laplas | 02c640ef3ac9d7fa8c919b0f72bb85413ef3e9803d2d091277b9a7c41f52e9d9

Analysis

max time kernel
144s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2023 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

575KB
MD5

7e1c47ca9cef11631ddd096c1d3639c7
SHA1

4e8d9b1efb8b4b7b316e5a7fd3fb808e2da759a8
SHA256

02c640ef3ac9d7fa8c919b0f72bb85413ef3e9803d2d091277b9a7c41f52e9d9
SHA512

fa029905bf1921ab433f949167e64874e5da3e98908da38c92ae8e4db987a6ab786f68942993e34c92f713d7bf701e4d066da9abde7b88b6ff018663ba79490a
SSDEEP

6144:qTov37S4OHn8MDIYKReFMjkyI/VYXVhUYbjDyVlQBCVTI:qcv37SajRVjziVq3gVlsCVT

Score

10^/10

laplas redline 2 clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

95.216.249.153:81

Attributes

auth_value
101013a5e99e0857595aae297a11351d

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2092	p5zl9bq82kjf7.exe
892	ClipperDoej4oa.exe
4372	Upshotox64.exe
3848	ntlhost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	ClipperDoej4oa.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe'\""	AppLaunch.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1860 set thread context of 3572	1860	file.exe	87
PID 2092 set thread context of 2296	2092	p5zl9bq82kjf7.exe	99
PID 4372 set thread context of 816	4372	Upshotox64.exe	106

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2420	1860	WerFault.exe	85
2676	2092	WerFault.exe	94
3836	4372	WerFault.exe	104

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	38	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3572	AppLaunch.exe
3572	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 3572	1860	file.exe	87
PID 1860 wrote to memory of 3572	1860	file.exe	87
PID 1860 wrote to memory of 3572	1860	file.exe	87
PID 1860 wrote to memory of 3572	1860	file.exe	87
PID 1860 wrote to memory of 3572	1860	file.exe	87
PID 3572 wrote to memory of 2092	3572	AppLaunch.exe	94
PID 3572 wrote to memory of 2092	3572	AppLaunch.exe	94
PID 3572 wrote to memory of 2092	3572	AppLaunch.exe	94
PID 2092 wrote to memory of 2884	2092	p5zl9bq82kjf7.exe	98
PID 2092 wrote to memory of 2884	2092	p5zl9bq82kjf7.exe	98
PID 2092 wrote to memory of 2884	2092	p5zl9bq82kjf7.exe	98
PID 2092 wrote to memory of 3144	2092	p5zl9bq82kjf7.exe	100
PID 2092 wrote to memory of 3144	2092	p5zl9bq82kjf7.exe	100
PID 2092 wrote to memory of 3144	2092	p5zl9bq82kjf7.exe	100
PID 2092 wrote to memory of 2296	2092	p5zl9bq82kjf7.exe	99
PID 2092 wrote to memory of 2296	2092	p5zl9bq82kjf7.exe	99
PID 2092 wrote to memory of 2296	2092	p5zl9bq82kjf7.exe	99
PID 2092 wrote to memory of 2296	2092	p5zl9bq82kjf7.exe	99
PID 2092 wrote to memory of 2296	2092	p5zl9bq82kjf7.exe	99
PID 3572 wrote to memory of 892	3572	AppLaunch.exe	103
PID 3572 wrote to memory of 892	3572	AppLaunch.exe	103
PID 3572 wrote to memory of 892	3572	AppLaunch.exe	103
PID 3572 wrote to memory of 4372	3572	AppLaunch.exe	104
PID 3572 wrote to memory of 4372	3572	AppLaunch.exe	104
PID 3572 wrote to memory of 4372	3572	AppLaunch.exe	104
PID 4372 wrote to memory of 816	4372	Upshotox64.exe	106
PID 4372 wrote to memory of 816	4372	Upshotox64.exe	106
PID 4372 wrote to memory of 816	4372	Upshotox64.exe	106
PID 4372 wrote to memory of 816	4372	Upshotox64.exe	106
PID 4372 wrote to memory of 816	4372	Upshotox64.exe	106
PID 892 wrote to memory of 3848	892	ClipperDoej4oa.exe	109
PID 892 wrote to memory of 3848	892	ClipperDoej4oa.exe	109
PID 892 wrote to memory of 3848	892	ClipperDoej4oa.exe	109

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe
    "C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 284
      4⤵
      Program crash
      PID:2676
- - C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe
    "C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:3848
- - C:\Users\Admin\AppData\Local\Temp\Upshotox64.exe
    "C:\Users\Admin\AppData\Local\Temp\Upshotox64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Adds Run key to start application
      PID:816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 308
      4⤵
      Program crash
      PID:3836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 312
  2⤵
  - Program crash
  PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2092 -ip 2092
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4372 -ip 4372
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClipperDoej4oa.exe

Filesize
3.8MB

MD5
68be007bd3fa09d26fcee584a9157770

SHA1
6f191c0587c8055f26367f25ce0f7787ca272714

SHA256
71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

SHA512
f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upshotox64.exe

Filesize
412KB

MD5
42851869d2ed62806999dd416ff9f45b

SHA1
46333b2f7ddf326a774b43ea2d66ed681486fd34

SHA256
a6734f7888870bb71002eb528eb1b175b6bcaaf77d216dddd54b13ca967bdfb6

SHA512
43e563a64ef0e85c21bb491666f0ef97392563d40bb3f570c08a3d79affc202ff2b2dd58e5288a80a3e558e711e875d8232d9c0732bdfeb216c49cfc16be0a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upshotox64.exe

Filesize
412KB

MD5
42851869d2ed62806999dd416ff9f45b

SHA1
46333b2f7ddf326a774b43ea2d66ed681486fd34

SHA256
a6734f7888870bb71002eb528eb1b175b6bcaaf77d216dddd54b13ca967bdfb6

SHA512
43e563a64ef0e85c21bb491666f0ef97392563d40bb3f570c08a3d79affc202ff2b2dd58e5288a80a3e558e711e875d8232d9c0732bdfeb216c49cfc16be0a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upshotox64.exe

Filesize
412KB

MD5
42851869d2ed62806999dd416ff9f45b

SHA1
46333b2f7ddf326a774b43ea2d66ed681486fd34

SHA256
a6734f7888870bb71002eb528eb1b175b6bcaaf77d216dddd54b13ca967bdfb6

SHA512
43e563a64ef0e85c21bb491666f0ef97392563d40bb3f570c08a3d79affc202ff2b2dd58e5288a80a3e558e711e875d8232d9c0732bdfeb216c49cfc16be0a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe

Filesize
2.9MB

MD5
73e4eccfbd36690b22434b8edaeab4bf

SHA1
dd7f7c0577149ddc9302998c00ac9846498c973b

SHA256
ef543bf69789486fc724e0c42f2a09a0318af27f6a3bb1889bf7db6d89fd1b9a

SHA512
a5fef4cfdf400e953eab0604e41de44d0b8f9cd4f1b89401cbab77f5e0c8bcb5c41538d0772492065d59b6f24d54fee21e669aa34931c26fa4ae0aeed27df127

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe

Filesize
2.9MB

MD5
73e4eccfbd36690b22434b8edaeab4bf

SHA1
dd7f7c0577149ddc9302998c00ac9846498c973b

SHA256
ef543bf69789486fc724e0c42f2a09a0318af27f6a3bb1889bf7db6d89fd1b9a

SHA512
a5fef4cfdf400e953eab0604e41de44d0b8f9cd4f1b89401cbab77f5e0c8bcb5c41538d0772492065d59b6f24d54fee21e669aa34931c26fa4ae0aeed27df127

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5zl9bq82kjf7.exe

Filesize
2.9MB

MD5
73e4eccfbd36690b22434b8edaeab4bf

SHA1
dd7f7c0577149ddc9302998c00ac9846498c973b

SHA256
ef543bf69789486fc724e0c42f2a09a0318af27f6a3bb1889bf7db6d89fd1b9a

SHA512
a5fef4cfdf400e953eab0604e41de44d0b8f9cd4f1b89401cbab77f5e0c8bcb5c41538d0772492065d59b6f24d54fee21e669aa34931c26fa4ae0aeed27df127

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
724.8MB

MD5
e780f7171e7bf7c26c94ba0ca7bf1db5

SHA1
7711cd77a624a458b0c2c742a1daa44176fd49c0

SHA256
25e155f0309323644a02913d348196830c5eac418cde9635d63b7b13c6c92e85

SHA512
8daf5c6156073225229e1a05bc2c4484b2adf71fd925323957a3d3d63744cc4af2315d88c81c63c1bc22d3115bdb8b10cf79a84cbf5c89cb19b412d7644ef321

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
724.8MB

MD5
e780f7171e7bf7c26c94ba0ca7bf1db5

SHA1
7711cd77a624a458b0c2c742a1daa44176fd49c0

SHA256
25e155f0309323644a02913d348196830c5eac418cde9635d63b7b13c6c92e85

SHA512
8daf5c6156073225229e1a05bc2c4484b2adf71fd925323957a3d3d63744cc4af2315d88c81c63c1bc22d3115bdb8b10cf79a84cbf5c89cb19b412d7644ef321

Download Submit
memory/816-200-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/816-199-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/816-193-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2296-159-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3572-149-0x0000000007C90000-0x00000000081BC000-memory.dmp

Filesize
5.2MB

Download
memory/3572-139-0x00000000054F0000-0x00000000055FA000-memory.dmp

Filesize
1.0MB

Download
memory/3572-150-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/3572-143-0x0000000005780000-0x00000000057F6000-memory.dmp

Filesize
472KB

Download
memory/3572-142-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/3572-141-0x0000000005470000-0x00000000054AC000-memory.dmp

Filesize
240KB

Download
memory/3572-140-0x0000000005410000-0x0000000005422000-memory.dmp

Filesize
72KB

Download
memory/3572-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3572-138-0x0000000005A00000-0x0000000006018000-memory.dmp

Filesize
6.1MB

Download
memory/3572-144-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/3572-148-0x0000000006FA0000-0x0000000007162000-memory.dmp

Filesize
1.8MB

Download
memory/3572-147-0x0000000006D80000-0x0000000006DD0000-memory.dmp

Filesize
320KB

Download
memory/3572-146-0x0000000006A50000-0x0000000006AB6000-memory.dmp

Filesize
408KB

Download
memory/3572-145-0x0000000008760000-0x0000000008D04000-memory.dmp

Filesize
5.6MB

Download