Overview

overview

10

Static

static

10

0x00070000...65.exe

windows7-x64

10

0x00070000...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2023 09:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x000700000001398a-165.exe

  • Size

    3.8MB

  • MD5

    68be007bd3fa09d26fcee584a9157770

  • SHA1

    6f191c0587c8055f26367f25ce0f7787ca272714

  • SHA256

    71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

  • SHA512

    f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

  • SSDEEP

    49152:VeCseICR7NWm8qpHakXvLQh0/50OicF5pDRXxRv0VF14L:VeCrXv0W/tpDRX5L

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000700000001398a-165.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000700000001398a-165.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:4032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    715.8MB

    MD5

    d598a4430e419aa23716dfd0614da615

    SHA1

    dc9a184f784c219a1caf62b4a42dc6b235cb848f

    SHA256

    aaf31fbdf1114397f13e29aa628e850de4b5a72b08be8a1128b835ed1832d597

    SHA512

    6f6c6d73601e2e0da1e1ed24855703131e2ebab77b5e0699cb1d5183e77b5f34e52b2bce02e2188fb79f4ce92c24d3d19e868ba730baa8283f2d2ded4f5419b9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    715.8MB

    MD5

    d598a4430e419aa23716dfd0614da615

    SHA1

    dc9a184f784c219a1caf62b4a42dc6b235cb848f

    SHA256

    aaf31fbdf1114397f13e29aa628e850de4b5a72b08be8a1128b835ed1832d597

    SHA512

    6f6c6d73601e2e0da1e1ed24855703131e2ebab77b5e0699cb1d5183e77b5f34e52b2bce02e2188fb79f4ce92c24d3d19e868ba730baa8283f2d2ded4f5419b9

    Download Submit