Overview

overview

10

Static

static

10

68be007bd3...70.exe

windows7-x64

10

68be007bd3...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-06-2023 05:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68be007bd3fa09d26fcee584a9157770.exe

  • Size

    3.8MB

  • MD5

    68be007bd3fa09d26fcee584a9157770

  • SHA1

    6f191c0587c8055f26367f25ce0f7787ca272714

  • SHA256

    71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

  • SHA512

    f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

  • SSDEEP

    49152:VeCseICR7NWm8qpHakXvLQh0/50OicF5pDRXxRv0VF14L:VeCrXv0W/tpDRX5L

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68be007bd3fa09d26fcee584a9157770.exe
    "C:\Users\Admin\AppData\Local\Temp\68be007bd3fa09d26fcee584a9157770.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1996

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    522.4MB

    MD5

    33012965bae0c68545e343a668415a79

    SHA1

    18877e7d2f3222f0665b997824de9633940a1cc4

    SHA256

    62e36d8ff555b3cfc2f2b5e03b157115234f1a94508561fb0910d117902d3288

    SHA512

    7de749cdf05533a51e79255261264023b1ced9dfa7e351d0b6adf66fe1564db5ed7141c173fef6695f5fa8264aec49dbf90669664f3d07fd523a1e1812bb7237

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    529.9MB

    MD5

    eebe83f3c53beb4955a3f7c1577a03cb

    SHA1

    365aec3f30db511b2e1e2e11de66c3d443852ac3

    SHA256

    09936684b6cd7071b643be4aca8b218d76e91a0ff3ea08c0b0e179fa15e5dc91

    SHA512

    da04e536ab5d372bccac3dc2c1ba24fc7293cf573409b690371278ce5fe6cfcc8f753cc81932ce63d7dd88e36b9ba4b1da9775900c0b86b2c477460a72bdd487

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    333.9MB

    MD5

    91de60ebe285f005e808caf9e4d72383

    SHA1

    8ca415bc7847b5ca721c643442ce8cbcf6c98913

    SHA256

    884e187d6cb3522f4ee53bbe5d37ee6f942b721ce7550b5ee0b8e028f69730b1

    SHA512

    70767358c00a0832757c359c07ca6808b8ae89fa370e381321988a09907034dc97ee0a0188d72c22360adc4fa9f9345ea6e17104436f9cae0bb6ee9424203b3f

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    473.6MB

    MD5

    1c3b02018d0a654d52070aca4c0cafd6

    SHA1

    eab34947bbda959ef6086f579613e9cab5355283

    SHA256

    399df1cc7063e5e0ee5a7ed369c8cf2d1606c0876ed16ccfd4574067698f68f1

    SHA512

    d7c11d5a54c4e1c2241e905d39f91dcc70cc78bca1f9c4e9a7d74d150dcaa71d93f1f9532fd33d30c840344f2d111f6df4e28145112b27bd0cadb68a4aa6f2aa

    Download Submit