Overview

overview

10

Static

static

3

conhost.exe

windows7-x64

10

conhost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2023 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    conhost.exe

  • Size

    4.0MB

  • MD5

    feccda803ece2e7a3b7e9798714ad47e

  • SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

  • SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

  • SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

  • SSDEEP

    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1676

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    705.4MB

    MD5

    c802cd2baebd07ac1b28ad5bd317a32c

    SHA1

    eba5d2fab1746cfa5eeb49720887336f0a8dc6a8

    SHA256

    6eb6d03dd9170ab1bf0ea21ed7d5382dba982e967ff7873bd8cb71a5e43167b3

    SHA512

    100264573e68ec2580f4426683b85f9307564f527cec3d4ac0b90831db2ff700c2cd918118d78602aef9d4ce5b696fb567c7294e8fe20defef6c0c21a36f7fe3

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    694.8MB

    MD5

    c557b6ae700143441648b713c3c770e1

    SHA1

    ccbcb0f7a15c94fdf104ef3eaf09453010e8efbc

    SHA256

    024f1ddd9913f0c30a7196d3ee98d2844da3816655fe75c7b0a9f5022097f363

    SHA512

    9e8ffd2049c302fedcce8b88598c529ec1611cc803d292e011fed4fe4363239492dd60fb8c1a7d6a3222b6bc0425c65e780bf8eb3cc5274e706cd37fa27a79a4

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    683.7MB

    MD5

    d1ea92a4fd901cbaf8ed5f20d75ffe49

    SHA1

    fe544c16f67b7515e6cd38a5893bf7275e71e2e2

    SHA256

    56666ca4704c550e6f764bf97e146539a816028f719fa3d4a8e04f794e2b3843

    SHA512

    26e28f66d41979d6dc6e266e62a7ca0bad4e882df0f1d311caa57ce4935c8dfd89733861f8267088b4f56ac38fbea3be605adfa7890ffecd67b6f3f14198980b

    Download Submit