Resubmissions

30-12-2024 11:02

241230-m5lm1sxpcw 7

04-05-2023 23:00

230504-2zcv9ahd71 10

Analysis

  • max time kernel
    134s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-05-2023 23:00

General

  • Target

    vadwax.exe

  • Size

    1205.9MB

  • MD5

    2bdd63a7fd97796129b56bd964c8af83

  • SHA1

    5ea8f5f06cb702b4e8d205cc08b860ffd2239c87

  • SHA256

    f91d9de259052595946250a1440a2457dbda9ee8aec8add24419ff939f13e003

  • SHA512

    f0383898783a2194e5a91de0d923a924787c40aa29f0095ef20bdef9e80ad515b7493edd1f5335b8c52e9b68469165103f92d6095a97a2e36a16f4b310582a7f

  • SSDEEP

    196608:HW36QOxQ8JEgOpcqGs4anqH4mJsMQOgKmEiTBh:S63Q8JExpIGnqYxMNmEiTf

Malware Config

Extracted

Family

laplas

C2

http://85.192.40.252

Attributes
  • api_key

    a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

  • Laplas Clipper

    Laplas is a clipper: it watches the clipboard for cryptocurrency wallet addresses and swaps them for attacker-controlled ones. Three variants exist, written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vadwax.exe
    "C:\Users\Admin\AppData\Local\Temp\vadwax.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4632

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    553.4MB

    MD5

    bc20369eec0916f2d986d412956edd85

    SHA1

    e0ef5ffd85e37bbda5ac79d21d75f444991acc02

    SHA256

    e769a5d76b8c02c39cc4c5cc5014ba8348c7f8595cc7baa65ea2ffbcc33e0722

    SHA512

    0ef7ae063d9d60ad0e06f517862b02bc48452c6aa9e6a958c66081a84c7c43903086377d2f5974cd9dce133b79bfad4bfa3541a153c22f604ca82daa227b9b40

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    610.4MB

    MD5

    29cb9c09c0244557c56ab06e0fd7fbe0

    SHA1

    1d1518d6f7c0b6b420d1fd266ee11ba831c5b9aa

    SHA256

    55753d34d714f6203e674b970a00163312ec253e28d762c6f987c3b13e525d58

    SHA512

    8b7f3ee391a24c54e83e86d42e856d233d456f217026c9b533b44991cbc6bd91b3cb01c8df24f48dfacca9d7d7cb1b613deb8d9e94fc68c362261a11bbc7c10a

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    635.3MB

    MD5

    ca507bd7c5febe2ec8407867530e6b73

    SHA1

    976e354d64916187b9802ec12e8a309e601ea428

    SHA256

    565dbd61e8b33e669e2c68f08d5367a8a7ec52624b3c6793a7942d5d0eedda9a

    SHA512

    4adb08ae2607b1fb2004e0c274864d9740717551ae0a7904baa589beb47e1e61b829ec709a09f5fa209d057a03ef86961d9ccee5950996d6c790d9be1e917a1e

  • memory/2232-133-0x0000000000F30000-0x0000000000F31000-memory.dmp

    Filesize

    4KB

  • memory/2232-134-0x0000000000400000-0x0000000000D00000-memory.dmp

    Filesize

    9.0MB

  • memory/4632-145-0x0000000000E50000-0x0000000000E51000-memory.dmp

    Filesize

    4KB

  • memory/4632-146-0x0000000000400000-0x0000000000D00000-memory.dmp

    Filesize

    9.0MB
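The process tree and the dropped-file records above give a defender the observables to act on. Two things stand out. First, the same drop path, C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe, was written three times with three different sizes (553.4MB, 610.4MB, 635.3MB) and three different hashes, so the dropped file's hash is not a stable indicator; the path, the Run-key persistence and the C2 address are. Second, the mapped image at 0x400000-0xD00000 is only 9.0MB while the file on disk is 1205.9MB, which is consistent with junk padding appended to push the sample past size-limited scanners. The matcher below is an added example, not part of the sandbox report or of the Laplas family's own code: it encodes the report's hashes, drop path, Run-key persistence and C2 address as rules and runs them over constructed Sysmon-style event lines. The key=value event format, the Run value name "telemetry", the user SID, the placeholder hashes and the benign notepad.exe line are assumptions made for the example, and the Run key's target is assumed to be the drop path, which the report does not state explicitly.

```python
"""Laplas IOC matcher over constructed Sysmon-style events.

Added example, not part of the sandbox report. Observables (hashes, drop path,
C2 address, PIDs) are copied from the report; the log format and the sample
events are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# --- Observables taken from the report -------------------------------------
PARENT_SHA256 = "f91d9de259052595946250a1440a2457dbda9ee8aec8add24419ff939f13e003"
# Three drops of one path, three different hashes: a hash-only rule for the
# dropped file misses the next run, so the path and behaviour rules carry
# the weight.
DROP_SHA256 = {
    "e769a5d76b8c02c39cc4c5cc5014ba8348c7f8595cc7baa65ea2ffbcc33e0722",
    "55753d34d714f6203e674b970a00163312ec253e28d762c6f987c3b13e525d58",
    "565dbd61e8b33e669e2c68f08d5367a8a7ec52624b3c6793a7942d5d0eedda9a",
}
KNOWN_SHA256 = {PARENT_SHA256} | DROP_SHA256
C2_HOST = "85.192.40.252"

# Report path: C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe,
# generalised to any drive letter and user name.
DROP_PATH_RE = re.compile(
    r"(?i)^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\telemetry\\svcservice\.exe$"
)
RUN_KEY_RE = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run\\")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value Key=Value' line (assumed format; values have no spaces)."""
    return dict(FIELD_RE.findall(line))


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every Laplas indicator the event satisfies."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == "1":  # process creation
        for h in ev.get("Hashes", "").split(","):
            if h.upper().startswith("SHA256=") and h[7:].lower() in KNOWN_SHA256:
                hits.append("known_laplas_sha256")
        if DROP_PATH_RE.match(ev.get("Image", "")):
            hits.append("laplas_drop_path_executed")
    elif eid == "11":  # file creation
        if DROP_PATH_RE.match(ev.get("TargetFilename", "")):
            hits.append("laplas_drop_path_written")
    elif eid == "13":  # registry value set
        if RUN_KEY_RE.search(ev.get("TargetObject", "")) and DROP_PATH_RE.match(
            ev.get("Details", "")
        ):
            hits.append("run_key_to_laplas_drop_path")
    elif eid == "3":  # network connection
        if ev.get("DestinationIp") == C2_HOST:
            hits.append("laplas_c2_contact")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every line through the matcher; returns (EventID, indicator) pairs."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        for hit in match_event(ev):
            out.append((ev["EventID"], hit))
    return out


# Constructed events mirroring the report's process tree. The Run value name
# "telemetry", the SID, the all-zero/all-one hashes and the notepad line are
# made up; the all-zero hash stands in for a freshly re-padded drop whose
# hash is not on any list.
SAMPLE_LOG = [
    "EventID=1 ProcessId=2232 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\vadwax.exe "
    "Hashes=SHA256=" + PARENT_SHA256,
    "EventID=11 ProcessId=2232 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\vadwax.exe "
    "TargetFilename=C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe",
    "EventID=13 ProcessId=2232 EventType=SetValue "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\telemetry "
    "Details=C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe",
    "EventID=1 ProcessId=4632 ParentProcessId=2232 "
    "Image=C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe "
    "Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    "EventID=3 ProcessId=4632 Image=C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe "
    "DestinationIp=85.192.40.252 DestinationPort=80",
    "EventID=1 ProcessId=5120 Image=C:\\Windows\\System32\\notepad.exe "
    "Hashes=SHA256=1111111111111111111111111111111111111111111111111111111111111111",
]

if __name__ == "__main__":
    for eid, hit in scan(SAMPLE_LOG):
        print(eid, hit)
```

The fourth event is the point of the exercise: its hash is on no list, yet it still fires on the drop path, and the Run-key and C2 rules fire regardless of which padded copy ran. Hash rules should stay for the parent sample, which is the one file whose hash the report gives once.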