Overview

overview

10

Static

static

1

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    1.9MB

  • MD5

    2cab02f2e9bdffa47eabd1fe499cb659

  • SHA1

    dda9070cebb6e9f4cd452ab681815497d590a719

  • SHA256

    1e85dc00b32d476b0f48f95c74b4d414a91144f5b181815d55908067ac0f25c0

  • SHA512

    2b56cae6faa229365a7b1297ab5078fef485b6084ba5ac699cde93af700f831d92c58f5dcffd08b7ec7187b2b173036b4ddeb197b16f8c429f6e0136cc1b8079

  • SSDEEP

    49152:Z4W99T3jU5/iEhr9pk59e0GPkZs9M47Ke2t/vGlcC6H7WCag6lX:Zj/T3IFiA85GNKp5GlGH7W66lX

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:2656

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    848.9MB

    MD5

    59696d2a4044d1645d03a8867fc3fc10

    SHA1

    1953c0ebd6ae77bd0a897d7fdde81d30df6d4b19

    SHA256

    b6f2f4a090d2fab1237ef67373dfcbe8202d68b598dfc7f3a81526d537412d81

    SHA512

    eb16b72890c73ee48243d5c3c22a86f329a88d49b46f464c5a81f23d950012d78470de3a74a2db2e0366d18cc3bf0e17381dd1a8c0f6f91bd9c57204d47a0cb2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    848.9MB

    MD5

    59696d2a4044d1645d03a8867fc3fc10

    SHA1

    1953c0ebd6ae77bd0a897d7fdde81d30df6d4b19

    SHA256

    b6f2f4a090d2fab1237ef67373dfcbe8202d68b598dfc7f3a81526d537412d81

    SHA512

    eb16b72890c73ee48243d5c3c22a86f329a88d49b46f464c5a81f23d950012d78470de3a74a2db2e0366d18cc3bf0e17381dd1a8c0f6f91bd9c57204d47a0cb2

    Download Submit

  • memory/2656-150-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-152-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-141-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-143-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-145-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-148-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-168-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-166-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-154-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-156-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-158-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-160-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-162-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2656-164-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4868-140-0x0000000000400000-0x00000000009D8000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4868-134-0x00000000026C0000-0x0000000002A90000-memory.dmp

    Filesize

    3.8MB

    Download