laplas | 1d38b7669f2dcddcf429fef7dc3e37f613caffb8794f1b923b753ac6a38e4094

Analysis

max time kernel
139s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-06-2023 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8.exe
Size

254KB
MD5

2610a0ddbea9da2319bda1005b9c26c9
SHA1

bd0abf0e85dbb443790134d31f82f7bb287c8120
SHA256

1d38b7669f2dcddcf429fef7dc3e37f613caffb8794f1b923b753ac6a38e4094
SHA512

307b95c9091a9181aca5cbddbf5c00ca78c7c16e8e85741952d352d415be482f144bbe2e48af384d39c0f414cde3dd21a6f3697bf8bcb23687511540046f77a3
SSDEEP

3072:YlRbncDRcLjlRbHrvUgxLx4kgKPsbGgOOZrce/a0G0zWgAiJQS2kOuZmVeDkgPxe:GBnyGlRkgxLxYT1dcktG03QS2mEVeQn

Score

10^/10

laplas lobshot redline @ididjsjsid backdoor clipper discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@ididjsjsid

94.142.138.4:80

Attributes

auth_value
ff1308093e68aa6b7353aa8595fa3e75

Extracted

Family

laplas

http://185.223.93.251

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

Detects Lobshot family 7 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122f6-71.dat	family_lobshot
behavioral1/files/0x00090000000122f6-75.dat	family_lobshot
behavioral1/files/0x00090000000122f6-76.dat	family_lobshot
behavioral1/files/0x00080000000122fc-77.dat	family_lobshot
behavioral1/files/0x00080000000122fc-88.dat	family_lobshot
behavioral1/files/0x00080000000122fc-87.dat	family_lobshot
behavioral1/files/0x00080000000122fc-86.dat	family_lobshot

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1788	conhost.exe
1980	svchost.exe
1768	ntlhost.exe
1716	service.exe

Loads dropped DLL 6 IoCs

pid	Process
336	f8.exe
336	f8.exe
336	f8.exe
1788	conhost.exe
1788	conhost.exe
1256	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\ProgramData\\service.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	conhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
304	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
336	f8.exe
336	f8.exe
1980	svchost.exe
1716	service.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	f8.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 1788	336	f8.exe	30
PID 336 wrote to memory of 1788	336	f8.exe	30
PID 336 wrote to memory of 1788	336	f8.exe	30
PID 336 wrote to memory of 1788	336	f8.exe	30
PID 336 wrote to memory of 1980	336	f8.exe	31
PID 336 wrote to memory of 1980	336	f8.exe	31
PID 336 wrote to memory of 1980	336	f8.exe	31
PID 336 wrote to memory of 1980	336	f8.exe	31
PID 1980 wrote to memory of 1256	1980	svchost.exe	32
PID 1980 wrote to memory of 1256	1980	svchost.exe	32
PID 1980 wrote to memory of 1256	1980	svchost.exe	32
PID 1980 wrote to memory of 1256	1980	svchost.exe	32
PID 1256 wrote to memory of 304	1256	cmd.exe	34
PID 1256 wrote to memory of 304	1256	cmd.exe	34
PID 1256 wrote to memory of 304	1256	cmd.exe	34
PID 1256 wrote to memory of 304	1256	cmd.exe	34
PID 1788 wrote to memory of 1768	1788	conhost.exe	35
PID 1788 wrote to memory of 1768	1788	conhost.exe	35
PID 1788 wrote to memory of 1768	1788	conhost.exe	35
PID 1256 wrote to memory of 1716	1256	cmd.exe	36
PID 1256 wrote to memory of 1716	1256	cmd.exe	36
PID 1256 wrote to memory of 1716	1256	cmd.exe	36
PID 1256 wrote to memory of 1716	1256	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\f8.exe
"C:\Users\Admin\AppData\Local\Temp\f8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Executes dropped EXE
    PID:1768
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\svchost.exe") & (start "" "C:\ProgramData\service.exe")
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:304
  - - C:\ProgramData\service.exe
      "C:\ProgramData\service.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
649.4MB

MD5
946ee617024587c72631869ea745ffc6

SHA1
36df2e1e6635592794c6ebf7445d4d40f91c2e08

SHA256
73a222a9ecea06acc5d8dcd7bcd6635518281b3b1f85a99d85e95cb42c2e1ac7

SHA512
55f05e8cd4b0b083a8989c2df872f133cf64ac3dc2ac2922c93e99fb673e32e060ea0875473a17090dfb56e23800c0457d74a7f86983afc5e67848f34f637d34

Download Submit
\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
601.9MB

MD5
d61573e3dc70c656ca1f6e8f8000414b

SHA1
f3a2093fc88bd1695b134de6ef7be89f6a15f08b

SHA256
64bde79d2dff445bf96b9c0b59a1c89d2013d761a6d5150da9b556779caebf53

SHA512
52caa6968292535ce4498854c7d451b6d4fcbcc4e035c482bc0465eb473a64c930e709d3813461dbb763c694b2477a53069b7a20ca49f0f4392998602277cc64

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
385.6MB

MD5
e7723836205d16eeb07f6ef96546b95a

SHA1
d3605fff43ab5dbb2d8a1c7945b70deee18b834c

SHA256
aa193ab4c1d576f822e76a77407b8edb3d37b50a731ba6e60bbba8e129cdfaf6

SHA512
b1215dcb0baa23e93267fcfb4f3f93bfc9a85f0a30e6306a3f08b0c8fb37be1fd0a6401f670a06f7868a76006a8eaee3e2ffcefcef3e5cf10f5b21b2c3cde572

Download Submit
memory/336-54-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/336-60-0x0000000002270000-0x00000000022B0000-memory.dmp

Filesize
256KB

Download
memory/336-59-0x0000000002270000-0x00000000022B0000-memory.dmp

Filesize
256KB

Download
memory/336-58-0x0000000000850000-0x0000000000856000-memory.dmp

Filesize
24KB

Download