Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2023 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe

  • Size

    1.9MB

  • MD5

    66cb9bf8324c1de0e44b0f376b60ab1c

  • SHA1

    59709e524dd2a2d589a9f548530bb5a682368a01

  • SHA256

    4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e

  • SHA512

    a511be876646d3956d1facad8b5371c26533aaa4e101db3cc974dcdbb2159562bd70d0fdceba12cea08ad00cd14b45d7367d98ba7e8087d19018145dfdb141a6

  • SSDEEP

    24576:GyekufYPXnljXYjIAu/pbifU4EvOAzfVz0dTMA8Ej06EvdxMnJlZXzk0PHDawz6f:G5gPl0CxObEWuIdITEj0XMnTZhLF6

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe
    "C:\Users\Admin\AppData\Local\Temp\4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    778.9MB

    MD5

    a4fe146dfd28b54574fa0717198832e8

    SHA1

    27c842117fb915e835656c4616211ee6d250b1f1

    SHA256

    c9f6542455e55dd5934e1b30be3815453cbb45d8767275b11789b17f11205302

    SHA512

    b54489c60571233e16f489ced1312107672ec0c4bdc0261017b7fa4d1b4feb9e6c2416b05cb28615d8807c5794e3ca65c9267dd180c7252da594f92426b8ab7c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    778.9MB

    MD5

    a4fe146dfd28b54574fa0717198832e8

    SHA1

    27c842117fb915e835656c4616211ee6d250b1f1

    SHA256

    c9f6542455e55dd5934e1b30be3815453cbb45d8767275b11789b17f11205302

    SHA512

    b54489c60571233e16f489ced1312107672ec0c4bdc0261017b7fa4d1b4feb9e6c2416b05cb28615d8807c5794e3ca65c9267dd180c7252da594f92426b8ab7c

    Download Submit
  • memory/1220-150-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-147-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-154-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-142-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-143-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-144-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-146-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-153-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-148-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-149-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-152-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1220-151-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/3800-134-0x00000000026C0000-0x0000000002A90000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/3800-136-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/3800-139-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download