Overview

overview

10

Static

static

3

conhost.exe

windows7-x64

10

conhost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2023 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    conhost.exe

  • Size

    4.0MB

  • MD5

    feccda803ece2e7a3b7e9798714ad47e

  • SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

  • SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

  • SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

  • SSDEEP

    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1996

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    697.8MB

    MD5

    f3fddb049dcfe8ecd6aee9e4cbadfeac

    SHA1

    aca878d0641735f572c445f1217e12446ce36c7e

    SHA256

    67ee318deeebdd97bdaedc19bf8fc8bba91c7fe903e2233bc876ac1b4e34aa8b

    SHA512

    1f4d71a0c58023b03ef5a19c843c30b75eec62bffbdbd5374f24efa6cdab37e635939f4c0b1b0fc4cb1318d9aaa9cf0831cdb365a0f192e8af71067d32abb2b5

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    699.6MB

    MD5

    50b098928a20c952b0071a525cbf9a54

    SHA1

    bf83150abf323a6bd5a026cb85f4eeaeb02b93af

    SHA256

    de4f3115ca927908af4a10579abb41e8da26bf65843f926501a8d03ddb2dfa91

    SHA512

    a8f8c92c9b076a7e88dff762cb86867cef78027e9d77ecee71be94c1d01da1337646c74c0f0168103add201f7fd8d09aebd1a463db26bc720396723f5b033b91

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    661.1MB

    MD5

    3af905c6eb7ce7f9033079d6b185ab20

    SHA1

    f965a7859137e561e8cd900576751b604b06c42f

    SHA256

    d4927adc3d481f0768f763a2ad990e4fd8fb77f1fa7702ebaf10702cd6e80805

    SHA512

    885ceea9d38ec1944a249b69147bfe1331ca178fc87d2307412d0725095c0ef484e847241a59c25923264773b8a5c617635041310ef4801646acb58c3b97c3a0

    Download Submit