Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    292s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20/06/2023, 04:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe

  • Size

    4.0MB

  • MD5

    d076c4b5f5c42b44d583c534f78adbe7

  • SHA1

    c35478e67d490145520be73277cd72cd4e837090

  • SHA256

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

  • SHA512

    b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

  • SSDEEP

    49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe
    "C:\Users\Admin\AppData\Local\Temp\2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:2412

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    853.0MB

    MD5

    878f00cb02c7af6b5f762b531750a9b6

    SHA1

    72c6805778c6ea6c6083f158f8e5b7b266d46007

    SHA256

    02305ad2ea10d46d52e683be3a1154a222b2ebdeda633577f7a3f008584305b0

    SHA512

    f1b121f238caf3192e65c71740ce59dbe4dfb52366125e8d4de997c140ac4e2ba073bbead2a37a092c9ab7d9d153395e653379fc30c4bdd9c5cc4888be8b4d3f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    853.0MB

    MD5

    878f00cb02c7af6b5f762b531750a9b6

    SHA1

    72c6805778c6ea6c6083f158f8e5b7b266d46007

    SHA256

    02305ad2ea10d46d52e683be3a1154a222b2ebdeda633577f7a3f008584305b0

    SHA512

    f1b121f238caf3192e65c71740ce59dbe4dfb52366125e8d4de997c140ac4e2ba073bbead2a37a092c9ab7d9d153395e653379fc30c4bdd9c5cc4888be8b4d3f

    Download Submit