Overview

overview

10

Static

static

1

3011d8256e...5b.exe

windows7-x64

10

3011d8256e...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2023 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3011d8256ead8820223359556ec2c85b.exe

  • Size

    360KB

  • MD5

    3011d8256ead8820223359556ec2c85b

  • SHA1

    403343881d8440f0cae73e82bc41b32c8b9d4816

  • SHA256

    1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20

  • SHA512

    49259be1b24ddb1607a78f4760bc937dff58917984a473101f0c5b27e363e90dad72455314e8725832238785dd3b84454637b5018ce0c434a7c6b90f58a5ab3d

  • SSDEEP

    3072:040TlxQfw/y/7juaehfHY1Agbv6oL4OHkfk235cDk5v0WKSNyg/fbakoggwn0JV:O8myVs/Al4OHU3ODkJU6f2E

Score
10/10
laplasclipperdiscoverypersistencespywarestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3011d8256ead8820223359556ec2c85b.exe
    "C:\Users\Admin\AppData\Local\Temp\3011d8256ead8820223359556ec2c85b.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
        "C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Executes dropped EXE
          PID:1844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3011d8256ead8820223359556ec2c85b.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
    Filesize

    1.9MB

    MD5

    6b4854e6cad19b61eda6eb5e68dcfd80

    SHA1

    f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

    SHA256

    dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

    SHA512

    bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
    Filesize

    1.9MB

    MD5

    6b4854e6cad19b61eda6eb5e68dcfd80

    SHA1

    f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

    SHA256

    dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

    SHA512

    bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    443.2MB

    MD5

    0f4ef0c7d302d1acd3f9b3bc49faa62c

    SHA1

    0dc90899e9a4a99d8fb752cb1952d2cc53c80064

    SHA256

    18102994309df6185a890756ecf480b7110904056047e1ca7bd153eeb6df898c

    SHA512

    fa51c4c7c06011282d8f1832f9b733e430e909a6f88db84b28b1fa4813ebaafb3fee5bf12e50a92106e6c54c4f5aa213ffc312bcccc71cc834390e65cb8a6d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    349.0MB

    MD5

    da2877a0cbe80bbcb04e19a97c245890

    SHA1

    1b16d38ceab1af28237b671b50d950fa2eb2c3f5

    SHA256

    a08f0e789df4cd970fffc6a07d3c5d93c6010231cdaef3bbba34ca79979c340a

    SHA512

    e18797117993e56965cd3dc4c27801a19691605f42656cd72b2674cd049a978fc2a67e8edb953be4c2dab63ba7005475d529aceb03823ad91b234d903d2c513e

    Download Submit

  • \ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit

  • \ProgramData\nss3.dll
    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    Download Submit

  • \Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
    Filesize

    1.9MB

    MD5

    6b4854e6cad19b61eda6eb5e68dcfd80

    SHA1

    f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

    SHA256

    dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

    SHA512

    bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
    Filesize

    1.9MB

    MD5

    6b4854e6cad19b61eda6eb5e68dcfd80

    SHA1

    f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

    SHA256

    dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

    SHA512

    bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    428.9MB

    MD5

    a4c063ccd80fe16d524ff98a43a8e9dc

    SHA1

    24777bc1dc2436546fc8f79ba1f0e202e0d88988

    SHA256

    05a37d215c9497cf625a0982d7040e5474a13f602137259504ff4487d0c2a483

    SHA512

    897325d7a46e2771249c218015a29f3fdf86a567897376e06bbc924274e0280c7829b13475b2ae5405e9776b6724be1860fefd66daf663353d5ac9d4f12b5dec

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    419.5MB

    MD5

    e35f8990bf0c669903e2856c08823d3f

    SHA1

    0ca22148d2ce70eeeb208270892af0594fddee77

    SHA256

    24705623be57a2eadfeb6b3d042ed55dc9613988e031d1edb431abec21926478

    SHA512

    dc916f508dda1964386d39bffe3aa832004d66fccaccf5427cb956be1e3d25ea44ee413f4bbf9763559f0193daa7f0d9a50a5e5f2ba1a2acbc75b678eb425fd0

    Download Submit

  • memory/1320-119-0x0000000000400000-0x0000000000628000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1320-115-0x0000000000400000-0x0000000000628000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1320-55-0x00000000003A0000-0x00000000003B5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1320-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

    Download

  • memory/1712-134-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1712-125-0x0000000002460000-0x0000000002830000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1712-124-0x00000000022B0000-0x000000000245A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1844-140-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-136-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-137-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-138-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-135-0x00000000021B0000-0x000000000235A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1844-141-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-142-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-144-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-145-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-146-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-147-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1844-148-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download