d513bbdd6a77557798ba3f108980dd953053bed55657305a215b92f0ef5a0be23acb2d0fde0e17f05f118cc
  • SSDEEP: 6144:+Yz8bSlTzhOh2UJ4a740EmpA7kvbp4grZHpYSSZOS8ytqxLbG:+Y6S9zu3Jb77E1kjHBZSZ7tqxLbG

Malware Config

Extracted

  • Family: redline
  • Botnet: @wtflooool
  • C2: 94.142.138.4:80
  • Attributes
    • auth_value: 73b07b01031cf6f2730ccdf9b9448a33

Extracted

  • Family: laplas
  • C2: http://185.209.161.189
  • Attributes
    • api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

    • Target: ValorantExternal v3.4.1.exe
    • Size: 978KB
    • MD5: c36eae4946702af2ff4896cc89f13823
    • SHA1: 7b136099fa2e6ef706bb88d0ba7c69b4386705a1
    • SHA256: 55b003f9fc3a0c8b538d04701cb2fb57441bdd24144b69f258eb1df7b74de79e
    • SHA512: 308cdfe1fb9034f98bf5726608d427e6b3c25656eee5c4003ec0399ea022b88f40b87c4f4acff823f39278237457e93c93f439259212e5d4fd207c2b598292e9
    • SSDEEP: 12288:me9LrhpIF+G5PMZ619CsajupXmzrgSyszQuUg4sEnduzzercMgO4WvN3NMoqd:p9fhpIwG5PMZ6pgQuUgUnOzU3NB

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks