Malware Analysis Report

2025-06-16 04:57

Sample ID 230317-y7c97shh47
Target tmp
SHA256 a82b9eff2dde393899dfa05985773fc9d124816b675019a0a8c551d9bb6d4d99
Tags laplas clipper persistence stealer
Score 10/10


Analysis Overview

Score 10/10

SHA256

a82b9eff2dde393899dfa05985773fc9d124816b675019a0a8c551d9bb6d4d99

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

laplas clipper persistence stealer

Laplas Clipper

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Program crash

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-17 20:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-17 20:25

Reported

2023-03-17 20:27

Platform

win7-20230220-en

Max time kernel

138s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
NL 45.159.189.105:80 45.159.189.105 tcp

Files

memory/1972-54-0x0000000004590000-0x000000000473A000-memory.dmp

memory/1972-55-0x0000000004740000-0x0000000004B10000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 a0baa2d4e477eb3efa90ec2a61087aae
SHA1 2802d4ba3c7c06642814f7355e4ba91bdabc0149
SHA256 708763265421beb6f2065784633359ad042c26cd3d4951793c697efeb5a78036
SHA512 ee22f242edead83f8eac3ed55056cb75be2ed1aa2ee6ccc9e55f5761ab8bcef6f2f343e0b77fd0ba1d24aa2dde15e6ca91f328000e06253c26ae55b614e6c0d0

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 5725055b7265abc35258f17fd78b3ef9
SHA1 0352eb25a57af1950636df651e5288f60b7a6758
SHA256 b29a85bca1723a7cd5fc5b922241010b1f41616c838a36fdde0d992468fd52dc
SHA512 cd2387e648ee74e5ad6208a3d0991d3e2c34fabf04c75db17c2b45d57e340bef5fc04babc37889e81f1ced0e1f4407cdedfa2bbc53f263b088128220909d17d7

memory/1316-64-0x0000000004550000-0x00000000046FA000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 2ceedbfac70dbb9765733f5289a47742
SHA1 591860b2eef6756fe60c558258bcbc9d63fd2d50
SHA256 745ed34927ef54400d11081f85df47c2870f48e0ca7bbb8b4f377d51dbe4d0c8
SHA512 8623df44062c54905571a9bee177559e46b6071012892198b3b4b616ef81679bbf24ccdb762a22f5a9bb872c1d01a83b70d728bd67637a9f235a3aa4a8d24af6

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 df1ce70355778c74b30b6b87fb476446
SHA1 63b7c45c48d0e11149e97e2d394379069072f903
SHA256 61b2dc5fa1768117abeadbbca982ebf57217b74dae8bb12fcaf6648c67518469
SHA512 7640b68fc81665f8387b13905033b857e57c165a381b3f51ad2951896c9b726dac376e04fc10ab12ab526e36906b9f3f2ef2ad2b698ad5fd6c6d49cf97ac2d6e


Analysis: behavioral2

Detonation Overview

Submitted

2023-03-17 20:25

Reported

2023-03-17 20:28

Platform

win10v2004-20230220-en

Max time kernel

153s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1604 -ip 1604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 480

Network

Country Destination Domain Proto
DE 162.19.139.184:2222 tcp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 45.159.189.105:80 45.159.189.105 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 105.189.159.45.in-addr.arpa udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 33.18.126.40.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 55.154.139.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp

Files

memory/1604-134-0x0000000004C40000-0x0000000005010000-memory.dmp

memory/1604-135-0x0000000000400000-0x0000000002C8E000-memory.dmp

memory/1604-137-0x0000000000400000-0x0000000002C8E000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 f64d800c5b626846bdc6527ec2574ad5
SHA1 ae333064b24138b51c84084f543249e5e238c2e6
SHA256 ea15d2e1ff530b925f6ef6aad7c1c3cc6851efb58400a85b524d508fc4942c4a
SHA512 dd8138fecb6f8bb9165e2686937ce826b6e226f0becfb3c18a77644cbed35a907d0b435704828be21e2c65f661b916c4bbeefb9a4c703338222e74abad638030

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 3cb8de55db567e5b04a46dc240d29fa8
SHA1 d3840a7d22395ac41451fe56a47242a39db72e4d
SHA256 0f4437e7667a8e36ecd60f8b439baf40360d451b134de9630dd525d6ead1ad7d
SHA512 62017f91fae75fbfffc93d458a4b49e7830cf16b508f8e61e4c1922fc2690c83bf7b094577cef22ce0da417be4ade279bdc3021482f5f5484064ab393d263e5d
