Malware Analysis Report

2024-10-19 01:10

Sample ID 230730-pe6xdaab31
Target 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e
SHA256 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e
Tags
themida laplas redline 300723_rc clipper evasion infostealer persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e

Threat Level: Known bad

The file 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e was found to be: Known bad.

Malicious Activity Summary

Laplas Clipper

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Themida packer

Executes dropped EXE

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-30 12:15

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-30 12:15

Reported

2023-07-30 12:18

Platform

win10v2004-20230703-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe"

Signatures

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1884 set thread context of 1368 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1368 wrote to memory of 4100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 1368 wrote to memory of 4100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 4100 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 4100 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe

"C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 rc3007.tuktuk.ug udp
NL 85.209.3.9:11290 rc3007.tuktuk.ug tcp
US 8.8.8.8:53 9.3.209.85.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 45.66.230.149:80 45.66.230.149 tcp
US 8.8.8.8:53 149.230.66.45.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 b30e29bccabab032c27910210d9ccf76
SHA1 caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512 ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 35d5fd2785fbed0c5f1bb13c9e66fa9d
SHA1 ce1d2035def13bb5d8b0a5a90ce09ac0a71f557a
SHA256 eaf33ae6b97334c4aff43aeb43014f231eac0ac911915334f99c90da1bb0a418
SHA512 82a7b1d8329076956f503742d4ced67e83ed7fc048ef51d535933ab061db5b473e202d06ddd19072300ea7454a5cf753f4d3670ee53a53f6a0ed61dc675379c7
