Overview

overview

10

Static

static

1

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2023 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    1.9MB

  • MD5

    181cf5e5f39bbe387b3b985b826b16f1

  • SHA1

    4de92a14f49359ed21c3ee0be536f3126eda37db

  • SHA256

    2f76513c2b7c8f967a70526fdcf1e5c7976a4a77496e81be277c71fbbfcc3f54

  • SHA512

    56acae12a3af47a0ac9cf7261e5e51e4f34fb37fed8026f3694ab013eed3c5a5898733ab0d8dc99294af8b1cd80348f75efc262697b7ccea4c69188a9eb7b6b8

  • SSDEEP

    49152:TkLM27jaMzaTnmg4Gd+cauh5ZvumK3GVtoxRTGs:TGM2GMuCg4h05ZvpILRL

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    253.2MB

    MD5

    f81f3765c3d61e45857470eecc0a529a

    SHA1

    2811faa2fee967d53d2423a345b22b69a8d602c1

    SHA256

    b69bdabdc28e9b9b35b28c03aec2b84f0a79199caad0ca5364bf7ac3babba3a3

    SHA512

    a5240a5b435b9e54b82db224a6db320d2f8471f8f3caf47ae4402270cd31c46c344ccb8cf5c944bf1173375fc0e733cb2ca9a46a11e0528b9b0d3d148633040b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    276.6MB

    MD5

    e7227ce4666ac22c03dff6dc63562fa4

    SHA1

    7a2da4d8983dfde2b1199891fba9305ef2166e70

    SHA256

    15cdfc5b2414a60072d8c2d4f7fb8967413a70f354a501be1be400e595205086

    SHA512

    6e2afa7e3ef8af37c6ab6577562e400bd621bb1c33e9392fd943971960d30e40e566553934db0a635bdc2145668b786faec1c4ea4f109c3bd09b4698209d9b2c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    258.8MB

    MD5

    44140630abcdb1c6623abfce3657dba0

    SHA1

    1c3cbee83785918558d98687c15560bdb461dd7c

    SHA256

    8196be3cc56240ba070a4a15efd3ee725223507cf0c773529a9ffb8a2cc3134c

    SHA512

    93d32afd338de9e3a5d0a14ff76d3fb45eb69cac56963ddf37e0f00cd9cf59d8a07c4d3c0f57f0d8b92c3ab27cb48e95198e4c3ffd83c8d5adc9d7a7ac3ce60c

    Download Submit
  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    277.4MB

    MD5

    3dc0a5d7eea9fae0660be510e0f3383a

    SHA1

    8900f699fdc8e421bb773b6ce0eaceb7e921a555

    SHA256

    6575a74872e7653bfa2d0c376e3189abbf8549de7a5a2b0a69874162225456b3

    SHA512

    e458cb80251112dc0a16bfed8208f32f76f39415ce0e512e362e3723f98014580a9ccf413b24618ffdc2bdf8312f7b0c8045082b85aad7a0dea311b708ed0bca

    Download Submit
  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    276.7MB

    MD5

    39dc2750136a8e0c6ab7b52baf8cb002

    SHA1

    027a0d7624093db7bf207683f592ab5a24fe5545

    SHA256

    6d3c298ba03a4258a6005e28738257ad4ebf45dd2c090e80f710b6b57c5641db

    SHA512

    29a3321e0954ec47dc0ba9d486a7bba2e137d201ba13eca1195304e607ce185ee5ebdace4b7b4ccd37a51816f34f08600c965d07a094a465bf53554386ea6a78

    Download Submit
  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    227.6MB

    MD5

    cea2d92740f87b208c55d94dcdaaed18

    SHA1

    1fcd575bad8859b3ae0ed19ceef6237895917f7a

    SHA256

    44dbe9fcae361a7c393a1105f7ecea1b17fa431506ac9887d0efbc2fe366f831

    SHA512

    08d2b36693ec1e7f5eb8399ad988032b1486c47908b8e62fdd651f1a3416a4412bc3a4f754f713543fcb1e10048cd1e8ca0f19219d4b21c851003c956fbec747

    Download Submit
  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    277.2MB

    MD5

    4cc8106dee3cae279ae0b1be63ec889b

    SHA1

    dbc3fb2327bfeedaee2c90f08c6ec2dc0e9d0ec0

    SHA256

    a18500f07648a5a43c1abfd72f07bf94e6c5d1d72d554c465ad7c0d6f51427e1

    SHA512

    70e669ef1d8cd1025979d883667fcef8d03dc2bffa21f734b55a2952ceae1fc237f4ee58e3618f388ab425b6055d3c194922e480297afd9c60155a64653d7830

    Download Submit
  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    274.6MB

    MD5

    374c4e5eaaf127476f38b20833f05919

    SHA1

    c87cccd8473480d6f5bc007817e27271411caead

    SHA256

    93578a451fa7189221812153761a9fc666cc7e2698c1425b06ae9e07bdd75a5b

    SHA512

    19da4969126512280711918db5f8eb2b5478f19b7e451a9cbff3bf104712bde9b97184fac7505dda188502de29749363d3864ca6a8967d2d7f73cb6c3a91e8fc

    Download Submit
  • memory/1476-54-0x0000000002400000-0x00000000025AA000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1476-55-0x00000000025B0000-0x0000000002980000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1476-65-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-70-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-78-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-71-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-72-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-75-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-76-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-77-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-69-0x0000000002350000-0x00000000024FA000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1928-79-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-80-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-81-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-82-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-83-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1928-84-0x0000000000400000-0x0000000000803000-memory.dmp
    Filesize

    4.0MB

    Download