laplas | f2d67d7c5e9bf1f4b093ba63a7c4fddf26571b0d083e675646504da0e5a390c0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2023 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.6MB
MD5

595c641e1e7d089bba4704da751d8ca1
SHA1

0978659af6c1fd8e1e68cb01efca462e79c371cf
SHA256

f2d67d7c5e9bf1f4b093ba63a7c4fddf26571b0d083e675646504da0e5a390c0
SHA512

1e258a708806580ee3936ef6dfe09aa5516f389aa6159ceeea5263534c5c604cb88813b0073487715b39fe13b06c2c0a184aedd4c53880b065f3bfa259424aa8
SSDEEP

49152:IBJ1VMeFLH5Or9d+9QjaAPC70V1ev4iFu+krSd0PAZQZCQJLNAcEap:y/VMQDQ9KuvC7O1ev4iUW06/aL

Score

10^/10

laplas redline red clipper infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

RED

79.137.202.0:81

Attributes

auth_value
49e32ec54afd3f75dadad05dbf2e524f

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	J30lk3.exe

Executes dropped EXE 4 IoCs

pid	Process
696	KE39lK.exe
4420	9Kju34.exe
1848	J30lk3.exe
4164	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	J30lk3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 696 set thread context of 212	696	KE39lK.exe	86
PID 4420 set thread context of 4972	4420	9Kju34.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 696	1964	file.exe	83
PID 1964 wrote to memory of 696	1964	file.exe	83
PID 1964 wrote to memory of 696	1964	file.exe	83
PID 696 wrote to memory of 212	696	KE39lK.exe	86
PID 696 wrote to memory of 212	696	KE39lK.exe	86
PID 696 wrote to memory of 212	696	KE39lK.exe	86
PID 696 wrote to memory of 212	696	KE39lK.exe	86
PID 696 wrote to memory of 212	696	KE39lK.exe	86
PID 1964 wrote to memory of 4420	1964	file.exe	87
PID 1964 wrote to memory of 4420	1964	file.exe	87
PID 1964 wrote to memory of 4420	1964	file.exe	87
PID 4420 wrote to memory of 4988	4420	9Kju34.exe	89
PID 4420 wrote to memory of 4988	4420	9Kju34.exe	89
PID 4420 wrote to memory of 4988	4420	9Kju34.exe	89
PID 4420 wrote to memory of 5024	4420	9Kju34.exe	90
PID 4420 wrote to memory of 5024	4420	9Kju34.exe	90
PID 4420 wrote to memory of 5024	4420	9Kju34.exe	90
PID 4420 wrote to memory of 4972	4420	9Kju34.exe	91
PID 4420 wrote to memory of 4972	4420	9Kju34.exe	91
PID 4420 wrote to memory of 4972	4420	9Kju34.exe	91
PID 4420 wrote to memory of 4972	4420	9Kju34.exe	91
PID 4420 wrote to memory of 4972	4420	9Kju34.exe	91
PID 1964 wrote to memory of 1848	1964	file.exe	93
PID 1964 wrote to memory of 1848	1964	file.exe	93
PID 1964 wrote to memory of 1848	1964	file.exe	93
PID 1848 wrote to memory of 4164	1848	J30lk3.exe	94
PID 1848 wrote to memory of 4164	1848	J30lk3.exe	94
PID 1848 wrote to memory of 4164	1848	J30lk3.exe	94

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:212
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:4988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:5024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:4972
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:4164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\9Kju34.exe

Filesize
2.7MB

MD5
a05f745b7fccca50665333dee0a3a5a2

SHA1
4e4cc12775c34be07c8d648d12cc79c749f5570d

SHA256
227306699bf88efca33fb47f4af90c9e2bcc1988a893d77b398c220be18d7f8a

SHA512
2fced93b1c8acdf3847540d5e8c9f3ec30c51ec94464327d8d3107c16b26b551a5847e79f6392e4b0335c1727319314e8e70b528a332eac8dd633a760157e493

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe

Filesize
1.1MB

MD5
5dca37355d17cc9b26f2ad1e33ec8816

SHA1
0f96bdd95b576a472da317b34ba8831935ca4f97

SHA256
dec6fdeee703a428d77a1928e39abd558f5258bb29712781edc816650e3ac1c4

SHA512
cb3965333e3ad4c7c0a4190cccf5d1dda5cf1ad72c8e1abb8dd54eb99ee1603b45b4d9ebe7370f2380eb8aee42e9d09ed56f345da3eb25cd396df0cd91352bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe

Filesize
1.1MB

MD5
5dca37355d17cc9b26f2ad1e33ec8816

SHA1
0f96bdd95b576a472da317b34ba8831935ca4f97

SHA256
dec6fdeee703a428d77a1928e39abd558f5258bb29712781edc816650e3ac1c4

SHA512
cb3965333e3ad4c7c0a4190cccf5d1dda5cf1ad72c8e1abb8dd54eb99ee1603b45b4d9ebe7370f2380eb8aee42e9d09ed56f345da3eb25cd396df0cd91352bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\J30lk3.exe

Filesize
1.1MB

MD5
5dca37355d17cc9b26f2ad1e33ec8816

SHA1
0f96bdd95b576a472da317b34ba8831935ca4f97

SHA256
dec6fdeee703a428d77a1928e39abd558f5258bb29712781edc816650e3ac1c4

SHA512
cb3965333e3ad4c7c0a4190cccf5d1dda5cf1ad72c8e1abb8dd54eb99ee1603b45b4d9ebe7370f2380eb8aee42e9d09ed56f345da3eb25cd396df0cd91352bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KE39lK.exe

Filesize
351KB

MD5
cdaa43037deed9a3b8d6f0bcc16e6edb

SHA1
7c855aca612520ea5f0f3f1fb6f0d53f25a60f63

SHA256
767f8698ff420265a69a548c95bbe25f749c7367368ee92ce806ce4722806b5d

SHA512
a592d521f0cfb6b35ee5c872b0f5e452e3bfc037eeb8dcb4fff5b658c3a87a58732dc9f5b6f1546fa393e6313378d2120df942861cbdbbf4efb761afb5becb80

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
368.2MB

MD5
a5e8ef445b3327f8e60de35c343d9d17

SHA1
1d5f58f01110bc22fcd89048f8dfd03df11d1afb

SHA256
9f65756ea8b66270fd1aafba6cea5714f24177ff597eacf0bd27f35e82d43058

SHA512
6252a106194208af83fa7e916f77b90fb2ca7e035bfe392577fbd50e8393069ba87ef474232d9da6533a30d0b5c0cdd14bc5e5fb382525c316dd98334f9bf255

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
359.7MB

MD5
9b13b03b7580b908f94f8fe1efc41bcc

SHA1
f92362eeecbe9b43ff791dbcf7d47d633d7f7b0a

SHA256
46277c3ae9a9d9371a63c85e92a945c6351a700fe28c7570eac648c10c0926dc

SHA512
371390125e0efea75aacc5acc16e61e106c14015ec62aa010b6f7876d80a8888e7035c7e592b342290184105bf027dabae223e38f96a9fc05bb6d56d9a5f5b46

Download Submit
memory/212-189-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/212-193-0x0000000005660000-0x0000000005672000-memory.dmp

Filesize
72KB

Download
memory/212-183-0x0000000005CE0000-0x00000000062F8000-memory.dmp

Filesize
6.1MB

Download
memory/212-196-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/212-197-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/212-521-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/212-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4972-195-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4972-198-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4972-199-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4972-201-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4972-166-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads