Overview

overview

10

Static

static

3

08732699.exe

windows7-x64

10

08732699.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    23/06/2023, 07:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    08732699.exe

  • Size

    4.0MB

  • MD5

    d076c4b5f5c42b44d583c534f78adbe7

  • SHA1

    c35478e67d490145520be73277cd72cd4e837090

  • SHA256

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

  • SHA512

    b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

  • SSDEEP

    49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08732699.exe
    "C:\Users\Admin\AppData\Local\Temp\08732699.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1284

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          Filesize

          660.6MB

          MD5

          db538511d2f5c4f73b1880699b43f713

          SHA1

          16ceae602ecff67bb23d4b094bf14819b9575cc4

          SHA256

          d4277e800baf7a3f2b823e9b340e23fd8c575edcf5cb7bb36024d8f642034482

          SHA512

          7262aaf007e55e3c86fce2c3eb38c8ffb09fe622da1000144cd9aed8e4636d03fa270cfb9e345b90f920a95923f6365e3e56d8e97b87a8b24d0b117b9cb39e65

          Download Submit

        • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          Filesize

          682.9MB

          MD5

          927b596e89af77d91b435fa10bc60bb6

          SHA1

          18fc323a054b4171f0cd2931cdc644de2bcb26ff

          SHA256

          b698f01f026ea7427b075d06f1875fefe647d06406fb86732a799d7a76ab2cd6

          SHA512

          3a2910a594a1cf5cbf5d1fef09e9d14d92b64dea795e563b1379146cf1109ffc857a66cab49b73026d4c2a415f7746617b8ba57e263e1ad6cd1942d52c283116

          Download Submit

        • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          Filesize

          693.9MB

          MD5

          7445dd75574c3a994286ad1c550babc1

          SHA1

          69f63348296ec330dc8612922fd3c40ba6f2de8f

          SHA256

          4070e022afdffe50146c7fa440710b1c804396ea8ab86d93957c4826f4b6c09e

          SHA512

          778e0f0ba5f4daebe37031cdc3effc5dd8776915f33ea852e757e7941f7df85ff24f97d42c8e9a31c5d6f16d95e7c2a69dcbe4d545248e57109a655ac067340e

          Download Submit