Overview

overview

10

Static

static

3

conhost.exe

windows7-x64

10

conhost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2023 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    conhost.exe

  • Size

    4.0MB

  • MD5

    feccda803ece2e7a3b7e9798714ad47e

  • SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

  • SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

  • SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

  • SSDEEP

    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1968

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    648.2MB

    MD5

    4d6bbe786c0a5789dd95410b4daf8cca

    SHA1

    2b2da89137f9b6d885d2200012b7ab72b2abacf3

    SHA256

    250d043236ad39957df6c5255ec2a031f1afc3f560260152925301ea9fa06155

    SHA512

    04111b898f592dfa895120b87caed2e8f59b4d9c4c789d0f619613281f22fdc227b173059011869cd92cd4688a8005a96e69c81d29a0a06a30056eb53861cf25

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    589.4MB

    MD5

    e1ff4caee6c80e4f74f6e329e51f8cc3

    SHA1

    061e3becb2af8617c07a8d909b54433cc1c88da6

    SHA256

    0a076b79676ccf1f5680c478a1e121b9b447f3f17b879f3436a3b29143306756

    SHA512

    42cf018653f654b4fc2a1efe1322a5776c5afff7941b02596de01b581cec5dcc53b937a1b9e6ccbf7fafe3fe967eb084cba2a76789b70f7f4794289c6f967592

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    618.8MB

    MD5

    55e0708e1ca71eca406dcf42d7487ec4

    SHA1

    89ccfbe349e0ae4d26fe405c78fa43410ef42065

    SHA256

    f28b1d740caaf71761c37b9ea975d1b88ae76391f41f66dc19ecf3a003c42903

    SHA512

    8d133ca5ff1715fc8dcfa894251399b3032259e02ae413904a8c59e952d1b1a2c5096ddf020c711ad470e75cf4d3ae3c98aa52154aad9c3360421d669526f551

    Download Submit