Overview

overview

10

Static

static

10

0x00070000...65.exe

windows7-x64

10

0x00070000...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    07-06-2023 09:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x000700000001398a-165.exe

  • Size

    3.8MB

  • MD5

    68be007bd3fa09d26fcee584a9157770

  • SHA1

    6f191c0587c8055f26367f25ce0f7787ca272714

  • SHA256

    71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

  • SHA512

    f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

  • SSDEEP

    49152:VeCseICR7NWm8qpHakXvLQh0/50OicF5pDRXxRv0VF14L:VeCrXv0W/tpDRX5L

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000700000001398a-165.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000700000001398a-165.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:324

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    393.8MB

    MD5

    e1a34feca00de486fe76f78802b23b47

    SHA1

    fe848a3e2ffd36b5e30c29bbf487b1f59a74c1c1

    SHA256

    27f504c440ab0a4153b76c4dd6442f5e22fc0e6dd1cd91aa501c2673de5273ae

    SHA512

    1d5f4f0c4996358492ac24fce34baee61f20d1674c6dfa351326c026deff08d5059df913fc89ababccc9620791222d382b9d946d4b20a079bf8540530665c465

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    540.6MB

    MD5

    bc5b8a48954a9f9700415fcdad0c02d3

    SHA1

    79083b19b5a8320968a24887a0d04853d27f12df

    SHA256

    08f8c3bca14632c4ec587729ba4eb688cbfbde746440852ecbb0135aa57c48f4

    SHA512

    8b98b1745e1061c584410aa320d8f576ddc76eb108fa2ad28710602ba1553abf954dce87141dad5db839c0f760a0bd2ec071d8a9ec19361cfcfc0aa119620f68

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    362.8MB

    MD5

    44deba0fabfa0f97e653811d634037be

    SHA1

    e65ab7c8b00f2cb92cf5f84882c998f018aa1356

    SHA256

    d20b92767131db665f1f060e8f5c0bf7958b8848bfa6945dd1d4b37619635a3f

    SHA512

    4d32db6a4501fd22ac0e0a2624d1170f840724af6eae3b31a7521cedf13f5eedd188c5b1eca8c93052ad704f61ea79cff86ac913c30a9e7ab2adc209908599ed

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    591.0MB

    MD5

    420189b44d9121d73539b4c1032f9296

    SHA1

    1177f6de6768a9b0bd9812f87089c755850b73a5

    SHA256

    e77f674bfdd0778c5b3d8633db493f68cc540872b300db68e4ece6cbae701622

    SHA512

    64bf969c292d6dc34505101c6eb6041e4d472aaa4fd7599d4ec1ea1193cd23e873c5f68e9dd700330638c26b57e866987ada46960481116955a5ec1203171ef0

    Download Submit