Overview

overview

10

Static

static

3

ccf4763882...a9.exe

windows7-x64

10

ccf4763882...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-06-2023 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccf4763882256111f713d881ad7d9aa9.exe

  • Size

    3.7MB

  • MD5

    ccf4763882256111f713d881ad7d9aa9

  • SHA1

    507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

  • SHA256

    59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

  • SHA512

    53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

  • SSDEEP

    98304:o+bU8AtKpng3RiQT0Q9zc7J7MRNCwZMGzcf+UctPK0:o+bUVtKxg3RiQ7z0J7MuwDzcGUck

Score
10/10
laplasclipperevasionpersistencestealertrojan

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccf4763882256111f713d881ad7d9aa9.exe
    "C:\Users\Admin\AppData\Local\Temp\ccf4763882256111f713d881ad7d9aa9.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:676

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    725.7MB

    MD5

    875d35a2b7877a838d061887b226cd23

    SHA1

    3d8574ca6f15bc89791781ffe5ebefe3b264272a

    SHA256

    c6053e71aade964c263a7314852abb783be7a07098ca7967bdd783d942d7c249

    SHA512

    b362e27a97baec251c101a749b4c9d8ed46776415043afe1b924d238ffe36e0b6e6c8213461051e26b5fbebd058ab9c27f8484e92e699be360291099b7100b15

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    725.7MB

    MD5

    875d35a2b7877a838d061887b226cd23

    SHA1

    3d8574ca6f15bc89791781ffe5ebefe3b264272a

    SHA256

    c6053e71aade964c263a7314852abb783be7a07098ca7967bdd783d942d7c249

    SHA512

    b362e27a97baec251c101a749b4c9d8ed46776415043afe1b924d238ffe36e0b6e6c8213461051e26b5fbebd058ab9c27f8484e92e699be360291099b7100b15

    Download Submit

  • memory/676-72-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-82-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-73-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-89-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-88-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-87-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-86-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-85-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-84-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-67-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-68-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-69-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-70-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-71-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-83-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-90-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-74-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-75-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-76-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-77-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-78-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/676-79-0x0000000000C90000-0x00000000014DC000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1536-57-0x0000000000120000-0x000000000096C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1536-59-0x0000000000120000-0x000000000096C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1536-66-0x0000000000120000-0x000000000096C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1536-55-0x0000000000120000-0x000000000096C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1536-56-0x0000000000120000-0x000000000096C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1536-61-0x0000000000120000-0x000000000096C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1536-60-0x0000000000120000-0x000000000096C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1536-58-0x0000000000120000-0x000000000096C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1536-54-0x0000000000120000-0x000000000096C000-memory.dmp

    Filesize

    8.3MB

    Download