laplas | fba703c00aa3908fd7bea1806af74aefba3f3657bf52d0f1e87cac54dd0230c4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.8MB
MD5

288a06e42d98f0624269f33259a8d969
SHA1

c7aeda50137ddb61af5e321d3612f1cbaac6490a
SHA256

fba703c00aa3908fd7bea1806af74aefba3f3657bf52d0f1e87cac54dd0230c4
SHA512

74eaeb0fe58644fa06030468d835178128f8d0df0399549b7d737da5bfcd4123f471341f760fcb0264fde0f7af056aa8b12ebb4137204227df91e741fc79c337
SSDEEP

49152:IBJjYbVrAXDZhV4hkxcJmjKpEybB5TUXhrt8:y9YVrAlf4hkWKnBRri

Score

10^/10

laplas redline test clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

test

77.91.85.137:81

Attributes

auth_value
eb42c93b96eea8a95189cf1eeb4f7c0b

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	fisherkit_cpp_build_autorun.exe

Executes dropped EXE 4 IoCs

pid	Process
3780	Looex32.exe
4972	Maat64.exe
3820	fisherkit_cpp_build_autorun.exe
3372	svcservice.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	fisherkit_cpp_build_autorun.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3780 set thread context of 3212	3780	Looex32.exe	89
PID 4972 set thread context of 3256	4972	Maat64.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3212	AppLaunch.exe
3212	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 3780	1128	file.exe	86
PID 1128 wrote to memory of 3780	1128	file.exe	86
PID 1128 wrote to memory of 3780	1128	file.exe	86
PID 3780 wrote to memory of 3212	3780	Looex32.exe	89
PID 3780 wrote to memory of 3212	3780	Looex32.exe	89
PID 3780 wrote to memory of 3212	3780	Looex32.exe	89
PID 3780 wrote to memory of 3212	3780	Looex32.exe	89
PID 3780 wrote to memory of 3212	3780	Looex32.exe	89
PID 1128 wrote to memory of 4972	1128	file.exe	90
PID 1128 wrote to memory of 4972	1128	file.exe	90
PID 1128 wrote to memory of 4972	1128	file.exe	90
PID 4972 wrote to memory of 4456	4972	Maat64.exe	92
PID 4972 wrote to memory of 4456	4972	Maat64.exe	92
PID 4972 wrote to memory of 4456	4972	Maat64.exe	92
PID 4972 wrote to memory of 2680	4972	Maat64.exe	93
PID 4972 wrote to memory of 2680	4972	Maat64.exe	93
PID 4972 wrote to memory of 2680	4972	Maat64.exe	93
PID 4972 wrote to memory of 3256	4972	Maat64.exe	94
PID 4972 wrote to memory of 3256	4972	Maat64.exe	94
PID 4972 wrote to memory of 3256	4972	Maat64.exe	94
PID 4972 wrote to memory of 3256	4972	Maat64.exe	94
PID 4972 wrote to memory of 3256	4972	Maat64.exe	94
PID 1128 wrote to memory of 3820	1128	file.exe	96
PID 1128 wrote to memory of 3820	1128	file.exe	96
PID 1128 wrote to memory of 3820	1128	file.exe	96
PID 3820 wrote to memory of 3372	3820	fisherkit_cpp_build_autorun.exe	97
PID 3820 wrote to memory of 3372	3820	fisherkit_cpp_build_autorun.exe	97
PID 3820 wrote to memory of 3372	3820	fisherkit_cpp_build_autorun.exe	97

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Maat64.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Maat64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:4456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:2680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:3256
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\fisherkit_cpp_build_autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fisherkit_cpp_build_autorun.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:3372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Maat64.exe

Filesize
2.6MB

MD5
a1501c1365cdbd1ac81269bc74a28eb1

SHA1
a7739d6b77a1ab66f63c4f56dae0169add2094da

SHA256
7109af24eacb6bfb01b221330115ed16be72d8eadb7d9fcff7567d2a9d33f41f

SHA512
79903f42e9599cebbac404897e96699752ec37f713d03df3caaed8b58a453b7e92f15a2216685bb700c49916b114345006cc1c909df2e0eddb2387389d0afc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Maat64.exe

Filesize
2.6MB

MD5
a1501c1365cdbd1ac81269bc74a28eb1

SHA1
a7739d6b77a1ab66f63c4f56dae0169add2094da

SHA256
7109af24eacb6bfb01b221330115ed16be72d8eadb7d9fcff7567d2a9d33f41f

SHA512
79903f42e9599cebbac404897e96699752ec37f713d03df3caaed8b58a453b7e92f15a2216685bb700c49916b114345006cc1c909df2e0eddb2387389d0afc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Maat64.exe

Filesize
2.6MB

MD5
a1501c1365cdbd1ac81269bc74a28eb1

SHA1
a7739d6b77a1ab66f63c4f56dae0169add2094da

SHA256
7109af24eacb6bfb01b221330115ed16be72d8eadb7d9fcff7567d2a9d33f41f

SHA512
79903f42e9599cebbac404897e96699752ec37f713d03df3caaed8b58a453b7e92f15a2216685bb700c49916b114345006cc1c909df2e0eddb2387389d0afc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fisherkit_cpp_build_autorun.exe

Filesize
240KB

MD5
c2a9fb1f229b9bbe68c0456fe9c0e104

SHA1
b272273334f230077aabdb7d9ae7685a1fb9c22c

SHA256
9ed15c437e72a3c88d7d46f9532b466bb0467070f528f8c45efe083a9deae89d

SHA512
94d44cb00dba4c0ba52e606fb8d9d206fdb646a13fe995d81570ad2473320c6f9661b89069415f3bac7dae9e67250b9d84701d1ff5635fa1fb9cdd173748f31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fisherkit_cpp_build_autorun.exe

Filesize
240KB

MD5
c2a9fb1f229b9bbe68c0456fe9c0e104

SHA1
b272273334f230077aabdb7d9ae7685a1fb9c22c

SHA256
9ed15c437e72a3c88d7d46f9532b466bb0467070f528f8c45efe083a9deae89d

SHA512
94d44cb00dba4c0ba52e606fb8d9d206fdb646a13fe995d81570ad2473320c6f9661b89069415f3bac7dae9e67250b9d84701d1ff5635fa1fb9cdd173748f31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fisherkit_cpp_build_autorun.exe

Filesize
240KB

MD5
c2a9fb1f229b9bbe68c0456fe9c0e104

SHA1
b272273334f230077aabdb7d9ae7685a1fb9c22c

SHA256
9ed15c437e72a3c88d7d46f9532b466bb0467070f528f8c45efe083a9deae89d

SHA512
94d44cb00dba4c0ba52e606fb8d9d206fdb646a13fe995d81570ad2473320c6f9661b89069415f3bac7dae9e67250b9d84701d1ff5635fa1fb9cdd173748f31a

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
605.1MB

MD5
55b7d2f0cc794b013967fc65187d8e0d

SHA1
2c80f6909ef02f88d0e06576adc815a7ec7512d7

SHA256
f1382d5d8c2dbe17a99824277247b6af946cbbe53d721fdc76ca8dc41c34c993

SHA512
7d0ad4ed50486f96c33001210f421976be3d84e3f2817169b0b95f90f3f5336572a7b6547e7eb731f467b1208eb78f6497e4db776016387f315bc2d04fd7fa9f

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
615.8MB

MD5
6b3909589ebf4fe8d3198c7647d4ef0e

SHA1
8d6f4f2186717761dbaf07bee2c13dbdb27d2ae6

SHA256
74c4787f389c61a709172e79cb3436648884d8a51c86dbb6579551442cc9bf31

SHA512
324788a0de5727c02fd9dd6acb404e9987fd3464f23f0ee679ed1d4cf01ee9a0e45f31d289b7a9c40e77f956e6d2d2fdd19d99475c38d2412916c18a1c58b06b

Download Submit
memory/3212-392-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/3212-492-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3212-549-0x0000000006800000-0x0000000006850000-memory.dmp

Filesize
320KB

Download
memory/3212-194-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

Filesize
72KB

Download
memory/3212-535-0x0000000008A60000-0x0000000008F8C000-memory.dmp

Filesize
5.2MB

Download
memory/3212-530-0x0000000008360000-0x0000000008522000-memory.dmp

Filesize
1.8MB

Download
memory/3212-200-0x0000000005020000-0x000000000505C000-memory.dmp

Filesize
240KB

Download
memory/3212-203-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3212-504-0x00000000064C0000-0x0000000006526000-memory.dmp

Filesize
408KB

Download
memory/3212-389-0x0000000005320000-0x0000000005396000-memory.dmp

Filesize
472KB

Download
memory/3212-189-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/3212-497-0x00000000069C0000-0x0000000006F64000-memory.dmp

Filesize
5.6MB

Download
memory/3212-149-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3212-192-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/3256-164-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3256-193-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3256-197-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3256-195-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3256-191-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download