Overview

overview

10

Static

static

3

conhost.exe

windows7-x64

10

conhost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2023 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    conhost.exe

  • Size

    4.0MB

  • MD5

    feccda803ece2e7a3b7e9798714ad47e

  • SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

  • SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

  • SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

  • SSDEEP

    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1448

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    74.1MB

    MD5

    81e830daa89da11338d27931859d7f80

    SHA1

    8b60aca7d9b1f65c096d40dc65664265d222efd1

    SHA256

    6e7eaa69653806d31d9172f7c52bfe870fc104e70a52ab716d05ae82514700f4

    SHA512

    25dceefcde0200f8e0714c99b6d59b99cce3d39edbef0ea5861815155e460da0ee6d4fa58f6229ec2f60bad319223b0f72452026fba0c9b3862ddce656c09e78

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    74.0MB

    MD5

    4caa3631eb810d3f166b256cff1e404b

    SHA1

    44853a9cd8f8e5938b19226f900a25d52e684bed

    SHA256

    603697df6b213afaa246b2465f91ac84bb0d9fd3b5f9acdd7b5473f79fcb8936

    SHA512

    2b342fb79b964f3b06c6af89f41bf0286549becebb0c9fe03844158296ee4a9f7e03d67f990ddacde3c3b801888c520408ec298e700fa51884e2b71e1dd68b00

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    74.9MB

    MD5

    8ccdcb5961c4afcd5a2dad8b318fbbee

    SHA1

    067350f0181f76b3c71338cb5babb7062bd0112b

    SHA256

    73d885441f5d5815231f3c2ca44a8d9058abd3e41cde8395f55a7a77da8bc908

    SHA512

    cec028a4afc923bdfc90661a2003fe84fa9efad10f84ad37cbdbad99659fa1fa96dd1edac11c14ad98b22dd85ec8fc6bfed8d3bdf05267a273ae1d0e48e3dbd2

    Download Submit