Overview

overview

10

Static

static

1

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    1.9MB

  • MD5

    5419d85dbbb8c57fb337f1490b3d6c21

  • SHA1

    780a46377db73dc921d3a7795412b4405ea290bf

  • SHA256

    8ee9f9bf18880afccd96ece9f1d4c384825b0de092b0ef6bd78d6d0276f67051

  • SHA512

    e1d84bb5105f62fe53c2be15d6c5f1c64accb17960aa1aa9cf2be7fef5a2de695bd0d11bc1c4d5f6ede8923f59847a6f5c052091ecf93a3ff3d10747b38d33ab

  • SSDEEP

    49152:d/P9nuxcamIidEoNDD1eHi8xvrRoHvVHQx2HylA5:dn9nMcaZidz/1eHBxvrqvefA5

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3428
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:4548

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    790.9MB

    MD5

    728a531ddcef4c134d6bd2f36724f8d5

    SHA1

    f05a13568aafacd74137e172528acc5bee4105c9

    SHA256

    c6bbb8d6de5750dc128965ea6d7a25b0aa456cc3b2aac7529f7b30dd61a5339a

    SHA512

    3ce1cbea95fcb7869b56e5a6509538379c027906f62c7e5bbd084b96cfaf418b24cff56a72d93aad961908d8b4c1ba3ad9d484326985d072195a92c196dd7312

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    790.9MB

    MD5

    728a531ddcef4c134d6bd2f36724f8d5

    SHA1

    f05a13568aafacd74137e172528acc5bee4105c9

    SHA256

    c6bbb8d6de5750dc128965ea6d7a25b0aa456cc3b2aac7529f7b30dd61a5339a

    SHA512

    3ce1cbea95fcb7869b56e5a6509538379c027906f62c7e5bbd084b96cfaf418b24cff56a72d93aad961908d8b4c1ba3ad9d484326985d072195a92c196dd7312

    Download Submit

  • memory/3428-134-0x00000000028C0000-0x0000000002C90000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3428-140-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-150-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-156-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-145-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-148-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-141-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-152-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-155-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-143-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-158-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-160-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-162-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-164-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-166-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4548-168-0x0000000000400000-0x00000000009D7000-memory.dmp

    Filesize

    5.8MB

    Download