Overview

overview

10

Static

static

1

406a0e14b6...e1.exe

windows7-x64

10

406a0e14b6...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2023 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    406a0e14b6569ebc5f1086801e043fe1.exe

  • Size

    1.8MB

  • MD5

    406a0e14b6569ebc5f1086801e043fe1

  • SHA1

    b15c199f31dcddcd37f10f143b62f2ff998324c6

  • SHA256

    5502d7c1c81714b998f594e523274a828d919f69dc08bffde5fe118918a8f43b

  • SHA512

    f367e8c6a84192925cad8d7de697435220835de2068bf66fa6e29f59680ea4f74dc42b92a6ba16e27bd71194a4104c0a3e06ecd5a2e484473e8ec9669b1ae65a

  • SSDEEP

    49152:VJGty7g6F2SKtEjjbgitUonmkXhDbl0nXj5:VJzpF2SKtEjfBUChTm5

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\406a0e14b6569ebc5f1086801e043fe1.exe
    "C:\Users\Admin\AppData\Local\Temp\406a0e14b6569ebc5f1086801e043fe1.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    681.8MB

    MD5

    a402fafc74cd13a536985b1d58c09df9

    SHA1

    f808a7f96341a1051c623d79dade3cf19a5f4179

    SHA256

    5fa382892f38948025b77809615926577dc30e7a07b4611910541ec473a85d3b

    SHA512

    ab7d62a00fd4ecacc8133cbdbe34136e97d5e2b2cf63f96abadf9551b9488ddb69ac7f2d013dcbda0e8494fb1f4f3405aac57a81b3a2f2ae4d22dfc62cce2bc1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    565.0MB

    MD5

    1f4a05f6faa1b97df5da73a84fab64a3

    SHA1

    4714963ece691b66c8c01f69ba27dde53482e285

    SHA256

    d78022050381e6a1c35f639a32d6b3783b46967afe242f31cd52f65d2b2cc14e

    SHA512

    bbaefb408a363b586f8a24929ed70f0a53bf4032f65bc1da2f4151ce00eaa817c494ebb733c638973f8e3094c1cfd216bc88f336d44ebacdba3e890f6232d1c0

    Download Submit
  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    426.5MB

    MD5

    301a20b245f6ca786da889ad613d2104

    SHA1

    2626cb7a68f8fbfdc89ddf74bb3150c854d82f18

    SHA256

    f044a4cdd3e42576615b9e7497487f94776b41424c5d5c84f3bc8cb752e2a715

    SHA512

    50b0d74d09e6d2e91ce56d2c3059efefc8dd4890b21100bed7295800fe304337074f3972c5ba4b4a8d83d484e74d1e7ec9da84bda7c4723368e12a608b6395c6

    Download Submit
  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    662.9MB

    MD5

    e303ea028b64c086ca91264ec1c01bba

    SHA1

    2ef02ca7a75eec79709145f30e5664e1dea05c73

    SHA256

    c6dcbb9548e73d7979d8ae319b8511d49da35b8e7aa89a5a75c6533341a95c77

    SHA512

    ce6c1aa74bcedcd271c3838b1da6e72ce0ec1d73e795f1427f28af19e6355b2a14ce7aa7e3ae7cf1883473597ccce98daf31ad782dbdde044d69ed7e8bfcc999

    Download Submit
  • memory/1956-66-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-76-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-80-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-65-0x00000000021B0000-0x000000000235A000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1956-79-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-68-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-70-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-71-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-72-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-74-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-78-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1956-77-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1996-55-0x0000000002250000-0x0000000002620000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1996-54-0x00000000020A0000-0x000000000224A000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1996-64-0x0000000000400000-0x0000000000893000-memory.dmp
    Filesize

    4.6MB

    Download