Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    194s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/03/2023, 16:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe

  • Size

    1.8MB

  • MD5

    0a935300ad790ad8d03666b1f14e73a4

  • SHA1

    57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

  • SHA256

    9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

  • SHA512

    64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

  • SSDEEP

    49152:HRS3ddTQVvnRdoXwG1a/MrkK9daCBCimRL6E84TB:xSk4XwG1lr0PR8iB

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe
    "C:\Users\Admin\AppData\Local\Temp\9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:220

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    16.1MB

    MD5

    abb69a4ad4753ee00e0661a7546718cd

    SHA1

    6460c7bf3c145a849a887be1dae18c8a0fde20a5

    SHA256

    14d050a912dd78d51c7b7e476650e962dee901895e3e89a9209f5c6ac10fe6dc

    SHA512

    6be70eda2f171cf6a64d437e77c94d3271cb333b384a796da97de2de072362cd416574874cc5455e93dc11c8bd07337309674b419ec1da0bcc089207c0ef6016

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    16.4MB

    MD5

    b8b8e3c22453d93e009bad3de17771b6

    SHA1

    9df39d8b649d7fd00833f9ee1cc99fd907b2c180

    SHA256

    1f7bca40d405587c458e3af0633937cbc86ace9d714fc530aa0b6f1f310b834f

    SHA512

    760aeb61bd0e1c7569c1ef91af788a56aad0d4c3d276ad5748c40194ca8413677f43316d1aadc0003eb1125f3563a5a09ea2666ee8aa1c9e1f01ba449ecb044e

    Download Submit

  • memory/220-153-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3204-134-0x0000000002730000-0x0000000002B00000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3204-135-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3204-136-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3204-137-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3204-140-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3204-143-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3204-144-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3204-150-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download