laplas | db78b5b857378304d5d72a826a2f1e261a71791eda971bf952cbd8182bbc62bd

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2023 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

507a16cb87079ba90a8efe3a6baaa026.exe
Size

939KB
MD5

507a16cb87079ba90a8efe3a6baaa026
SHA1

b526a0a56488488f45d4277a9be5f3105806e0ad
SHA256

db78b5b857378304d5d72a826a2f1e261a71791eda971bf952cbd8182bbc62bd
SHA512

1193148b16891a5df52508366851c50379f05afed538882a4db5c65b345b1c1286d19de1c5f2adad09c411483fea9a6ea0038ffb624c03e42d752da27dda2b78
SSDEEP

6144:XmGoVjJhX8kQ/50Xi8wHi0I1GHXP3Or/c+rkGKZ:XXwX8kQBD8wHivGH/3Orc+rvKZ

Score

10^/10

laplas redline 1 clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

95.216.249.153:81

Attributes

auth_value
a290efd4796d37556cc5af7e83c91346

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1692	p5zl9bq82kjf7.exe
4608	Upshot_ox64.exe
3700	ClipperDoej4oa.exe
8860	ntlhost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	ClipperDoej4oa.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4996 set thread context of 944	4996	507a16cb87079ba90a8efe3a6baaa026.exe	85
PID 1692 set thread context of 412	1692	p5zl9bq82kjf7.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2568	4996	WerFault.exe	83
2220	1692	WerFault.exe	88

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	54	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
944	AppLaunch.exe
944	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 944	4996	507a16cb87079ba90a8efe3a6baaa026.exe	85
PID 4996 wrote to memory of 944	4996	507a16cb87079ba90a8efe3a6baaa026.exe	85
PID 4996 wrote to memory of 944	4996	507a16cb87079ba90a8efe3a6baaa026.exe	85
PID 4996 wrote to memory of 944	4996	507a16cb87079ba90a8efe3a6baaa026.exe	85
PID 4996 wrote to memory of 944	4996	507a16cb87079ba90a8efe3a6baaa026.exe	85
PID 944 wrote to memory of 1692	944	AppLaunch.exe	88
PID 944 wrote to memory of 1692	944	AppLaunch.exe	88
PID 944 wrote to memory of 1692	944	AppLaunch.exe	88
PID 1692 wrote to memory of 412	1692	p5zl9bq82kjf7.exe	90
PID 1692 wrote to memory of 412	1692	p5zl9bq82kjf7.exe	90
PID 1692 wrote to memory of 412	1692	p5zl9bq82kjf7.exe	90
PID 1692 wrote to memory of 412	1692	p5zl9bq82kjf7.exe	90
PID 1692 wrote to memory of 412	1692	p5zl9bq82kjf7.exe	90
PID 944 wrote to memory of 4608	944	AppLaunch.exe	95
PID 944 wrote to memory of 4608	944	AppLaunch.exe	95
PID 944 wrote to memory of 4608	944	AppLaunch.exe	95
PID 944 wrote to memory of 3700	944	AppLaunch.exe	97
PID 944 wrote to memory of 3700	944	AppLaunch.exe	97
PID 944 wrote to memory of 3700	944	AppLaunch.exe	97
PID 3700 wrote to memory of 8860	3700	ClipperDoej4oa.exe	104
PID 3700 wrote to memory of 8860	3700	ClipperDoej4oa.exe	104
PID 3700 wrote to memory of 8860	3700	ClipperDoej4oa.exe	104

C:\Users\Admin\AppData\Local\Temp\507a16cb87079ba90a8efe3a6baaa026.exe
"C:\Users\Admin\AppData\Local\Temp\507a16cb87079ba90a8efe3a6baaa026.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe
    "C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 148
      4⤵
      Program crash
      PID:2220
- - C:\Users\Admin\AppData\Local\Temp\Upshot_ox64.exe
    "C:\Users\Admin\AppData\Local\Temp\Upshot_ox64.exe"
    3⤵
    - Executes dropped EXE
    PID:4608
- - C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe
    "C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:8860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 324
  2⤵
  - Program crash
  PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4996 -ip 4996
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1692 -ip 1692
1⤵
PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upshot_ox64.exe

Filesize
6.5MB

MD5
583336f1531f78ffc2cc8ef84da256e1

SHA1
a4cb0c4123c5bb8abd45d8d320c44782d4de3e33

SHA256
0218aabfe9a1a51116ff85ce7bbba907ded9ca015d23fe2e8e494d695ab9f411

SHA512
f1daa8357a6995fe5be8394d54350df4be9494319261fbb80bd812e9b2c9cecf4c3810d29f872a2f37bd186c2574526155dfd3ea75f5499a03ed8e9df37524e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upshot_ox64.exe

Filesize
6.5MB

MD5
583336f1531f78ffc2cc8ef84da256e1

SHA1
a4cb0c4123c5bb8abd45d8d320c44782d4de3e33

SHA256
0218aabfe9a1a51116ff85ce7bbba907ded9ca015d23fe2e8e494d695ab9f411

SHA512
f1daa8357a6995fe5be8394d54350df4be9494319261fbb80bd812e9b2c9cecf4c3810d29f872a2f37bd186c2574526155dfd3ea75f5499a03ed8e9df37524e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upshot_ox64.exe

Filesize
6.5MB

MD5
583336f1531f78ffc2cc8ef84da256e1

SHA1
a4cb0c4123c5bb8abd45d8d320c44782d4de3e33

SHA256
0218aabfe9a1a51116ff85ce7bbba907ded9ca015d23fe2e8e494d695ab9f411

SHA512
f1daa8357a6995fe5be8394d54350df4be9494319261fbb80bd812e9b2c9cecf4c3810d29f872a2f37bd186c2574526155dfd3ea75f5499a03ed8e9df37524e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe

Filesize
3.2MB

MD5
84295eb36c470252f0e2b2d903ce37ce

SHA1
db8ccaa50c176c4743ca0f9faccd5f313bf7c0fd

SHA256
a2d0f996c8f20680f98b2bc484de4a84502ed563a1268502b2164aea5a112939

SHA512
6672a7837688703eea60963374dc29488c2a16fde40efb3ef39d6834f52a26eb9ea9f5128f6d58f36b82f59f27fc4532398d1719330fe7d2ab30c87c21423efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe

Filesize
3.2MB

MD5
84295eb36c470252f0e2b2d903ce37ce

SHA1
db8ccaa50c176c4743ca0f9faccd5f313bf7c0fd

SHA256
a2d0f996c8f20680f98b2bc484de4a84502ed563a1268502b2164aea5a112939

SHA512
6672a7837688703eea60963374dc29488c2a16fde40efb3ef39d6834f52a26eb9ea9f5128f6d58f36b82f59f27fc4532398d1719330fe7d2ab30c87c21423efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe

Filesize
3.2MB

MD5
84295eb36c470252f0e2b2d903ce37ce

SHA1
db8ccaa50c176c4743ca0f9faccd5f313bf7c0fd

SHA256
a2d0f996c8f20680f98b2bc484de4a84502ed563a1268502b2164aea5a112939

SHA512
6672a7837688703eea60963374dc29488c2a16fde40efb3ef39d6834f52a26eb9ea9f5128f6d58f36b82f59f27fc4532398d1719330fe7d2ab30c87c21423efb

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
228.6MB

MD5
515e7633d5c59aaf5d4e088be0c56b7f

SHA1
13658316a19b05d0a1f28f7ae75dd342d0aa0963

SHA256
31c9a5c7ed52d2a0a597c8967bf5d97d621a5fe6bf07ba80e17265cb71003b7f

SHA512
ce8dbc64ba36701eda0ac0dcccb808e60884b8fdbd1200fefbea6c1e5fb858e0e079fe4742f074b49cdfa7f846fc94783a6f2b5dbaa3474ea40cb17ebd603fcb

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
231.8MB

MD5
ac99e3f1c992da9d3f9d8ac00244d929

SHA1
aa14c55e57032e33783108d5b7bfc13113ed12c3

SHA256
15a5d558f55d100fd9f5b413310a9dff6f4db00ac614594320e6e6e11a157b34

SHA512
d7583dcbc3575ceb3fc95bf3769db542588bb3b20b3d78f44a981390789a0172b0c51a35acbf22359fac5577a8f7321d799d538398f8b2bf04af6a230b4bdb9c

Download Submit
memory/412-182-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/412-159-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/412-180-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/412-179-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/412-178-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/944-146-0x000000000B560000-0x000000000B5C6000-memory.dmp

Filesize
408KB

Download
memory/944-144-0x000000000A650000-0x000000000A6E2000-memory.dmp

Filesize
584KB

Download
memory/944-147-0x000000000CD90000-0x000000000CF52000-memory.dmp

Filesize
1.8MB

Download
memory/944-148-0x000000000D490000-0x000000000D9BC000-memory.dmp

Filesize
5.2MB

Download
memory/944-150-0x000000000C010000-0x000000000C060000-memory.dmp

Filesize
320KB

Download
memory/944-133-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/944-145-0x000000000BA60000-0x000000000C004000-memory.dmp

Filesize
5.6MB

Download
memory/944-149-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/944-143-0x000000000A530000-0x000000000A5A6000-memory.dmp

Filesize
472KB

Download
memory/944-138-0x000000000A850000-0x000000000AE68000-memory.dmp

Filesize
6.1MB

Download
memory/944-142-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/944-141-0x000000000A230000-0x000000000A26C000-memory.dmp

Filesize
240KB

Download
memory/944-140-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/944-139-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/4608-720-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download