Overview

overview

10

Static

static

1

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-03-2023 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    1.9MB

  • MD5

    d6303b5e2715697555ca0a3fc515cf9a

  • SHA1

    6f3237546882a9363184b5450cd9806e65be1834

  • SHA256

    5c7cb9a9b08fcef3597ee3c317d52e202895aaa9387727e7c68941740c8938b1

  • SHA512

    675dda1890f44de32b63946f2a9cad5a65b2cc50fe55152756f2abc3238c495faea1dec89e5bbcf181fb1cc6e3c709c1e8bfc5deae3cec8b835f3696252c9e76

  • SSDEEP

    49152:wyLf8FgO/T2/mQgLqaUO5EDkbw1etC8wZkg:jD8Fg//m3Lqa3AktKkg

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    836.9MB

    MD5

    61a0dd6add474f53b893786bf5cc2aab

    SHA1

    b2b3273a12899a3bc15095331e1fb04db49c2e17

    SHA256

    369d86157e1973b61cbcd6674c7a7bafa0ebe0986050b0dad538be5f13d47435

    SHA512

    7a3f03f25704ccbc4d1cee8c856def6483e97cd3cb33e35ff72e07a5749d31deb19cb94035ba068d01e2c0db8a96cd48bca31d2f59a1fe3fa0af97483dfb52e1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    836.9MB

    MD5

    61a0dd6add474f53b893786bf5cc2aab

    SHA1

    b2b3273a12899a3bc15095331e1fb04db49c2e17

    SHA256

    369d86157e1973b61cbcd6674c7a7bafa0ebe0986050b0dad538be5f13d47435

    SHA512

    7a3f03f25704ccbc4d1cee8c856def6483e97cd3cb33e35ff72e07a5749d31deb19cb94035ba068d01e2c0db8a96cd48bca31d2f59a1fe3fa0af97483dfb52e1

    Download Submit

  • memory/1460-134-0x0000000002570000-0x0000000002940000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1460-139-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-145-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-143-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-141-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-146-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-147-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-148-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-150-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-151-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-152-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-153-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1900-154-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download