General

  • Target

    Setup.exe

  • Size

    252KB

  • Sample

    230730-xvzf8sca3s

  • MD5

    5c7f9d0b24be08ca274624f012c82510

  • SHA1

    760f0cea24d347c00c590bfb1ab1ff59263dd45c

  • SHA256

    2982f67659fb27745ea81b58ec615894e864ccc3fac375173d7911e6018f01e6

  • SHA512

    c2188d8bfc2c16452452c6947d61b2c9dd9ecf055c6a16e9a9f514339cd9368ca22e0c85591e4f9fcf605cf02f545d4dac0106e0cd092b2dd4c4e8eec5229c1e

  • SSDEEP

    6144:E1ym+lc0jWtxg3FSwC76VtloLQnfbUyz24q9wS7+:g2lrsxg3FSwC76VfHp2/A

Malware Config

Extracted

Family

redline

Botnet

@prsvt6666

C2

94.142.138.4:80

Attributes

  • auth_value

    87d1997a564fa7581db209cc71c07a4e

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes

  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Targets

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks