Overview

overview

10

Static

static

3

2c63c61e0a...11.exe

windows7-x64

10

2c63c61e0a...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2023 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611.exe

  • Size

    4.0MB

  • MD5

    d076c4b5f5c42b44d583c534f78adbe7

  • SHA1

    c35478e67d490145520be73277cd72cd4e837090

  • SHA256

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

  • SHA512

    b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

  • SSDEEP

    49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c63c61e0adaaf669c9c674edfc9081d415c05b834611.exe
    "C:\Users\Admin\AppData\Local\Temp\2c63c61e0adaaf669c9c674edfc9081d415c05b834611.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1192

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    792.0MB

    MD5

    970fab328841d6a43b971a00c9029e50

    SHA1

    20fd6d644074e64ed727e7f803cb025ead0acc7e

    SHA256

    ef2cd9e7e10ee7eec5a81b242d6aa02b09117eabbb1d260d2d7311b5cad05a3e

    SHA512

    14633b5e5d6454d5a31aa2d970d770242edcdb82204d5b6de2d69a9882a0289c4ac100af88bae6f68aae6cb351c70295937e0d17fb8c118c197b61d8c26d02f7

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    583.6MB

    MD5

    46d0b59153729700695902a911010f72

    SHA1

    e3c08d8ec17b39b31a4137f8baf59a69d214e83a

    SHA256

    632fc743da6ef85ea66f0c2fd06fd600e9b6a08e983e1fde92827e1c50279841

    SHA512

    52979a916e7b85fe383f3b838bd86cc521fdc981e2dad80e5fdfdb6d66a1b52a48924063492df5c703edf01ea90edffbcf0203d6ab7db437ee8a4af2ca49c1e6

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    602.4MB

    MD5

    c83ed59525db07725eba141273c511ef

    SHA1

    942491841b6eee4b13af58a2dc51c1620575bf77

    SHA256

    30b177cc3b17b44cc54b6adc0be2b31dfe998b5fc5d5b3e5c8767fab47a967a6

    SHA512

    b5894d4fee61ed0d4a8ede18a512e2cb0ca16fa1e94fd37f641f00453b6092b9ab90b5708417c26195aa029c558ca29aa39f735a30f93b17efd9b98895a6231e

    Download Submit