Overview

overview

10

Static

static

3

30f6c0d325...0b.exe

windows7-x64

10

30f6c0d325...0b.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2023 21:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30f6c0d325722cd1df1b9f20bbf577e60d0aac2d27b64022964ec6da23455d0b.exe

  • Size

    3.2MB

  • MD5

    fb265a033f73e76e65b986aeb244bdc1

  • SHA1

    572ac5b5c2add735b8e48ffa3cfa9fe8013db02f

  • SHA256

    30f6c0d325722cd1df1b9f20bbf577e60d0aac2d27b64022964ec6da23455d0b

  • SHA512

    efc43cab937df492a9f1ec415b1196f82115a34e39ff575224184bf684ab2106b9590824d81bd2280d65adcd7eb79bbc51990fadfa1bbab7212709db415f851f

  • SSDEEP

    98304:B2tkY/QxN4xrAENowY5obMTPzL1/VCpxr5GPdA2uxRoF:kt//yaOooTPXtVCz8Pd1uxC

Score
10/10
laplasclipperevasionpersistencestealertrojan

Malware Config

Extracted

Family

laplas

C2

http://185.209.161.89

Attributes
  • api_key

    6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30f6c0d325722cd1df1b9f20bbf577e60d0aac2d27b64022964ec6da23455d0b.exe
    "C:\Users\Admin\AppData\Local\Temp\30f6c0d325722cd1df1b9f20bbf577e60d0aac2d27b64022964ec6da23455d0b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1176

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    764.9MB

    MD5

    e172794f49d2b6b319c12439b384ace5

    SHA1

    4f3f36265eb71adec366907060367dd86f625327

    SHA256

    b58f05c7a63be0ea5826a05a512327dd95d0bae6d5991cde8c66100b61af82ff

    SHA512

    6473aa522eec4a9265a17e891de903195234371467cb453eeaf1794fb188134e04afb187b824bed9cbe40c90d36b9bdcf72dc6e267d3a17c6f78e98d55e95a01

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    776.2MB

    MD5

    15a874d2c685a2ffe871187bfc5f88ff

    SHA1

    d6733cf7c1e43b0d3173d8548c58013e54177c89

    SHA256

    baa7fdb5114a5d349bb8656bfe4493c6bda34fafcf96c8d94274f29f71f12538

    SHA512

    bc96996456e1a06e33cb732800ab8c8f08b0c278f545d821ee574272ef68fd18e15c8e10571136a1ea726f9720c3f12e00d4986752d002caeaa879a4c9e1fd98

    Download Submit

  • memory/1176-81-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-68-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-71-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-72-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-87-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-86-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-85-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-84-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-73-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-78-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-70-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-69-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-82-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-88-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-83-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-74-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-75-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-76-0x00000000010F0000-0x0000000001A0A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1984-55-0x0000000000E10000-0x000000000172A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1984-54-0x0000000000E10000-0x000000000172A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1984-58-0x0000000000E10000-0x000000000172A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1984-67-0x0000000000E10000-0x000000000172A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1984-57-0x0000000000E10000-0x000000000172A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1984-56-0x0000000000E10000-0x000000000172A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1984-61-0x0000000000E10000-0x000000000172A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1984-60-0x0000000000E10000-0x000000000172A000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1984-59-0x0000000000E10000-0x000000000172A000-memory.dmp

    Filesize

    9.1MB

    Download