Malware Analysis Report

2024-10-23 15:42

Sample ID 230723-vwzghsfc77
Target 68732e21f497396296e93fb7277add61.bin.exe
SHA256 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e
Tags laplas clipper stealer persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e

Threat Level: Known bad

The file 68732e21f497396296e93fb7277add61.bin.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper stealer persistence

Laplas Clipper

Executes dropped EXE

Adds Run key to start application

Unsigned PE

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-23 17:21

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-23 17:21

Reported

2023-07-23 17:23

Platform

win7-20230712-en

Max time kernel

1s

Max time network

2s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Processes

C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe

"C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe"

Network

N/A

Files

memory/1368-53-0x0000000003FA0000-0x000000000414A000-memory.dmp

memory/1368-54-0x0000000003FA0000-0x000000000414A000-memory.dmp

memory/1368-55-0x0000000004150000-0x0000000004520000-memory.dmp

memory/1368-56-0x0000000000400000-0x0000000002606000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-23 17:21

Reported

2023-07-23 17:23

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe
Target: N/A

GoLang User-Agent

Description: HTTP User-Agent header
Indicator: Go-http-client/1.1
Process: N/A
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe

"C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 clipper.guru udp
NL 185.209.161.61:80 clipper.guru tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 61.161.209.185.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/3588-134-0x0000000004370000-0x0000000004521000-memory.dmp

memory/3588-135-0x0000000004530000-0x0000000004900000-memory.dmp

memory/3588-136-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3588-138-0x0000000004370000-0x0000000004521000-memory.dmp

memory/3588-139-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3588-140-0x0000000004530000-0x0000000004900000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 96f7317988d038b2f2c8862a3f05fc04
SHA1 4c675e9a5b00846e2435c8ee7f61f092f100dd9d
SHA256 e071a7b1e8015b55ef688382a7f8b418923a88a0a04799bbdbb2bd8902ccf9b9
SHA512 841f2b5b8f1e4c977608207b2b75829ca95f450024e25f2cd1b3152cfe4cd0e88e46e65511dd3a40b31124742969c8125843955e78505eb786250da20c08d3ba

memory/3588-144-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-146-0x0000000004370000-0x000000000451D000-memory.dmp

memory/3268-147-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-148-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-149-0x0000000004370000-0x000000000451D000-memory.dmp

memory/3268-150-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-152-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-153-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-154-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-155-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-156-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-157-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-158-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-159-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-160-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-161-0x0000000000400000-0x0000000002606000-memory.dmp

memory/3268-162-0x0000000000400000-0x0000000002606000-memory.dmp