Resubmissions

24-11-2022 16:33

221124-t22ndsaf9t 10

02-11-2022 14:52

221102-r8qhlacbgq 8

Analysis

  • max time kernel
    32s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 16:33

General

  • Target

    6738634d9b3bfcf7ebca8be48c091b3e.exe

  • Size

    4.8MB

  • MD5

    6738634d9b3bfcf7ebca8be48c091b3e

  • SHA1

    f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

  • SHA256

    8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

  • SHA512

    c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

  • SSDEEP

    49152:cAMzHHGxBRJHrcFFmJAhaShRgxuMY8qa9vjTIt0IEqYjla27/BS5g+A:bMjGxBQFFmJA3Foq+vOEdZZ+A

Score
10/10

Malware Config

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with two variants written in Golang and C#.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6738634d9b3bfcf7ebca8be48c091b3e.exe
    "C:\Users\Admin\AppData\Local\Temp\6738634d9b3bfcf7ebca8be48c091b3e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Windows\system32\cmd.exe
      cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
        3⤵
        • Creates scheduled task(s)
        PID:2012
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7D741315-BB91-42D5-86B8-458F1B13442F} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
      C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
      2⤵
      • Executes dropped EXE
      PID:1272

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe

    Filesize

    4.8MB

    MD5

    6738634d9b3bfcf7ebca8be48c091b3e

    SHA1

    f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

    SHA256

    8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

    SHA512

    c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

  • C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe

    Filesize

    4.8MB

    MD5

    6738634d9b3bfcf7ebca8be48c091b3e

    SHA1

    f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

    SHA256

    8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

    SHA512

    c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

  • \Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe

    Filesize

    4.8MB

    MD5

    6738634d9b3bfcf7ebca8be48c091b3e

    SHA1

    f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

    SHA256

    8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

    SHA512

    c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

  • \Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe

    Filesize

    4.8MB

    MD5

    6738634d9b3bfcf7ebca8be48c091b3e

    SHA1

    f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

    SHA256

    8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

    SHA512

    c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5