Overview

overview

10

Static

static

1

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-03-2023 03:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    1.8MB

  • MD5

    f94d6eccab8832b99c98c5bc416e1af0

  • SHA1

    a2072e964c557fbb322f93d554dade226561013d

  • SHA256

    8184da84f2c3efe78c83d045d75e998a5983ca1ec75f57fd6128c9165f236f68

  • SHA512

    61f6c4f1941ec018ae1c2deb7d6e31106130d683d4f06c985b6e3c92233b0303454218fc8351807e70c7bbc4123db4b47fe296153f8c4d87ed0bea17fb8f7079

  • SSDEEP

    49152:8QiGcgi92aIH9Do1ZfWC4wmzu4iOM/Gx:jJKZfWKmzu4O/G

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:732

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    802.8MB

    MD5

    42f54c57fd2f4ca940a2658d025b04b6

    SHA1

    ee8dbeadfae64f687398d4c1126c0b53ea430c22

    SHA256

    83f5562575d0e848ecc7e8be1403f67fe102dbbb8cb528639e419b118a600b40

    SHA512

    7b5fab05848e517a1a21d5d30d5e0bf3d0ded2994667bf1a9c74b5d921dc851da825d38fa4117eb36cb5ba4529ba810242756c880473d9717b362ecff4df68d1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    802.8MB

    MD5

    42f54c57fd2f4ca940a2658d025b04b6

    SHA1

    ee8dbeadfae64f687398d4c1126c0b53ea430c22

    SHA256

    83f5562575d0e848ecc7e8be1403f67fe102dbbb8cb528639e419b118a600b40

    SHA512

    7b5fab05848e517a1a21d5d30d5e0bf3d0ded2994667bf1a9c74b5d921dc851da825d38fa4117eb36cb5ba4529ba810242756c880473d9717b362ecff4df68d1

    Download Submit

  • memory/732-146-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-147-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-141-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-142-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-143-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-145-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-155-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-154-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-148-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-149-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-150-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-151-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-152-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/732-153-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2336-139-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2336-134-0x00000000026B0000-0x0000000002A80000-memory.dmp

    Filesize

    3.8MB

    Download