Overview

overview

10

Static

static

3

ecd7e82152...04.exe

windows7-x64

10

ecd7e82152...04.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    139s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01-05-2023 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecd7e821527f03f36285b47b459f63f8518f9dc96ec15eef8390c520bb8ba804.exe

  • Size

    3.8MB

  • MD5

    777c97f2898d88b9ac5eecc17d2a9bfb

  • SHA1

    753c0828aeac6f2c9ac0f9c64eec30248dac0e32

  • SHA256

    ecd7e821527f03f36285b47b459f63f8518f9dc96ec15eef8390c520bb8ba804

  • SHA512

    35f47a96b91f6eec58cae5cfc1cea36d2dc14b880635f63e891edb0676bd38569f98623c1ff3655eaadb1d7ffbf2cd9df1503c890876df928a552db4d671c02e

  • SSDEEP

    98304:UHCQqJ34uxaJl5to8lsk6Qe934SJwecdW9D:UHuraX5Osb6QsJJ

Score
10/10
laplasclipperevasionpersistencestealertrojan

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.33

Attributes
  • api_key

    d1a05de376c0be1daa56dfb2715c8a0c5df8a111b8b31decc886df1e48db7c9c

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecd7e821527f03f36285b47b459f63f8518f9dc96ec15eef8390c520bb8ba804.exe
    "C:\Users\Admin\AppData\Local\Temp\ecd7e821527f03f36285b47b459f63f8518f9dc96ec15eef8390c520bb8ba804.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:468

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    625.9MB

    MD5

    c31e207fa70eab58a579f73812191e13

    SHA1

    266fb361d9d9d3cf5ab42baf56d49fb17dc445a3

    SHA256

    853672a1e56c94c062c00462d85f2f25cfd9fe9991005a07917750d2472505a6

    SHA512

    37dbe1f1b29152e28878277c5b7be0d3457e53e24d6ca042b1eee1a4168bfad55b54362ab68e73314e43c222f5891c13c2bf038d5a29877e3a3318355b72d128

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    610.9MB

    MD5

    5173d6bc509653e166849cc5bf32632a

    SHA1

    beec935c4444d6080921e1c5eab22fd81ae99c6a

    SHA256

    632f0132d1b4225027d2d2536893eca092614166b9ac58125064aa5c05594395

    SHA512

    751a494cfbd443d9cd096666093f893bbef855c044315af3a5e32ea1969490830ac193b4ff9a40ab48c01aaea916906f2e566328fb2d03492af3d3223a1e7a43

    Download Submit

  • memory/468-80-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-85-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-72-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-74-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-89-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-88-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-87-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-86-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-73-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-78-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-84-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-69-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-70-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-71-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-83-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-90-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-79-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-75-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-76-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/468-77-0x0000000000F20000-0x00000000017F8000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-56-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-57-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-54-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-58-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-55-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-68-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-63-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-62-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-61-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-60-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/1480-59-0x0000000000160000-0x0000000000A38000-memory.dmp

    Filesize

    8.8MB

    Download