Overview

overview

10

Static

static

1

21bf75dfd6...2b.exe

windows7-x64

10

21bf75dfd6...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2023 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe

  • Size

    1.9MB

  • MD5

    c8fa0087f27ed56934adf9f106755304

  • SHA1

    ae27342a17c8bc32a68f6e68436a6ae380f90ed9

  • SHA256

    21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b

  • SHA512

    1401f941d8a0e06ef5754e8c2bc36930ffa121fa99759c4b90d031e191a107903a115ad9b2f67d08c6082d3c0850e94ef7cd9b4659264af85ae691ee0d5d8b0d

  • SSDEEP

    49152:zWrbeHdtxdC968KLFVvLw5xs0baRMJ1K4yo:zW+Hdt/861LFVLuGkyo

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe
    "C:\Users\Admin\AppData\Local\Temp\21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:4272

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    35.2MB

    MD5

    deccfd6a0c8c9654e9e9773683382b65

    SHA1

    5f9f1a7345fbc9b70c4e72c49133c24010b330c1

    SHA256

    ed884aa47f393eb712bbf6ad6b2b7283fc4633a4c92aefbaafc21875bf2a715b

    SHA512

    6afe86da5749fb2ec2f12735cd6268955dd40c57a02ca86ad34604c98a1bc1ec05d513b4a77b78321b7520acc3d83c6f24a32a640e7cfe0211a9c97ceca7aba5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    35.4MB

    MD5

    92cd18b320394915f6ca0e88c0baebb3

    SHA1

    2c131b5ceb6faeefd2c1b5d944d5f0275288125a

    SHA256

    b1baa6359c625fa3f229490ce939d594ea190192aea9f27f5382c05180e1dc46

    SHA512

    c2574b9aa16728088eef46d33295c95535bb0d495e9d38ce3343599dead4b00c4eaa97dc9e7e24d859a67daccc0a9c93ca6590f835ff3d4700521f7a59c14bd3

    Download Submit

  • memory/4272-151-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-156-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-142-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-144-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-145-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-146-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-155-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-149-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/4272-153-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/5032-134-0x0000000004D20000-0x00000000050F0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/5032-136-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download

  • memory/5032-139-0x0000000000400000-0x0000000002C8D000-memory.dmp

    Filesize

    40.6MB

    Download