laplas | f2d67d7c5e9bf1f4b093ba63a7c4fddf26571b0d083e675646504da0e5a390c0

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-04-2023 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.6MB
MD5

595c641e1e7d089bba4704da751d8ca1
SHA1

0978659af6c1fd8e1e68cb01efca462e79c371cf
SHA256

f2d67d7c5e9bf1f4b093ba63a7c4fddf26571b0d083e675646504da0e5a390c0
SHA512

1e258a708806580ee3936ef6dfe09aa5516f389aa6159ceeea5263534c5c604cb88813b0073487715b39fe13b06c2c0a184aedd4c53880b065f3bfa259424aa8
SSDEEP

49152:IBJ1VMeFLH5Or9d+9QjaAPC70V1ev4iFu+krSd0PAZQZCQJLNAcEap:y/VMQDQ9KuvC7O1ev4iUW06/aL

Score

10^/10

laplas redline red clipper infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

RED

79.137.202.0:81

Attributes

auth_value
49e32ec54afd3f75dadad05dbf2e524f

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1488	KE39lK.exe
988	9Kju34.exe
1096	J30lk3.exe
2776	svcservice.exe

Loads dropped DLL 14 IoCs

pid	Process
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1324	file.exe
1096	J30lk3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	J30lk3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 888	1488	KE39lK.exe	29
PID 988 set thread context of 1624	988	9Kju34.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1488	1324	file.exe	27
PID 1324 wrote to memory of 1488	1324	file.exe	27
PID 1324 wrote to memory of 1488	1324	file.exe	27
PID 1324 wrote to memory of 1488	1324	file.exe	27
PID 1488 wrote to memory of 888	1488	KE39lK.exe	29
PID 1488 wrote to memory of 888	1488	KE39lK.exe	29
PID 1488 wrote to memory of 888	1488	KE39lK.exe	29
PID 1488 wrote to memory of 888	1488	KE39lK.exe	29
PID 1488 wrote to memory of 888	1488	KE39lK.exe	29
PID 1488 wrote to memory of 888	1488	KE39lK.exe	29
PID 1488 wrote to memory of 888	1488	KE39lK.exe	29
PID 1488 wrote to memory of 888	1488	KE39lK.exe	29
PID 1488 wrote to memory of 888	1488	KE39lK.exe	29
PID 1324 wrote to memory of 988	1324	file.exe	30
PID 1324 wrote to memory of 988	1324	file.exe	30
PID 1324 wrote to memory of 988	1324	file.exe	30
PID 1324 wrote to memory of 988	1324	file.exe	30
PID 988 wrote to memory of 1624	988	9Kju34.exe	32
PID 988 wrote to memory of 1624	988	9Kju34.exe	32
PID 988 wrote to memory of 1624	988	9Kju34.exe	32
PID 988 wrote to memory of 1624	988	9Kju34.exe	32
PID 988 wrote to memory of 1624	988	9Kju34.exe	32
PID 988 wrote to memory of 1624	988	9Kju34.exe	32
PID 988 wrote to memory of 1624	988	9Kju34.exe	32
PID 988 wrote to memory of 1624	988	9Kju34.exe	32
PID 988 wrote to memory of 1624	988	9Kju34.exe	32
PID 1324 wrote to memory of 1096	1324	file.exe	34
PID 1324 wrote to memory of 1096	1324	file.exe	34
PID 1324 wrote to memory of 1096	1324	file.exe	34
PID 1324 wrote to memory of 1096	1324	file.exe	34
PID 1096 wrote to memory of 2776	1096	J30lk3.exe	35
PID 1096 wrote to memory of 2776	1096	J30lk3.exe	35
PID 1096 wrote to memory of 2776	1096	J30lk3.exe	35
PID 1096 wrote to memory of 2776	1096	J30lk3.exe	35

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:888
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:1624
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe

Filesize
1.1MB

MD5
5dca37355d17cc9b26f2ad1e33ec8816

SHA1
0f96bdd95b576a472da317b34ba8831935ca4f97

SHA256
dec6fdeee703a428d77a1928e39abd558f5258bb29712781edc816650e3ac1c4

SHA512
cb3965333e3ad4c7c0a4190cccf5d1dda5cf1ad72c8e1abb8dd54eb99ee1603b45b4d9ebe7370f2380eb8aee42e9d09ed56f345da3eb25cd396df0cd91352bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe

Filesize
1.1MB

MD5
5dca37355d17cc9b26f2ad1e33ec8816

SHA1
0f96bdd95b576a472da317b34ba8831935ca4f97

SHA256
dec6fdeee703a428d77a1928e39abd558f5258bb29712781edc816650e3ac1c4

SHA512
cb3965333e3ad4c7c0a4190cccf5d1dda5cf1ad72c8e1abb8dd54eb99ee1603b45b4d9ebe7370f2380eb8aee42e9d09ed56f345da3eb25cd396df0cd91352bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe

Filesize
1.1MB

MD5
5dca37355d17cc9b26f2ad1e33ec8816

SHA1
0f96bdd95b576a472da317b34ba8831935ca4f97

SHA256
dec6fdeee703a428d77a1928e39abd558f5258bb29712781edc816650e3ac1c4

SHA512
cb3965333e3ad4c7c0a4190cccf5d1dda5cf1ad72c8e1abb8dd54eb99ee1603b45b4d9ebe7370f2380eb8aee42e9d09ed56f345da3eb25cd396df0cd91352bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
744.1MB

MD5
0a2304b334994bc9a124d24247c3cf35

SHA1
86619a05faff0c37efef3673e6c537b9377a326a

SHA256
cae2ec8957e098576668316e931b927109003b57f0ac3bfb4a44e765ef268d79

SHA512
8b9ad1c6098c5a102c88b30baa8d57cd6b2f3bc4b320fbafae2837e56b5c1af608a7ac27708b8f234fcb3aade9c023f6ca0966c72f015bb01a109782190ab0e4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe

Filesize
1.1MB

MD5
5dca37355d17cc9b26f2ad1e33ec8816

SHA1
0f96bdd95b576a472da317b34ba8831935ca4f97

SHA256
dec6fdeee703a428d77a1928e39abd558f5258bb29712781edc816650e3ac1c4

SHA512
cb3965333e3ad4c7c0a4190cccf5d1dda5cf1ad72c8e1abb8dd54eb99ee1603b45b4d9ebe7370f2380eb8aee42e9d09ed56f345da3eb25cd396df0cd91352bc4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe

Filesize
1.1MB

MD5
5dca37355d17cc9b26f2ad1e33ec8816

SHA1
0f96bdd95b576a472da317b34ba8831935ca4f97

SHA256
dec6fdeee703a428d77a1928e39abd558f5258bb29712781edc816650e3ac1c4

SHA512
cb3965333e3ad4c7c0a4190cccf5d1dda5cf1ad72c8e1abb8dd54eb99ee1603b45b4d9ebe7370f2380eb8aee42e9d09ed56f345da3eb25cd396df0cd91352bc4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe

Filesize
1.1MB

MD5
5dca37355d17cc9b26f2ad1e33ec8816

SHA1
0f96bdd95b576a472da317b34ba8831935ca4f97

SHA256
dec6fdeee703a428d77a1928e39abd558f5258bb29712781edc816650e3ac1c4

SHA512
cb3965333e3ad4c7c0a4190cccf5d1dda5cf1ad72c8e1abb8dd54eb99ee1603b45b4d9ebe7370f2380eb8aee42e9d09ed56f345da3eb25cd396df0cd91352bc4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
744.1MB

MD5
0a2304b334994bc9a124d24247c3cf35

SHA1
86619a05faff0c37efef3673e6c537b9377a326a

SHA256
cae2ec8957e098576668316e931b927109003b57f0ac3bfb4a44e765ef268d79

SHA512
8b9ad1c6098c5a102c88b30baa8d57cd6b2f3bc4b320fbafae2837e56b5c1af608a7ac27708b8f234fcb3aade9c023f6ca0966c72f015bb01a109782190ab0e4

Download Submit
memory/888-77-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/888-211-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/888-613-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/888-85-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/888-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/888-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/888-84-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/888-396-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1624-134-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1624-141-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1624-138-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1624-139-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1624-121-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-104-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1624-103-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads