Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2023 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.9MB

  • MD5

    85a5e1cf0fe1fd7647a3aea9c9bfc899

  • SHA1

    c834a3b50c982dfc91fd5bd2451ce1dbe0ac4c58

  • SHA256

    c4e0c474010d9ecdcef21ad9d656c28ad11e89c6a213d015692c2424e7e75773

  • SHA512

    80ef2f871887e7bf76e9df9edf6f1b941e9f566b9a69afebe4c0d37f6592e620788b074ad469085136f03bedcebac93d20bda18a581c767faf43975818514290

  • SSDEEP

    49152:fyXUsF6XUSHfAp6AR2hlSTmnowstL/8A2:fwiUSHpPkTkwL/8H

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:2024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    537.0MB

    MD5

    0dcf513f1c4320e2f4d1e81ce871fe9a

    SHA1

    ff30db38f756ae0c473ace8b97fea36d319f37c7

    SHA256

    d1d25b2352550fad352c6d38a69f6e6e13e9bd5af039b384a13a879fe55055ea

    SHA512

    e722b4dc8e6a4bb1c50575517544a52dd992be3d7e628bf5f2228601b2091aae49264ac1363c853fc007b93f64dc62bb1b9de5c52c777c21a63a711bd575f374

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    501.3MB

    MD5

    75e81462c2b56ab8131529b8b0520af9

    SHA1

    02491b148d29f648b67f6d936134aadc3459c020

    SHA256

    84069dfbef0932ff23d13060d0e75dbc94e61570bcabf837cd7be13a9c1bb1aa

    SHA512

    a42b8a95dc8f40b4f93a320676840b279f70bf3a910793a435bd899d72129bc02abd436d575a74af6036f72b925a61166edbdcb3671ba85505a2fddc0962799f

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    343.5MB

    MD5

    dcda93621809bd2ad58b3599b7eed8b2

    SHA1

    21ab497bc523ac01ab241eb35143637ad2a2a94a

    SHA256

    423e3e9412df0aa8a20fd88f876254bf8427c64adb12e4ad8631bdb0d8dc647c

    SHA512

    b7f2a56a814a1b500aa3cf89a23e44de90ccce9e3a0e9a04be0370a147bfe669f419ec430178660c110aac31bac31adcc90d2aef02a0fa1e7237d893027ae433

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    558.3MB

    MD5

    43acfcbd21e4ddb478f5abc4f2266ff4

    SHA1

    77158a119d550a72f085630fb9ad656762bee581

    SHA256

    8c94d5b8db12c6ed7bbc44eb0f70c47ce101eac904b72909eedb592999ddcdfe

    SHA512

    e406b7cf7d635f609e0384c5d9839b5ba599344f9f8304af82e96b128f9c74fb277eb37b02ce5c606f9976b0f65a9130b4690195fceebadd6661f7ff09620146

    Download Submit

  • memory/1808-65-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1808-55-0x0000000002260000-0x0000000002630000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1808-54-0x0000000002090000-0x000000000223A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2024-70-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-74-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-67-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-64-0x00000000020E0000-0x000000000228A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2024-71-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-72-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-73-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-66-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-75-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-76-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-77-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-78-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-79-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2024-80-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download