laplas | 69f24003a768ac6451b4bac285475486d27c39723f474e3b8a19c61ceb732838

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f0e8a9d61be8b596b4be752965295ad.exe
Size

1.1MB
MD5

3f0e8a9d61be8b596b4be752965295ad
SHA1

23399af014c60bcd53af9591a6bb80bc09772139
SHA256

69f24003a768ac6451b4bac285475486d27c39723f474e3b8a19c61ceb732838
SHA512

340137d0b76a523dc680847f656048f02545a306d5fac927fd53bfe41e07ab0fea893a821e45344e2ade31d078ec6cd1cff4a6398e09321037973df703fcd8e7
SSDEEP

6144:Tuo1XQlPoSlw4524UcL/LHh5Z8Z0AOkGZKWklMdGwuss4tjS0G+zLT1YS:TXX4flh524UOyKKWklMdGOtjasBY

Score

10^/10

laplas redline systembc 1 clipper infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

95.216.249.153:81

Attributes

auth_value
a290efd4796d37556cc5af7e83c91346

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

systembc

5.42.95.122:4308

194.87.111.29:4308

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

LengthLong64.exeLengthLong32.exeLengthLong32x.exentlhost.exe

pid process

4396 LengthLong64.exe
4112 LengthLong32.exe
5012 LengthLong32x.exe
6972 ntlhost.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4396	LengthLong64.exe
4112	LengthLong32.exe
5012	LengthLong32x.exe
6972	ntlhost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exeLengthLong32x.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'\""	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	LengthLong32x.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

3f0e8a9d61be8b596b4be752965295ad.exeLengthLong32.exeLengthLong64.exe

description	pid	process	target process
PID 5068 set thread context of 4276	5068	3f0e8a9d61be8b596b4be752965295ad.exe	RegSvcs.exe
PID 4112 set thread context of 4868	4112	LengthLong32.exe	RegSvcs.exe
PID 4396 set thread context of 936	4396	LengthLong64.exe	RegSvcs.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
116	5068	WerFault.exe	3f0e8a9d61be8b596b4be752965295ad.exe
4448	4112	WerFault.exe	LengthLong32.exe
3036	4396	WerFault.exe	LengthLong64.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 60 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

4276 RegSvcs.exe
4276 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4276 RegSvcs.exe

description	flow	ioc
HTTP User-Agent header	60	Go-http-client/1.1

pid	process
4276	RegSvcs.exe
4276	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4276	RegSvcs.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

3f0e8a9d61be8b596b4be752965295ad.exeRegSvcs.exeLengthLong32.exeLengthLong64.exeLengthLong32x.exe

description	pid	process	target process
PID 5068 wrote to memory of 4276	5068	3f0e8a9d61be8b596b4be752965295ad.exe	RegSvcs.exe
PID 5068 wrote to memory of 4276	5068	3f0e8a9d61be8b596b4be752965295ad.exe	RegSvcs.exe
PID 5068 wrote to memory of 4276	5068	3f0e8a9d61be8b596b4be752965295ad.exe	RegSvcs.exe
PID 5068 wrote to memory of 4276	5068	3f0e8a9d61be8b596b4be752965295ad.exe	RegSvcs.exe
PID 5068 wrote to memory of 4276	5068	3f0e8a9d61be8b596b4be752965295ad.exe	RegSvcs.exe
PID 4276 wrote to memory of 4396	4276	RegSvcs.exe	LengthLong64.exe
PID 4276 wrote to memory of 4396	4276	RegSvcs.exe	LengthLong64.exe
PID 4276 wrote to memory of 4396	4276	RegSvcs.exe	LengthLong64.exe
PID 4276 wrote to memory of 4112	4276	RegSvcs.exe	LengthLong32.exe
PID 4276 wrote to memory of 4112	4276	RegSvcs.exe	LengthLong32.exe
PID 4276 wrote to memory of 4112	4276	RegSvcs.exe	LengthLong32.exe
PID 4276 wrote to memory of 5012	4276	RegSvcs.exe	LengthLong32x.exe
PID 4276 wrote to memory of 5012	4276	RegSvcs.exe	LengthLong32x.exe
PID 4276 wrote to memory of 5012	4276	RegSvcs.exe	LengthLong32x.exe
PID 4112 wrote to memory of 4868	4112	LengthLong32.exe	RegSvcs.exe
PID 4112 wrote to memory of 4868	4112	LengthLong32.exe	RegSvcs.exe
PID 4112 wrote to memory of 4868	4112	LengthLong32.exe	RegSvcs.exe
PID 4112 wrote to memory of 4868	4112	LengthLong32.exe	RegSvcs.exe
PID 4112 wrote to memory of 4868	4112	LengthLong32.exe	RegSvcs.exe
PID 4396 wrote to memory of 936	4396	LengthLong64.exe	RegSvcs.exe
PID 4396 wrote to memory of 936	4396	LengthLong64.exe	RegSvcs.exe
PID 4396 wrote to memory of 936	4396	LengthLong64.exe	RegSvcs.exe
PID 4396 wrote to memory of 936	4396	LengthLong64.exe	RegSvcs.exe
PID 4396 wrote to memory of 936	4396	LengthLong64.exe	RegSvcs.exe
PID 5012 wrote to memory of 6972	5012	LengthLong32x.exe	ntlhost.exe
PID 5012 wrote to memory of 6972	5012	LengthLong32x.exe	ntlhost.exe
PID 5012 wrote to memory of 6972	5012	LengthLong32x.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\3f0e8a9d61be8b596b4be752965295ad.exe
"C:\Users\Admin\AppData\Local\Temp\3f0e8a9d61be8b596b4be752965295ad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe
"C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 240
4⤵
- Program crash
PID:3036

C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe
"C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Adds Run key to start application
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 240
4⤵
- Program crash
PID:4448

C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe
"C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
4⤵
- Executes dropped EXE
PID:6972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 252
2⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5068 -ip 5068
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4112 -ip 4112
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4396 -ip 4396
1⤵
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe
Filesize
923KB

MD5
0c0827b80b8450ed442d0a5afbc1324c

SHA1
f212fc466d539f1b327e0f23269c4d2818e9bbfb

SHA256
96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a

SHA512
75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe
Filesize
923KB

MD5
0c0827b80b8450ed442d0a5afbc1324c

SHA1
f212fc466d539f1b327e0f23269c4d2818e9bbfb

SHA256
96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a

SHA512
75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32.exe
Filesize
923KB

MD5
0c0827b80b8450ed442d0a5afbc1324c

SHA1
f212fc466d539f1b327e0f23269c4d2818e9bbfb

SHA256
96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a

SHA512
75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe
Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe
Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong32x.exe
Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe
Filesize
3.4MB

MD5
ac27f58d41c18197d3eb0242610c6dbf

SHA1
505ed23652ea471cf1315f6eda6bd5729b87025e

SHA256
8af2872503e066bcf59ef6cfe86d77a54382420e9e731f8674103b7f414c9b84

SHA512
1386bf095925f7d37f125bc4ec1bd89f11b75ff87d49e42a7729aabf6f75bdbb380c687530330e92545434493ac34d1cb38da78b117765a35d1f1f0a10d50380

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe
Filesize
3.4MB

MD5
ac27f58d41c18197d3eb0242610c6dbf

SHA1
505ed23652ea471cf1315f6eda6bd5729b87025e

SHA256
8af2872503e066bcf59ef6cfe86d77a54382420e9e731f8674103b7f414c9b84

SHA512
1386bf095925f7d37f125bc4ec1bd89f11b75ff87d49e42a7729aabf6f75bdbb380c687530330e92545434493ac34d1cb38da78b117765a35d1f1f0a10d50380

Download Submit
C:\Users\Admin\AppData\Local\Temp\LengthLong64.exe
Filesize
3.4MB

MD5
ac27f58d41c18197d3eb0242610c6dbf

SHA1
505ed23652ea471cf1315f6eda6bd5729b87025e

SHA256
8af2872503e066bcf59ef6cfe86d77a54382420e9e731f8674103b7f414c9b84

SHA512
1386bf095925f7d37f125bc4ec1bd89f11b75ff87d49e42a7729aabf6f75bdbb380c687530330e92545434493ac34d1cb38da78b117765a35d1f1f0a10d50380

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
273.5MB

MD5
16ae3a0042157a35327770ee2bb49d19

SHA1
c132bd1382cb338d8df650fba3a7530e906d5451

SHA256
f88e332dec9e199bffa2634cd1620b90840005ff23a8a848e5936ac13d280426

SHA512
8d82dc668b2f86e1c9abac9cd4be9c51ab691b88961012cb0edb517e358ff377ecd3215730e3087d5915782de57a31eb0d8f297da8e8296828c1c980262da0c2

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
272.1MB

MD5
b920c1fd201eb0939ff4956d41c9c334

SHA1
1afa405194f69b876588dae586d8c3070c4dfb5f

SHA256
403f205dfe65a05ab8347c15479163ffac39f47b0fcdfe657860209d62f75689

SHA512
7c999c40e0c8c0ce32c26fb693a962693f4ab8cad6a0ece529883924f2c9cac7fe195f0ab5c1448add15805eb05f6516b1c7b0a52bb8d3924fc321b280b9261b

Download Submit
memory/936-205-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/936-203-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/936-184-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/936-204-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/936-207-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4276-145-0x00000000067B0000-0x0000000006D54000-memory.dmp

Filesize
5.6MB

Download
memory/4276-141-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

Filesize
240KB

Download
memory/4276-149-0x00000000065C0000-0x0000000006610000-memory.dmp

Filesize
320KB

Download
memory/4276-148-0x0000000008750000-0x0000000008C7C000-memory.dmp

Filesize
5.2MB

Download
memory/4276-147-0x0000000008050000-0x0000000008212000-memory.dmp

Filesize
1.8MB

Download
memory/4276-146-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/4276-133-0x0000000000570000-0x00000000005A0000-memory.dmp

Filesize
192KB

Download
memory/4276-138-0x00000000052F0000-0x0000000005908000-memory.dmp

Filesize
6.1MB

Download
memory/4276-139-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

Filesize
1.0MB

Download
memory/4276-140-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/4276-144-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/4276-143-0x0000000004FB0000-0x0000000005026000-memory.dmp

Filesize
472KB

Download
memory/4276-142-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4276-150-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4868-183-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4868-182-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4868-176-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download