laplas | 82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24

Analysis

max time kernel
17s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe2457d4da43adde492576a91398086e.exe
Size

8.6MB
MD5

fe2457d4da43adde492576a91398086e
SHA1

8c7c1efd47044f1d31cee78ea6c73df1a9296dea
SHA256

82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
SHA512

b16fcdf02fe6e9f148d40cc04529840c98065bc2b69e144ff33e82c8285134b3e2c5e832c659132f8a99885e2b02589e2474f4d93b3bcef750ea1f2a64ffaf1a
SSDEEP

49152:pKnK6YN8UMtKNKogIHvueIxgfSZJxUu3INODRUgeCseICR7NWm8qpHakXvLQh0/o:on1YN8dKNcJxtISeCrXv0W/qpDRX5L

Score

10^/10

laplas redline fm clipper infostealer stealer

Malware Config

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

redline

Botnet

91.193.43.63:81

Attributes

auth_value
686ed4f5bce1c0303019c1940beddd78

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	fe2457d4da43adde492576a91398086e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Shelds32.exe

Executes dropped EXE 4 IoCs

pid	Process
5064	c1.exe
1736	Shelds32.exe
384	f1.exe
2376	m1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 4680	384	f1.exe	91
PID 2376 set thread context of 4660	2376	m1.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5024	384	WerFault.exe	90
560	2376	WerFault.exe	89

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	61	Go-http-client/1.1

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 5064	2276	fe2457d4da43adde492576a91398086e.exe	87
PID 2276 wrote to memory of 5064	2276	fe2457d4da43adde492576a91398086e.exe	87
PID 2276 wrote to memory of 5064	2276	fe2457d4da43adde492576a91398086e.exe	87
PID 2276 wrote to memory of 1736	2276	fe2457d4da43adde492576a91398086e.exe	88
PID 2276 wrote to memory of 1736	2276	fe2457d4da43adde492576a91398086e.exe	88
PID 2276 wrote to memory of 1736	2276	fe2457d4da43adde492576a91398086e.exe	88
PID 1736 wrote to memory of 2376	1736	Shelds32.exe	89
PID 1736 wrote to memory of 2376	1736	Shelds32.exe	89
PID 1736 wrote to memory of 2376	1736	Shelds32.exe	89
PID 1736 wrote to memory of 384	1736	Shelds32.exe	90
PID 1736 wrote to memory of 384	1736	Shelds32.exe	90
PID 1736 wrote to memory of 384	1736	Shelds32.exe	90
PID 384 wrote to memory of 4680	384	f1.exe	91
PID 384 wrote to memory of 4680	384	f1.exe	91
PID 384 wrote to memory of 4680	384	f1.exe	91
PID 384 wrote to memory of 4680	384	f1.exe	91
PID 384 wrote to memory of 4680	384	f1.exe	91
PID 2376 wrote to memory of 4660	2376	m1.exe	94
PID 2376 wrote to memory of 4660	2376	m1.exe	94
PID 2376 wrote to memory of 4660	2376	m1.exe	94
PID 2376 wrote to memory of 4660	2376	m1.exe	94
PID 2376 wrote to memory of 4660	2376	m1.exe	94

C:\Users\Admin\AppData\Local\Temp\fe2457d4da43adde492576a91398086e.exe
"C:\Users\Admin\AppData\Local\Temp\fe2457d4da43adde492576a91398086e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe
  "C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe"
  2⤵
  - Executes dropped EXE
  PID:5064
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    PID:8496
- C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe
  "C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 340
      4⤵
      Program crash
      PID:560
- - C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 336
      4⤵
      Program crash
      PID:5024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "fe2457d4da43adde492576a91398086e.exe"
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 384 -ip 384
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2376 -ip 2376
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
63.2MB

MD5
014766c6abc414bfb281306a00cdb06b

SHA1
eef0a201414f51a641a6c8ba5c7197bd5a84c333

SHA256
972322be053e1d9d3675130aadfbf8234c1783851254946b03664af48c136c6c

SHA512
7a270d435f588c00be173f868c12045efc86f52554561755c7d83ff05479c0df6151106d914118b4f1846890c65c22cde74e7f6fc8c31c3f2065c873bc04e803

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
103.3MB

MD5
f240f8cf26a075d5b3b779109ba22186

SHA1
3a6e9760a7738d4172393c47d0863dd8141f578b

SHA256
daccb925486b9741c0666f1ea74e653ee28e134b97587902151b69422c1abacd

SHA512
5365aa82eb0ec4e4492fc5b9e7e00380221e35df344ce4e47a0908cac459332d10ee871c9013f05e4bf88c89819a169f2c76648d82cf45b9518a234440ec6baa

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe

Filesize
4.8MB

MD5
b3492f2a3f077b285966e8190d95a7d9

SHA1
ac1ebd096d80a41f6ea19aff2607259183ac649a

SHA256
761b483f0c0322092784e53bfcbe66bfc95a4ce7fb7842a8b639629cfe5073f3

SHA512
d360296106253d9d525bd54a215a9aca815a665ba43eaa357e906428ee744f13f54fbfd9d07abb9cb621ef6a799a37bc7cf0fbff22022e31fe811abf8ed9dfea

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe

Filesize
4.8MB

MD5
b3492f2a3f077b285966e8190d95a7d9

SHA1
ac1ebd096d80a41f6ea19aff2607259183ac649a

SHA256
761b483f0c0322092784e53bfcbe66bfc95a4ce7fb7842a8b639629cfe5073f3

SHA512
d360296106253d9d525bd54a215a9aca815a665ba43eaa357e906428ee744f13f54fbfd9d07abb9cb621ef6a799a37bc7cf0fbff22022e31fe811abf8ed9dfea

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe

Filesize
4.8MB

MD5
b3492f2a3f077b285966e8190d95a7d9

SHA1
ac1ebd096d80a41f6ea19aff2607259183ac649a

SHA256
761b483f0c0322092784e53bfcbe66bfc95a4ce7fb7842a8b639629cfe5073f3

SHA512
d360296106253d9d525bd54a215a9aca815a665ba43eaa357e906428ee744f13f54fbfd9d07abb9cb621ef6a799a37bc7cf0fbff22022e31fe811abf8ed9dfea

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe

Filesize
3.8MB

MD5
0a0b3aacdc321a1612d01e285993250b

SHA1
802205c8d1e0a1b6d203815df513fabb4948ad8c

SHA256
4b7b83c99991371b9756ff91ec07abfbbc1c0cc17caf422e6ecd062f2d84cf9a

SHA512
03c4bbe0778b5e839f8e2b09ab189676ef0ed40ee7d098c49575b63ea42bba82ba56dd88d7783e4c4970d20e13debfc5c27556513aac6811264c77211962eb62

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe

Filesize
3.8MB

MD5
0a0b3aacdc321a1612d01e285993250b

SHA1
802205c8d1e0a1b6d203815df513fabb4948ad8c

SHA256
4b7b83c99991371b9756ff91ec07abfbbc1c0cc17caf422e6ecd062f2d84cf9a

SHA512
03c4bbe0778b5e839f8e2b09ab189676ef0ed40ee7d098c49575b63ea42bba82ba56dd88d7783e4c4970d20e13debfc5c27556513aac6811264c77211962eb62

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe

Filesize
3.8MB

MD5
0a0b3aacdc321a1612d01e285993250b

SHA1
802205c8d1e0a1b6d203815df513fabb4948ad8c

SHA256
4b7b83c99991371b9756ff91ec07abfbbc1c0cc17caf422e6ecd062f2d84cf9a

SHA512
03c4bbe0778b5e839f8e2b09ab189676ef0ed40ee7d098c49575b63ea42bba82ba56dd88d7783e4c4970d20e13debfc5c27556513aac6811264c77211962eb62

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe

Filesize
1.3MB

MD5
6fbb68ec3f04b2961b81c9c4bb591b18

SHA1
cc215398392070b62ac0edb951804f8c76630d08

SHA256
0ab25294685dfc422eb597698b11442e8cf4afb44bea0cd6305477f8a0f5d904

SHA512
189bc24be8bf4abd19ea4f2b8262a55b7e8665dc0d04474cf868b997ef31bb438813f1bdf87b4f54adafef7184b74ed943ca22ec027d05206beb2deb5bdf0e39

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe

Filesize
1.3MB

MD5
6fbb68ec3f04b2961b81c9c4bb591b18

SHA1
cc215398392070b62ac0edb951804f8c76630d08

SHA256
0ab25294685dfc422eb597698b11442e8cf4afb44bea0cd6305477f8a0f5d904

SHA512
189bc24be8bf4abd19ea4f2b8262a55b7e8665dc0d04474cf868b997ef31bb438813f1bdf87b4f54adafef7184b74ed943ca22ec027d05206beb2deb5bdf0e39

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe

Filesize
1.3MB

MD5
6fbb68ec3f04b2961b81c9c4bb591b18

SHA1
cc215398392070b62ac0edb951804f8c76630d08

SHA256
0ab25294685dfc422eb597698b11442e8cf4afb44bea0cd6305477f8a0f5d904

SHA512
189bc24be8bf4abd19ea4f2b8262a55b7e8665dc0d04474cf868b997ef31bb438813f1bdf87b4f54adafef7184b74ed943ca22ec027d05206beb2deb5bdf0e39

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe

Filesize
3.6MB

MD5
4fb7d752ce196cd847ec8bacd9c51906

SHA1
c3325b47ae7348d38c97157c7e8cfaeb4b2c4a52

SHA256
8dae0e9964e70eb34d55763bd6f4a23c08d0f253e1c07002e04d69025d8bc749

SHA512
a0c52c4c84f60d41ab8a2e9b779e2f81adc902c61c58546c6c745e4e9eb86d10d94d7a75f45c87f109c0bb6898f7af31f5504c750ac3f58b5d18d8998b5a3e83

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe

Filesize
3.6MB

MD5
4fb7d752ce196cd847ec8bacd9c51906

SHA1
c3325b47ae7348d38c97157c7e8cfaeb4b2c4a52

SHA256
8dae0e9964e70eb34d55763bd6f4a23c08d0f253e1c07002e04d69025d8bc749

SHA512
a0c52c4c84f60d41ab8a2e9b779e2f81adc902c61c58546c6c745e4e9eb86d10d94d7a75f45c87f109c0bb6898f7af31f5504c750ac3f58b5d18d8998b5a3e83

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe

Filesize
3.6MB

MD5
4fb7d752ce196cd847ec8bacd9c51906

SHA1
c3325b47ae7348d38c97157c7e8cfaeb4b2c4a52

SHA256
8dae0e9964e70eb34d55763bd6f4a23c08d0f253e1c07002e04d69025d8bc749

SHA512
a0c52c4c84f60d41ab8a2e9b779e2f81adc902c61c58546c6c745e4e9eb86d10d94d7a75f45c87f109c0bb6898f7af31f5504c750ac3f58b5d18d8998b5a3e83

Download Submit
memory/1736-153-0x0000000000C20000-0x00000000010FA000-memory.dmp

Filesize
4.9MB

Download
memory/2276-133-0x0000000000680000-0x0000000000F2C000-memory.dmp

Filesize
8.7MB

Download
memory/4660-203-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4660-200-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4660-201-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4660-199-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4660-180-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4680-289-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/4680-322-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4680-178-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4680-176-0x00000000050A0000-0x00000000051AA000-memory.dmp

Filesize
1.0MB

Download
memory/4680-177-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/4680-318-0x0000000006460000-0x00000000064F2000-memory.dmp

Filesize
584KB

Download
memory/4680-315-0x0000000006900000-0x0000000006EA4000-memory.dmp

Filesize
5.6MB

Download
memory/4680-179-0x0000000005010000-0x000000000504C000-memory.dmp

Filesize
240KB

Download
memory/4680-327-0x0000000006580000-0x00000000065F6000-memory.dmp

Filesize
472KB

Download
memory/4680-329-0x0000000006500000-0x0000000006550000-memory.dmp

Filesize
320KB

Download
memory/4680-335-0x0000000006EB0000-0x0000000007072000-memory.dmp

Filesize
1.8MB

Download
memory/4680-340-0x00000000075B0000-0x0000000007ADC000-memory.dmp

Filesize
5.2MB

Download
memory/4680-175-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/4680-170-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads