Overview

overview

10

Static

static

1

Git2.zip

windows7-x64

7

Git2.zip

windows10-2004-x64

10

Git2/GUI_M...TA.exe

windows7-x64

8

Git2/GUI_M...TA.exe

windows10-2004-x64

1

Git2/clifd...er.exe

windows7-x64

5

Git2/clifd...er.exe

windows10-2004-x64

10

Git2/sdfsdfs.exe

windows7-x64

5

Git2/sdfsdfs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    515s
  • max time network
    518s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    19-03-2023 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Git2/clifdthjsjkdgaoker.exe

  • Size

    7.5MB

  • MD5

    fb0deff37fe12bbc4f0c1fe21e2d15ef

  • SHA1

    180325b8b6e64638e167601c67cd9c53331ba9f6

  • SHA256

    ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

  • SHA512

    9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

  • SSDEEP

    196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.174.137.94

Attributes
  • api_key

    b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Git2\clifdthjsjkdgaoker.exe
    "C:\Users\Admin\AppData\Local\Temp\Git2\clifdthjsjkdgaoker.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3852

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\online[1].txt
    Filesize

    2B

    MD5

    444bcb3a3fcf8389296c49467f27e1d6

    SHA1

    7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

    SHA256

    2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

    SHA512

    9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\regex[1].txt
    Filesize

    633B

    MD5

    c5298d2c78be8fdfc264eb6fe3e275f8

    SHA1

    f09de5f443da081efaff0155f422ca0375edd164

    SHA256

    de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

    SHA512

    5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    796.5MB

    MD5

    f008279b51ce867ac4c6746b31053fd3

    SHA1

    a12302e5545aca155c995c4971666cebaf972b7c

    SHA256

    a5ef0f84de3a36bd4d911d34fa1ceefd2eaab150b9747efeffe3cf3b53bab473

    SHA512

    0197fa09f0f2b30a062900b492c5533fa345667feca308b9d6561fb5ecf70a0bf3d3e9550f7d38568011870fceee78252c9ddc2def8858815bceba0678a3953c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    796.5MB

    MD5

    f008279b51ce867ac4c6746b31053fd3

    SHA1

    a12302e5545aca155c995c4971666cebaf972b7c

    SHA256

    a5ef0f84de3a36bd4d911d34fa1ceefd2eaab150b9747efeffe3cf3b53bab473

    SHA512

    0197fa09f0f2b30a062900b492c5533fa345667feca308b9d6561fb5ecf70a0bf3d3e9550f7d38568011870fceee78252c9ddc2def8858815bceba0678a3953c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    796.5MB

    MD5

    f008279b51ce867ac4c6746b31053fd3

    SHA1

    a12302e5545aca155c995c4971666cebaf972b7c

    SHA256

    a5ef0f84de3a36bd4d911d34fa1ceefd2eaab150b9747efeffe3cf3b53bab473

    SHA512

    0197fa09f0f2b30a062900b492c5533fa345667feca308b9d6561fb5ecf70a0bf3d3e9550f7d38568011870fceee78252c9ddc2def8858815bceba0678a3953c

    Download Submit

  • memory/2368-138-0x0000000003670000-0x0000000003671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2368-139-0x0000000003680000-0x0000000003681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2368-140-0x0000000003690000-0x0000000003691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2368-141-0x0000000000960000-0x000000000150B000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/2368-133-0x00000000019D0000-0x00000000019D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2368-137-0x0000000003660000-0x0000000003661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2368-136-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2368-134-0x0000000001B70000-0x0000000001B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2368-135-0x0000000001B90000-0x0000000001B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3852-156-0x00000000013C0000-0x00000000013C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3852-158-0x00000000013F0000-0x00000000013F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3852-159-0x0000000001400000-0x0000000001401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3852-160-0x0000000001410000-0x0000000001411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3852-161-0x0000000001420000-0x0000000001421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3852-162-0x0000000001430000-0x0000000001431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3852-163-0x00000000001E0000-0x0000000000D8B000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/3852-157-0x00000000013D0000-0x00000000013D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3852-155-0x0000000001360000-0x0000000001361000-memory.dmp

    Filesize

    4KB

    Download