laplas | dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049

Analysis

max time kernel
125s
max time network
129s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 10:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

05d2607674b12556392ad7d31c498bb2
SHA1

6a30c01505a666f109502e563df48287fc68af7b
SHA256

dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049
SHA512

4f9019a34c89cc49b29ae808e272a5acb5e6bb18b4369cf826cc2ce46b41586418494ad535ef7d95408c86ff468457bb5227db619b0c64381172b3eecb77f549
SSDEEP

6144:vhMIAaYKyQdiU+oboLaSORJ3k5QH2rCfdOrAOGLNf9C42PVWI/L6VGuXZ:vhMvaYTQdiU+oboLLuiELNOPVWIzmfZ

Score

10^/10

laplas redline 2 clipper infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

95.216.249.153:81

Attributes

auth_value
101013a5e99e0857595aae297a11351d

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1904	Upshot_o.exe
1860	ajetr2fx.exe

Loads dropped DLL 7 IoCs

pid	Process
2040	RegSvcs.exe
2040	RegSvcs.exe
2040	RegSvcs.exe
2040	RegSvcs.exe
1644	WerFault.exe
1644	WerFault.exe
1644	WerFault.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1304 set thread context of 2040	1304	file.exe	28
PID 1860 set thread context of 1896	1860	ajetr2fx.exe	35

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1932	1304	WerFault.exe	26
1644	1860	WerFault.exe	33

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	RegSvcs.exe
2040	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	RegSvcs.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2040	1304	file.exe	28
PID 1304 wrote to memory of 2040	1304	file.exe	28
PID 1304 wrote to memory of 2040	1304	file.exe	28
PID 1304 wrote to memory of 2040	1304	file.exe	28
PID 1304 wrote to memory of 2040	1304	file.exe	28
PID 1304 wrote to memory of 2040	1304	file.exe	28
PID 1304 wrote to memory of 2040	1304	file.exe	28
PID 1304 wrote to memory of 2040	1304	file.exe	28
PID 1304 wrote to memory of 2040	1304	file.exe	28
PID 1304 wrote to memory of 1932	1304	file.exe	29
PID 1304 wrote to memory of 1932	1304	file.exe	29
PID 1304 wrote to memory of 1932	1304	file.exe	29
PID 1304 wrote to memory of 1932	1304	file.exe	29
PID 2040 wrote to memory of 1904	2040	RegSvcs.exe	31
PID 2040 wrote to memory of 1904	2040	RegSvcs.exe	31
PID 2040 wrote to memory of 1904	2040	RegSvcs.exe	31
PID 2040 wrote to memory of 1904	2040	RegSvcs.exe	31
PID 2040 wrote to memory of 1860	2040	RegSvcs.exe	33
PID 2040 wrote to memory of 1860	2040	RegSvcs.exe	33
PID 2040 wrote to memory of 1860	2040	RegSvcs.exe	33
PID 2040 wrote to memory of 1860	2040	RegSvcs.exe	33
PID 1860 wrote to memory of 1896	1860	ajetr2fx.exe	35
PID 1860 wrote to memory of 1896	1860	ajetr2fx.exe	35
PID 1860 wrote to memory of 1896	1860	ajetr2fx.exe	35
PID 1860 wrote to memory of 1896	1860	ajetr2fx.exe	35
PID 1860 wrote to memory of 1896	1860	ajetr2fx.exe	35
PID 1860 wrote to memory of 1896	1860	ajetr2fx.exe	35
PID 1860 wrote to memory of 1896	1860	ajetr2fx.exe	35
PID 1860 wrote to memory of 1896	1860	ajetr2fx.exe	35
PID 1860 wrote to memory of 1896	1860	ajetr2fx.exe	35
PID 1860 wrote to memory of 1644	1860	ajetr2fx.exe	36
PID 1860 wrote to memory of 1644	1860	ajetr2fx.exe	36
PID 1860 wrote to memory of 1644	1860	ajetr2fx.exe	36
PID 1860 wrote to memory of 1644	1860	ajetr2fx.exe	36

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\Upshot_o.exe
    "C:\Users\Admin\AppData\Local\Temp\Upshot_o.exe"
    3⤵
    - Executes dropped EXE
    PID:1904
- - C:\Users\Admin\AppData\Local\Temp\ajetr2fx.exe
    "C:\Users\Admin\AppData\Local\Temp\ajetr2fx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 48
      4⤵
      Loads dropped DLL
      Program crash
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\Doej4oa.exe
    "C:\Users\Admin\AppData\Local\Temp\Doej4oa.exe"
    3⤵
    PID:1580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 48
  2⤵
  - Program crash
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d64ddfbd72de15fd952d1c323e794ba

SHA1
8b7927dd265c0333602ef2c82535df65eeef1ec6

SHA256
4e3e02aa443f460ebce6a973e3f66bbc33a23ba450f8e26527482294b39cddda

SHA512
2791456c64507087b78c859dac7fa0d776632a1e8c9943606981ca438be016c8946a199a0e811dc95fe6b47121ff45aac336cdc04c9323ef3a3f981cc43b6593

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEC93.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Doej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Doej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Doej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE4F.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upshot_o.exe

Filesize
6.5MB

MD5
583336f1531f78ffc2cc8ef84da256e1

SHA1
a4cb0c4123c5bb8abd45d8d320c44782d4de3e33

SHA256
0218aabfe9a1a51116ff85ce7bbba907ded9ca015d23fe2e8e494d695ab9f411

SHA512
f1daa8357a6995fe5be8394d54350df4be9494319261fbb80bd812e9b2c9cecf4c3810d29f872a2f37bd186c2574526155dfd3ea75f5499a03ed8e9df37524e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upshot_o.exe

Filesize
6.5MB

MD5
583336f1531f78ffc2cc8ef84da256e1

SHA1
a4cb0c4123c5bb8abd45d8d320c44782d4de3e33

SHA256
0218aabfe9a1a51116ff85ce7bbba907ded9ca015d23fe2e8e494d695ab9f411

SHA512
f1daa8357a6995fe5be8394d54350df4be9494319261fbb80bd812e9b2c9cecf4c3810d29f872a2f37bd186c2574526155dfd3ea75f5499a03ed8e9df37524e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajetr2fx.exe

Filesize
3.4MB

MD5
3d1c5a5c3b3519d8c218a7d6a7ec6338

SHA1
0793c4ea75b2412bbde9e11578c5f4c843c40d34

SHA256
0090df94f66f8f795143b91f46ffd11314e9fb3735f63b28b8724f819beb5296

SHA512
398db451d6b6b3f28e92ffa295c45ed927f127271b5ee90b643d41ee64d42fe9d8478b2225ee3bce589a0c057db6e57c57a366e008a79ae76135005dc6351348

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajetr2fx.exe

Filesize
3.4MB

MD5
3d1c5a5c3b3519d8c218a7d6a7ec6338

SHA1
0793c4ea75b2412bbde9e11578c5f4c843c40d34

SHA256
0090df94f66f8f795143b91f46ffd11314e9fb3735f63b28b8724f819beb5296

SHA512
398db451d6b6b3f28e92ffa295c45ed927f127271b5ee90b643d41ee64d42fe9d8478b2225ee3bce589a0c057db6e57c57a366e008a79ae76135005dc6351348

Download Submit
\Users\Admin\AppData\Local\Temp\Doej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
\Users\Admin\AppData\Local\Temp\Doej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
\Users\Admin\AppData\Local\Temp\Upshot_o.exe

Filesize
6.5MB

MD5
583336f1531f78ffc2cc8ef84da256e1

SHA1
a4cb0c4123c5bb8abd45d8d320c44782d4de3e33

SHA256
0218aabfe9a1a51116ff85ce7bbba907ded9ca015d23fe2e8e494d695ab9f411

SHA512
f1daa8357a6995fe5be8394d54350df4be9494319261fbb80bd812e9b2c9cecf4c3810d29f872a2f37bd186c2574526155dfd3ea75f5499a03ed8e9df37524e8

Download Submit
\Users\Admin\AppData\Local\Temp\Upshot_o.exe

Filesize
6.5MB

MD5
583336f1531f78ffc2cc8ef84da256e1

SHA1
a4cb0c4123c5bb8abd45d8d320c44782d4de3e33

SHA256
0218aabfe9a1a51116ff85ce7bbba907ded9ca015d23fe2e8e494d695ab9f411

SHA512
f1daa8357a6995fe5be8394d54350df4be9494319261fbb80bd812e9b2c9cecf4c3810d29f872a2f37bd186c2574526155dfd3ea75f5499a03ed8e9df37524e8

Download Submit
\Users\Admin\AppData\Local\Temp\ajetr2fx.exe

Filesize
3.4MB

MD5
3d1c5a5c3b3519d8c218a7d6a7ec6338

SHA1
0793c4ea75b2412bbde9e11578c5f4c843c40d34

SHA256
0090df94f66f8f795143b91f46ffd11314e9fb3735f63b28b8724f819beb5296

SHA512
398db451d6b6b3f28e92ffa295c45ed927f127271b5ee90b643d41ee64d42fe9d8478b2225ee3bce589a0c057db6e57c57a366e008a79ae76135005dc6351348

Download Submit
\Users\Admin\AppData\Local\Temp\ajetr2fx.exe

Filesize
3.4MB

MD5
3d1c5a5c3b3519d8c218a7d6a7ec6338

SHA1
0793c4ea75b2412bbde9e11578c5f4c843c40d34

SHA256
0090df94f66f8f795143b91f46ffd11314e9fb3735f63b28b8724f819beb5296

SHA512
398db451d6b6b3f28e92ffa295c45ed927f127271b5ee90b643d41ee64d42fe9d8478b2225ee3bce589a0c057db6e57c57a366e008a79ae76135005dc6351348

Download Submit
\Users\Admin\AppData\Local\Temp\ajetr2fx.exe

Filesize
3.4MB

MD5
3d1c5a5c3b3519d8c218a7d6a7ec6338

SHA1
0793c4ea75b2412bbde9e11578c5f4c843c40d34

SHA256
0090df94f66f8f795143b91f46ffd11314e9fb3735f63b28b8724f819beb5296

SHA512
398db451d6b6b3f28e92ffa295c45ed927f127271b5ee90b643d41ee64d42fe9d8478b2225ee3bce589a0c057db6e57c57a366e008a79ae76135005dc6351348

Download Submit
\Users\Admin\AppData\Local\Temp\ajetr2fx.exe

Filesize
3.4MB

MD5
3d1c5a5c3b3519d8c218a7d6a7ec6338

SHA1
0793c4ea75b2412bbde9e11578c5f4c843c40d34

SHA256
0090df94f66f8f795143b91f46ffd11314e9fb3735f63b28b8724f819beb5296

SHA512
398db451d6b6b3f28e92ffa295c45ed927f127271b5ee90b643d41ee64d42fe9d8478b2225ee3bce589a0c057db6e57c57a366e008a79ae76135005dc6351348

Download Submit
\Users\Admin\AppData\Local\Temp\ajetr2fx.exe

Filesize
3.4MB

MD5
3d1c5a5c3b3519d8c218a7d6a7ec6338

SHA1
0793c4ea75b2412bbde9e11578c5f4c843c40d34

SHA256
0090df94f66f8f795143b91f46ffd11314e9fb3735f63b28b8724f819beb5296

SHA512
398db451d6b6b3f28e92ffa295c45ed927f127271b5ee90b643d41ee64d42fe9d8478b2225ee3bce589a0c057db6e57c57a366e008a79ae76135005dc6351348

Download Submit
memory/1896-181-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1896-176-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1896-153-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1896-154-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1896-171-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1896-178-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1896-179-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1904-141-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1904-143-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1904-142-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2040-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2040-64-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2040-63-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2040-62-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2040-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2040-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2040-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download