Malware Analysis Report

2025-06-16 04:57

Sample ID 230317-x19t6abf8s
Target a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951
SHA256 a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951
Tags: laplas clipper persistence stealer

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951

Threat Level: Known bad

The file a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951 was found to be: Known bad.

Malicious Activity Summary

laplas clipper persistence stealer

Laplas Clipper

Executes dropped EXE

Adds Run key to start application

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-03-17 19:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-17 19:20

Reported: 2023-03-17 19:22

Platform: win10-20230220-en

Max time kernel: 148s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe
Target: N/A

GoLang User-Agent

Description: HTTP User-Agent header
Indicator: Go-http-client/1.1
Process: N/A
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe

"C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country  Destination       Domain                                                             Proto
LV       45.87.154.105:80  45.87.154.105                                                      tcp
US       8.8.8.8:53        105.154.87.45.in-addr.arpa                                         udp
US       8.8.8.8:53        0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa  udp
US       8.8.8.8:53        62.13.109.52.in-addr.arpa                                          udp

Files

memory/1604-122-0x0000000004B50000-0x0000000004F20000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 07401a9e721605db5a17d00d9bf58e2a
SHA1 dbdb00f88bfff661e6ca754c55ad7068ccf93fd2
SHA256 b336e61f13b2b7488801e369065e681270a86b4834220e96a9061a8b78359d7a
SHA512 97a44772d753f31a3fd96539d6fbbe37f7733e18c1e664c8b74d72982535141c544fb672cd86548b2696c1315ef3643d99fb692b6bd85b1fe735317d4ff9adf1

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 22ab87ce33d709bc1320ebe30363ebbe
SHA1 36fb0b5006dce17ed5eda305fdd796ee49c61d6b
SHA256 8eff538637551ad45a67a2230e33636fce248d0badf9df0b0cfba00fe0c52dc6
SHA512 737a591930a33e9a2078f33b0bd3adb0c0a9ef877eebfe13093a074acfe7d474b1f6e541cabaca867b031d79979f86674ae47f70575a815b168e56a54de6afea

memory/1604-128-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-129-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-130-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-131-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-133-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-134-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-135-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-136-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-137-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-138-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-139-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-140-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-141-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-142-0x0000000000400000-0x0000000002C8F000-memory.dmp

memory/2016-143-0x0000000000400000-0x0000000002C8F000-memory.dmp