Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-06-2023 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    3.4MB

  • MD5

    50859caa45e9d02823ae55b69fd7b645

  • SHA1

    aec25ed88cd00fd12a18ca2714d68e33c7fd57c3

  • SHA256

    8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554

  • SHA512

    78df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767

  • SSDEEP

    98304:nImo45lwBzz4/B00uUYiGjHMnhNRUQrqXjWJd:nFnG/4/cz4n7RbryS

Score
10/10
laplasclipperevasionpersistencestealertrojan

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5108

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    830.4MB

    MD5

    c29194c660057404e1d381f7a18a9275

    SHA1

    306e7458bef397582046f35473b2043510238374

    SHA256

    e1b8dc7dbb405613212bf2ac1868ffdaeb58fd56fa2da4d7746ca2746e678cfa

    SHA512

    bf33b5dd0ae9e337df51389df4b2ee332d18b3293c6a4f4c2e49ea49dfb6b717b1c814436461080e12203ef95063b8f748f95fbbf9fbf09e204d7837e5ac6a94

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    830.4MB

    MD5

    c29194c660057404e1d381f7a18a9275

    SHA1

    306e7458bef397582046f35473b2043510238374

    SHA256

    e1b8dc7dbb405613212bf2ac1868ffdaeb58fd56fa2da4d7746ca2746e678cfa

    SHA512

    bf33b5dd0ae9e337df51389df4b2ee332d18b3293c6a4f4c2e49ea49dfb6b717b1c814436461080e12203ef95063b8f748f95fbbf9fbf09e204d7837e5ac6a94

    Download Submit

  • memory/372-133-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/372-134-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/372-135-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/372-136-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/372-137-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/372-138-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/372-139-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/372-140-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/372-142-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/372-145-0x0000000000E10000-0x0000000001608000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-151-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-158-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-149-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-150-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-147-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-152-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-153-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-154-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-155-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-156-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-157-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-148-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-160-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-161-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-162-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-163-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-164-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-165-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-166-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-167-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-168-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-169-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/5108-170-0x00000000005F0000-0x0000000000DE8000-memory.dmp

    Filesize

    8.0MB

    Download