Overview

overview

10

Static

static

1

avicapn32.exe

windows7-x64

10

avicapn32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-03-2023 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    avicapn32.exe

  • Size

    8.6MB

  • MD5

    8d7cf73ce0624c89820492186e81268e

  • SHA1

    f43f83b11e6e4b850297443a30803f72cef99489

  • SHA256

    2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29

  • SHA512

    2bc53e07e6d5d6b4267430011943824590001d8c341a5ccffb2260fc26fa1693d4a146f27a26a579450f822c5998551dfda50814e0b24d4cba8c903ccd8289cd

  • SSDEEP

    196608:dCFM0/NuKzJqwRCCuNhH8DuSHVKiPxtgDe/3jyAan7Ftnl+6+GVp7:KMMsA3U4t1HDOAI7T7

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.223

Attributes
  • api_key

    afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\avicapn32.exe
    "C:\Users\Admin\AppData\Local\Temp\avicapn32.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    759.6MB

    MD5

    c82a2c38076c9cb1f8492fae9bfc5a60

    SHA1

    1c8f596839f48614240a4d5316b1d084d83e8814

    SHA256

    f00bef85a23fa4c15ce7d38e00c9647213ea13556149f66e5d08d2b9bae241ad

    SHA512

    5120b6a258f5185636141d701961fe0a4a22e052fdd7a171fb2ce15a8a3ec75f8fb2e0a89cace61fe3a3d50a528e7e552994b053eabab4b226b56ba66595a84e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    759.6MB

    MD5

    c82a2c38076c9cb1f8492fae9bfc5a60

    SHA1

    1c8f596839f48614240a4d5316b1d084d83e8814

    SHA256

    f00bef85a23fa4c15ce7d38e00c9647213ea13556149f66e5d08d2b9bae241ad

    SHA512

    5120b6a258f5185636141d701961fe0a4a22e052fdd7a171fb2ce15a8a3ec75f8fb2e0a89cace61fe3a3d50a528e7e552994b053eabab4b226b56ba66595a84e

    Download Submit

  • memory/3748-143-0x0000000003A00000-0x0000000003E03000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3748-150-0x0000000003A00000-0x0000000003E03000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3748-133-0x00000000017E0000-0x00000000017E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3748-144-0x0000000003A00000-0x0000000003E03000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3748-145-0x0000000003A00000-0x0000000003E03000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3748-146-0x0000000003A00000-0x0000000003E03000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3748-136-0x00000000035A0000-0x00000000035A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3748-137-0x0000000003A00000-0x0000000003E03000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3748-134-0x0000000000440000-0x0000000001367000-memory.dmp

    Filesize

    15.2MB

    Download

  • memory/4532-155-0x0000000001540000-0x0000000001541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4532-156-0x00000000000D0000-0x0000000000FF7000-memory.dmp

    Filesize

    15.2MB

    Download

  • memory/4532-159-0x00000000035C0000-0x00000000039C3000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4532-165-0x00000000035C0000-0x00000000039C3000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4532-166-0x00000000035C0000-0x00000000039C3000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4532-167-0x00000000035C0000-0x00000000039C3000-memory.dmp

    Filesize

    4.0MB

    Download