Overview

overview

10

Static

static

3

conhost.exe

windows7-x64

10

conhost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2023 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    conhost.exe

  • Size

    4.0MB

  • MD5

    feccda803ece2e7a3b7e9798714ad47e

  • SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

  • SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

  • SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

  • SSDEEP

    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    814.0MB

    MD5

    a04315c9980fd1ac313141efa5b30863

    SHA1

    97bdf15e22ed50b4b23e71c6eb1b5b1829ea759c

    SHA256

    f3da4ab3c1ab6b5939cded5e14118513d19b37c3a50e6c2bd5dd8740300aa68c

    SHA512

    283a628cdbea1de6d7c7cb1798f1e994cf4ec39acbcfcfcc28e8754df2476d4190e8d3c266a9dda65770f2fe45629bce34d8a7727dc18a3253e214c9619fcaaf

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    580.4MB

    MD5

    028acb49d759a9f9e0988fb3c1f964fd

    SHA1

    9817d14cc0c11049ad1f6fb3573e872eff17aaab

    SHA256

    f87689d9ccba183423f6034b198854979876bba577a56af7bd171dc601b0251c

    SHA512

    3cde5a537dcf3955f27cb1947195589880625f8aa964833c6046502657c637db3b54772041567574905b71c066f7493a1760ad8a5a908cfda6d28672f450ce87

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    593.2MB

    MD5

    334d747428fb81be9f1df93a86e02b72

    SHA1

    bb69357ab3f36206dbafeb1bb8e5941b1c8d9a99

    SHA256

    c5ad848f8f873186be5e77d98a6a38b14895fa9d8a4bbd9dd63bddc8166a3fb7

    SHA512

    5d3b4723b328c48c1e4b3796c4a0faaffcc8483bf5fc97cdbf5d76c082cb89e68e66e27f15cbcefcc07cf3f0d4c3c9b45d4283bdc1cb28c36d7d971065b58473

    Download Submit