Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    269s
  • max time network
    282s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-04-2023 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    069cea06b86b712c69a0b18759241f208ef795eaee50ae8e0bdd5a7e75a1c7f5.exe

  • Size

    2.8MB

  • MD5

    6500da2232915280dd2e80ff34acc12e

  • SHA1

    c9338a8d7906fef20ae1450271dc06c7765c88f3

  • SHA256

    069cea06b86b712c69a0b18759241f208ef795eaee50ae8e0bdd5a7e75a1c7f5

  • SHA512

    1b5e7f2ee005895af14df09343afaee3aebac3a400c8636bc61e19d7232140c73ea7803f98afc5474d5046066d87e3fb6af3894a7fab68b31925227b7c5eae4f

  • SSDEEP

    49152:D+xYLpNEA9IVxzAAXAxgYCHJeoSV+yfpyl/RlGzMETVlJvZmx6DhP03iln14Vuzd:D+CGVVxzAAwxgYCk+yfaKzdTVlJRm6hF

Score
10/10
laplasclipperevasionpersistencestealertrojan

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\069cea06b86b712c69a0b18759241f208ef795eaee50ae8e0bdd5a7e75a1c7f5.exe
    "C:\Users\Admin\AppData\Local\Temp\069cea06b86b712c69a0b18759241f208ef795eaee50ae8e0bdd5a7e75a1c7f5.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1272

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    752.8MB

    MD5

    2005c6e53c469978d2d0633a101ed98c

    SHA1

    c2396f9b171a73453632585a2f8c71a6094a5658

    SHA256

    00ecb8669993dc23a5e076497b05d27673b27c8cc38579a4cadd924377d9685d

    SHA512

    f8990f7b07f60913a10f9c99d648b5bdf857ffd78c80bcf59fc3137e81eb1e3e11d84c3973a524db2d0a262458f459c28f4d6d73fe892042c2f567c6c0c17fbf

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    752.8MB

    MD5

    2005c6e53c469978d2d0633a101ed98c

    SHA1

    c2396f9b171a73453632585a2f8c71a6094a5658

    SHA256

    00ecb8669993dc23a5e076497b05d27673b27c8cc38579a4cadd924377d9685d

    SHA512

    f8990f7b07f60913a10f9c99d648b5bdf857ffd78c80bcf59fc3137e81eb1e3e11d84c3973a524db2d0a262458f459c28f4d6d73fe892042c2f567c6c0c17fbf

    Download Submit

  • memory/1272-80-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-91-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-102-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-81-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-100-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-99-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-98-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-97-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-66-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-67-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-68-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-69-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-70-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-71-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-72-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-82-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-74-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-75-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-76-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-77-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-101-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-96-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-73-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-83-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-84-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-85-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-86-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-87-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-88-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-89-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-90-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-95-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-92-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-93-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1272-94-0x00000000000A0000-0x0000000000935000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1720-56-0x00000000008B0000-0x0000000001145000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1720-59-0x00000000008B0000-0x0000000001145000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1720-55-0x00000000008B0000-0x0000000001145000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1720-65-0x00000000008B0000-0x0000000001145000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1720-57-0x00000000008B0000-0x0000000001145000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1720-60-0x00000000008B0000-0x0000000001145000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1720-54-0x00000000008B0000-0x0000000001145000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/1720-58-0x00000000008B0000-0x0000000001145000-memory.dmp

    Filesize

    8.6MB

    Download