laplas | 69f24003a768ac6451b4bac285475486d27c39723f474e3b8a19c61ceb732838

Analysis

max time kernel
145s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f0e8a9d61be8b596b4be752965295ad.exe
Size

1.1MB
MD5

3f0e8a9d61be8b596b4be752965295ad
SHA1

23399af014c60bcd53af9591a6bb80bc09772139
SHA256

69f24003a768ac6451b4bac285475486d27c39723f474e3b8a19c61ceb732838
SHA512

340137d0b76a523dc680847f656048f02545a306d5fac927fd53bfe41e07ab0fea893a821e45344e2ade31d078ec6cd1cff4a6398e09321037973df703fcd8e7
SSDEEP

6144:Tuo1XQlPoSlw4524UcL/LHh5Z8Z0AOkGZKWklMdGwuss4tjS0G+zLT1YS:TXX4flh524UOyKKWklMdGOtjasBY

Score

10^/10

laplas redline systembc 1 clipper infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

95.216.249.153:81

Attributes

auth_value
a290efd4796d37556cc5af7e83c91346

Extracted

Family

systembc

5.42.95.122:4308

194.87.111.29:4308

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1720	LengthLong64.exe
3496	LengthLong32.exe
3748	LengthLong32x.exe
6316	ntlhost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	LengthLong32x.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 324	2084	3f0e8a9d61be8b596b4be752965295ad.exe	84
PID 3496 set thread context of 4192	3496	LengthLong32.exe	98
PID 1720 set thread context of 3284	1720	LengthLong64.exe	103

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4620	2084	WerFault.exe	82
4804	3496	WerFault.exe	96
4424	1720	WerFault.exe	94

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	83	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
324	RegSvcs.exe
324	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	RegSvcs.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 324	2084	3f0e8a9d61be8b596b4be752965295ad.exe	84
PID 2084 wrote to memory of 324	2084	3f0e8a9d61be8b596b4be752965295ad.exe	84
PID 2084 wrote to memory of 324	2084	3f0e8a9d61be8b596b4be752965295ad.exe	84
PID 2084 wrote to memory of 324	2084	3f0e8a9d61be8b596b4be752965295ad.exe	84
PID 2084 wrote to memory of 324	2084	3f0e8a9d61be8b596b4be752965295ad.exe	84
PID 324 wrote to memory of 1720	324	RegSvcs.exe	94
PID 324 wrote to memory of 1720	324	RegSvcs.exe	94
PID 324 wrote to memory of 1720	324	RegSvcs.exe	94
PID 324 wrote to memory of 3496	324	RegSvcs.exe	96
PID 324 wrote to memory of 3496	324	RegSvcs.exe	96
PID 324 wrote to memory of 3496	324	RegSvcs.exe	96
PID 3496 wrote to memory of 4192	3496	LengthLong32.exe	98
PID 3496 wrote to memory of 4192	3496	LengthLong32.exe	98
PID 3496 wrote to memory of 4192	3496	LengthLong32.exe	98
PID 3496 wrote to memory of 4192	3496	LengthLong32.exe	98
PID 324 wrote to memory of 3748	324	RegSvcs.exe	99
PID 324 wrote to memory of 3748	324	RegSvcs.exe	99
PID 324 wrote to memory of 3748	324	RegSvcs.exe	99
PID 3496 wrote to memory of 4192	3496	LengthLong32.exe	98
PID 1720 wrote to memory of 3284	1720	LengthLong64.exe	103
PID 1720 wrote to memory of 3284	1720	LengthLong64.exe	103
PID 1720 wrote to memory of 3284	1720	LengthLong64.exe	103
PID 1720 wrote to memory of 3284	1720	LengthLong64.exe	103
PID 1720 wrote to memory of 3284	1720	LengthLong64.exe	103
PID 3748 wrote to memory of 6316	3748	LengthLong32x.exe	107
PID 3748 wrote to memory of 6316	3748	LengthLong32x.exe	107
PID 3748 wrote to memory of 6316	3748	LengthLong32x.exe	107

C:\Users\Admin\AppData\Local\Temp\3f0e8a9d61be8b596b4be752965295ad.exe
"C:\Users\Admin\AppData\Local\Temp\3f0e8a9d61be8b596b4be752965295ad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe
    "C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:3284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 252
      4⤵
      Program crash
      PID:4424
- - C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe
    "C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 252
      4⤵
      Program crash
      PID:4804
- - C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe
    "C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:6316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 140
  2⤵
  - Program crash
  PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2084 -ip 2084
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3496 -ip 3496
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1720 -ip 1720
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe

Filesize
923KB

MD5
0c0827b80b8450ed442d0a5afbc1324c

SHA1
f212fc466d539f1b327e0f23269c4d2818e9bbfb

SHA256
96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a

SHA512
75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe

Filesize
923KB

MD5
0c0827b80b8450ed442d0a5afbc1324c

SHA1
f212fc466d539f1b327e0f23269c4d2818e9bbfb

SHA256
96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a

SHA512
75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe

Filesize
923KB

MD5
0c0827b80b8450ed442d0a5afbc1324c

SHA1
f212fc466d539f1b327e0f23269c4d2818e9bbfb

SHA256
96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a

SHA512
75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe

Filesize
3.4MB

MD5
ac27f58d41c18197d3eb0242610c6dbf

SHA1
505ed23652ea471cf1315f6eda6bd5729b87025e

SHA256
8af2872503e066bcf59ef6cfe86d77a54382420e9e731f8674103b7f414c9b84

SHA512
1386bf095925f7d37f125bc4ec1bd89f11b75ff87d49e42a7729aabf6f75bdbb380c687530330e92545434493ac34d1cb38da78b117765a35d1f1f0a10d50380

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe

Filesize
3.4MB

MD5
ac27f58d41c18197d3eb0242610c6dbf

SHA1
505ed23652ea471cf1315f6eda6bd5729b87025e

SHA256
8af2872503e066bcf59ef6cfe86d77a54382420e9e731f8674103b7f414c9b84

SHA512
1386bf095925f7d37f125bc4ec1bd89f11b75ff87d49e42a7729aabf6f75bdbb380c687530330e92545434493ac34d1cb38da78b117765a35d1f1f0a10d50380

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe

Filesize
3.4MB

MD5
ac27f58d41c18197d3eb0242610c6dbf

SHA1
505ed23652ea471cf1315f6eda6bd5729b87025e

SHA256
8af2872503e066bcf59ef6cfe86d77a54382420e9e731f8674103b7f414c9b84

SHA512
1386bf095925f7d37f125bc4ec1bd89f11b75ff87d49e42a7729aabf6f75bdbb380c687530330e92545434493ac34d1cb38da78b117765a35d1f1f0a10d50380

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
242.2MB

MD5
77cfc44272a948756d499af5601c142d

SHA1
b1d39eb6dcd8a50a67dac17670822988bc352795

SHA256
fe4134aaea29a6378ed50c34fc1802758f3c9220e6f9185ee4de20777a0f0950

SHA512
67a01a3094bd01deee67c4c94675a5f787242cde698ab7b0f35dcad1e5f46c22be6cb27caec680576a86d2634fd911318bff4d5aef62942552a9200b458adef7

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
238.4MB

MD5
e977b149c175e0ae0d7eb36841c21f00

SHA1
dfa5e0880e6df74f497e5e66b3af3418e3d430fb

SHA256
8dbfbe0e34b2551946ef30ca736a68dc7e94355f3b0c9c563bed5585355f8786

SHA512
a1c98c82f0fbc64975dd973dfe1f080000d7303094dbc7d941b6fe01be05c197947a34cbbf113a7e93ff39de110a00854d6eda0b18423622e49be17e18556ef3

Download Submit
memory/324-145-0x000000000BEF0000-0x000000000C494000-memory.dmp

Filesize
5.6MB

Download
memory/324-141-0x000000000A590000-0x000000000A5CC000-memory.dmp

Filesize
240KB

Download
memory/324-150-0x000000000D580000-0x000000000DAAC000-memory.dmp

Filesize
5.2MB

Download
memory/324-148-0x000000000C670000-0x000000000C832000-memory.dmp

Filesize
1.8MB

Download
memory/324-147-0x000000000BE90000-0x000000000BEE0000-memory.dmp

Filesize
320KB

Download
memory/324-146-0x000000000B9F0000-0x000000000BA56000-memory.dmp

Filesize
408KB

Download
memory/324-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/324-144-0x000000000A9C0000-0x000000000AA52000-memory.dmp

Filesize
584KB

Download
memory/324-143-0x000000000A8A0000-0x000000000A916000-memory.dmp

Filesize
472KB

Download
memory/324-138-0x000000000AAE0000-0x000000000B0F8000-memory.dmp

Filesize
6.1MB

Download
memory/324-142-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/324-149-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/324-140-0x000000000A530000-0x000000000A542000-memory.dmp

Filesize
72KB

Download
memory/324-139-0x000000000A5F0000-0x000000000A6FA000-memory.dmp

Filesize
1.0MB

Download
memory/3284-184-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3284-203-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3284-204-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3284-205-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3284-207-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4192-183-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4192-181-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4192-170-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download