laplas | 1d38b7669f2dcddcf429fef7dc3e37f613caffb8794f1b923b753ac6a38e4094

Analysis

max time kernel
136s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/06/2023, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8.exe
Size

254KB
MD5

2610a0ddbea9da2319bda1005b9c26c9
SHA1

bd0abf0e85dbb443790134d31f82f7bb287c8120
SHA256

1d38b7669f2dcddcf429fef7dc3e37f613caffb8794f1b923b753ac6a38e4094
SHA512

307b95c9091a9181aca5cbddbf5c00ca78c7c16e8e85741952d352d415be482f144bbe2e48af384d39c0f414cde3dd21a6f3697bf8bcb23687511540046f77a3
SSDEEP

3072:YlRbncDRcLjlRbHrvUgxLx4kgKPsbGgOOZrce/a0G0zWgAiJQS2kOuZmVeDkgPxe:GBnyGlRkgxLxYT1dcktG03QS2mEVeQn

Score

10^/10

laplas lobshot redline @ididjsjsid backdoor clipper discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@ididjsjsid

94.142.138.4:80

Attributes

auth_value
ff1308093e68aa6b7353aa8595fa3e75

Extracted

Family

laplas

http://185.223.93.251

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

Detects Lobshot family 7 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012329-75.dat	family_lobshot
behavioral1/files/0x0009000000012329-71.dat	family_lobshot
behavioral1/files/0x0009000000012329-76.dat	family_lobshot
behavioral1/files/0x00070000000126bf-77.dat	family_lobshot
behavioral1/files/0x00070000000126bf-81.dat	family_lobshot
behavioral1/files/0x00070000000126bf-80.dat	family_lobshot
behavioral1/files/0x00070000000126bf-79.dat	family_lobshot

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1624	conhost.exe
948	svchost.exe
1436	service.exe
316	ntlhost.exe

Loads dropped DLL 6 IoCs

pid	Process
1324	f8.exe
1324	f8.exe
1324	f8.exe
1096	cmd.exe
1624	conhost.exe
1624	conhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\ProgramData\\service.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	conhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	10	Go-http-client/1.1

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
944	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1324	f8.exe
1324	f8.exe
948	svchost.exe
1436	service.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	f8.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1624	1324	f8.exe	29
PID 1324 wrote to memory of 1624	1324	f8.exe	29
PID 1324 wrote to memory of 1624	1324	f8.exe	29
PID 1324 wrote to memory of 1624	1324	f8.exe	29
PID 1324 wrote to memory of 948	1324	f8.exe	30
PID 1324 wrote to memory of 948	1324	f8.exe	30
PID 1324 wrote to memory of 948	1324	f8.exe	30
PID 1324 wrote to memory of 948	1324	f8.exe	30
PID 948 wrote to memory of 1096	948	svchost.exe	31
PID 948 wrote to memory of 1096	948	svchost.exe	31
PID 948 wrote to memory of 1096	948	svchost.exe	31
PID 948 wrote to memory of 1096	948	svchost.exe	31
PID 1096 wrote to memory of 944	1096	cmd.exe	33
PID 1096 wrote to memory of 944	1096	cmd.exe	33
PID 1096 wrote to memory of 944	1096	cmd.exe	33
PID 1096 wrote to memory of 944	1096	cmd.exe	33
PID 1096 wrote to memory of 1436	1096	cmd.exe	34
PID 1096 wrote to memory of 1436	1096	cmd.exe	34
PID 1096 wrote to memory of 1436	1096	cmd.exe	34
PID 1096 wrote to memory of 1436	1096	cmd.exe	34
PID 1624 wrote to memory of 316	1624	conhost.exe	35
PID 1624 wrote to memory of 316	1624	conhost.exe	35
PID 1624 wrote to memory of 316	1624	conhost.exe	35

C:\Users\Admin\AppData\Local\Temp\f8.exe
"C:\Users\Admin\AppData\Local\Temp\f8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Executes dropped EXE
    PID:316
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\svchost.exe") & (start "" "C:\ProgramData\service.exe")
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:944
  - - C:\ProgramData\service.exe
      "C:\ProgramData\service.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
468.6MB

MD5
3db5252844be6a5bdc31f24a6eb7f694

SHA1
ff37f48522e3123aaa801c4be49b9393b2f711f5

SHA256
1e4346d506b49d8fed905fc36e772f8df61e6fd1709ab8b18c6923df66a402cb

SHA512
24d722b002e65d0fa5bf9201b6bc2158c1933fb42cd5cab35dd43e08ffae14fdc0bb1981e3ca08171977e2a85724d8b35834a430bbe288533584eb8489f5719c

Download Submit
\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
545.8MB

MD5
1650be22207c5c52e4dfce273050ac23

SHA1
b57a978ed27e1fa37338aa116c8ed2f43c1a9392

SHA256
32981c30b98012048405c8ac5f4c18d71b9986c968c94cd5cc6ac20931e49ff1

SHA512
ae1d6f8dd74b12d5fa785f9c5eb6442703e0222f28ad4d692dea4eb0f90c05353ff380745a8cee70c9e37e8df1e8207a9c4273ee9a0ec762ccb3cd86460b4d8b

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
493.2MB

MD5
0fafcafc7a05a10e12870dd5ee932a0d

SHA1
d83175e8edeaa74582046b054c9dbf9ecb7d9413

SHA256
e6a6a2922309e39310049a246c9dcb2208da650d5afb67156ed7bdf72fd9ca11

SHA512
b35ed1a21ba0d6e00cb878d7b7b573ac6281ffc5d6bacf988d8a251fe0e1d323cf70b52d2dcd4a7307f3cfb2217f0c86ba2243a67c754752cb08506b4870d32b

Download Submit
memory/1324-54-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1324-60-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download
memory/1324-59-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download
memory/1324-58-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download