Overview

overview

10

Static

static

3

conhost.exe

windows7-x64

10

conhost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2023 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    conhost.exe

  • Size

    4.0MB

  • MD5

    feccda803ece2e7a3b7e9798714ad47e

  • SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

  • SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

  • SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

  • SSDEEP

    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:752

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    805.0MB

    MD5

    51a067b6cbe1d9d8f78bb60f8d37a468

    SHA1

    09e1e33d9eb627246ee21e793d0e0c1d1d24e076

    SHA256

    8b67da4465154813ecc2821aee5f04dbe8d8807dce1571d93b117e85a5cba4af

    SHA512

    55447999894672f42b40bad5fbeda569af4daf6836561af49d9173db987d2019480cd948b85478d6706d1c4d159b8f422a3943e95737867b2c8b65250b8faca4

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    717.6MB

    MD5

    88a4be7fca3c67e34f4c9f7ea444d23e

    SHA1

    188d6306a9a874bc993fcf587cec23a7284cf3aa

    SHA256

    23879e2a8f37f1a545f6211db6ab9da8959c9a9c5ec4ab351d01927e3ea0d251

    SHA512

    e7453b482326f2db47fdd4b754fb8f53da06e0cb281a9cf5a8d6194453d270bab972aeadf8514bc1056b7d99a63ac071185d6f5cf125dad797837354cd2dd698

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    698.8MB

    MD5

    084d0bb3263a3d44637975a9bb7a4260

    SHA1

    a0e94230c6ea46d81ed64890dd5681b7449ba798

    SHA256

    fe64ea6c7e8f5219975bf7969671f244de5a6591a3b5b890600d3e359b3d5629

    SHA512

    191f4c67dfde8181a4bf3522cd4cdbefbc7e4c7d44ab6c22d51175ff0ce0335802e3f1090d8bd8f1f1ad8a6bf969a76e1f28c6572f8e15fa67a5d00036916804

    Download Submit