Overview

overview

10

Static

static

3

conhost.exe

windows7-x64

10

conhost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    48s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    11-05-2023 18:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    conhost.exe

  • Size

    4.0MB

  • MD5

    feccda803ece2e7a3b7e9798714ad47e

  • SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

  • SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

  • SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

  • SSDEEP

    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    744.1MB

    MD5

    101e217b6491d7cf83fdf3b7c109c1e5

    SHA1

    6e5b55fb9b6e03027b6291fcd1539354a6510bf3

    SHA256

    8ae657e3c41f46effbb0fef68d577ed79251a7f1eeb21755ce862489cc90375d

    SHA512

    31f60a707e0375eef977086d14a94b4096d56d34818bdbaca1d8ca8d3776aca1981dcf9b6bcc65490e3b824e391f82de8c744cc8c10bcb18065be3e4d79fac50

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    515.3MB

    MD5

    a79baa91e29cb7d858dc0f62cbd9e045

    SHA1

    8c91f1818fcaae977e97646656f6693b329af675

    SHA256

    90d7097d8c0f818538d306baf9038239defa0bf75ceb671e4f1ffbf5762526ca

    SHA512

    2a54ba342ceffcfcf0420aa92cade73db62b7ce3042b56facd02499674f4277353ea7cc3bca37588c47185f4f9c3d10091cce7256979aa89dea3301f69c51ae0

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    529.8MB

    MD5

    ba761d7ebbec8c002d1a2edb5c5f178b

    SHA1

    a5097decc1fbc2fffc3be0e9cb8e59113860c253

    SHA256

    29668772d61e88627e641308c49739231211f6a998347b0c352ffaa9a73bd66c

    SHA512

    68f2056317037cf74ba99fe0bf966ea70aef0439454bd09dc52bc88ab6bef8cf19405a6a23bed44cdd59f94a6f9c744176c73e8ff5a80fc5d2357ca826c7b814

    Download Submit