Malware Analysis Report

2024-10-23 15:42

Sample ID 230724-pvmtfadb94
Target 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe
SHA256 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e
Tags
laplas clipper persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e

Threat Level: Known bad

The file 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper persistence stealer

Laplas Clipper

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-24 12:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-24 12:39

Reported

2023-07-24 12:43

Platform

win7-20230712-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe

"C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 clipper.guru udp
NL 185.209.161.61:80 clipper.guru tcp

Files

memory/2072-54-0x0000000003F30000-0x00000000040DA000-memory.dmp

memory/2072-55-0x0000000003F30000-0x00000000040DA000-memory.dmp

memory/2072-56-0x00000000040E0000-0x00000000044B0000-memory.dmp

memory/2072-57-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2072-58-0x0000000003F30000-0x00000000040DA000-memory.dmp

memory/2072-59-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2072-60-0x00000000040E0000-0x00000000044B0000-memory.dmp

memory/2072-61-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2072-62-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2072-63-0x0000000000400000-0x0000000002606000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 edd171abb67d2f2273b342619239094b
SHA1 b22003bfc48254e80462e0bae26197f4eb8db4ea
SHA256 9b3ee74b3178e71a7dce918379eaa6dd4e85941a9f8716f70360b0691cd9a7a2
SHA512 26e30d90833aa7cebecea41a516eab9b738e1a8eab1fb755d2fc0b0b09489eb44d532a3c8832b22b753e156343de82a6f33ea06b0fbf9a4d85ee1a8a2e7fe809

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 72e75534ff6ca1d2024df7933e403102
SHA1 51f337cf7af4131f2fbb6149cc881b86b190affb
SHA256 9002d2920cbd8d151906a2284a81cfebc986c584a2632b381f2c2da098dea1fc
SHA512 f985873a29d653f4311904b18569db530853685f9f5470df64d0d47d891c343873d51304da205004855955dc1bd78f9fb100883a276db8aeeadb85ced6717e0b

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 5e44a9952ef73392f0d8697be0c25f59
SHA1 813fe0d8435a88c5e39d2c793494c055f65badc0
SHA256 c2fec65db394a8b947227cb9d23352cc565a7919c48ce369c0d6ad1d57bfc041
SHA512 cb762c10161d391ab0ab9ea191257e041867fdb06109169cd91ae882f9ac46ec03802dbf68ae51dad67c94561a2534f4acfeb4559f8d64de03d4f1e8c48376c0

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 e434ac15ddbfeecd035edcf066bc7ab3
SHA1 e5b015114668e1157adb5c33c5da859107ea017b
SHA256 0a2bfe6dc34886a7ef45b1bc0fba92d4211f497e7715aa8db71103a0252ee7c2
SHA512 0ee71e0f813e9eb846d6ee451907d4932267ca6830ad247ca31abb790dd0d506aeb1d89c8d832d6720ee17bf62060a96d107cb64180edf5bccef9b11f52af7c6

memory/2072-72-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-73-0x00000000040A0000-0x000000000424A000-memory.dmp

memory/2256-74-0x00000000040A0000-0x000000000424A000-memory.dmp

memory/2256-75-0x0000000004250000-0x0000000004620000-memory.dmp

memory/2256-76-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-77-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-78-0x00000000040A0000-0x000000000424A000-memory.dmp

memory/2256-79-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-80-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-81-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-82-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-83-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-84-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-87-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-88-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-89-0x0000000000400000-0x0000000002606000-memory.dmp

memory/2256-90-0x0000000000400000-0x0000000002606000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-24 12:39

Reported

2023-07-24 12:42

Platform

win10v2004-20230703-en

Max time kernel

152s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe

"C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 clipper.guru udp
NL 185.209.161.61:80 clipper.guru tcp
US 8.8.8.8:53 61.161.209.185.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/1372-134-0x0000000004440000-0x00000000045F1000-memory.dmp

memory/1372-135-0x0000000004600000-0x00000000049D0000-memory.dmp

memory/1372-136-0x0000000000400000-0x0000000002606000-memory.dmp

memory/1372-137-0x0000000000400000-0x0000000002606000-memory.dmp

memory/1372-138-0x0000000004440000-0x00000000045F1000-memory.dmp

memory/1372-139-0x0000000004600000-0x00000000049D0000-memory.dmp

memory/1372-140-0x0000000000400000-0x0000000002606000-memory.dmp

memory/1372-142-0x0000000000400000-0x0000000002606000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 5826e776a96f59f6ab7b28f326402950
SHA1 1ea23924918d15d4b5cd2c6bd6df75b3f1759fb8
SHA256 4f808c43ce2df5591c320c9b816813e2dce0660084cb335fe025f0595f67b405
SHA512 4bac3725f2fa3eb23d63867da04d252640aea06b1737b134d63267483f6b2428342ce0814a7ba0c5f4f6dc696ee0e46832db831941f4a64ad306af2ed81fb520

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 f7f951ac57531d5e6e9b87c77b14b168
SHA1 714a0d6a6ff58e4897a957d85ed0b64c200a9cdf
SHA256 052108d6c322aa506f17938d15759873404ecada443db07a62e488fd75474fc8
SHA512 4eaf602f32d3b1b111ac5998c58ac19cff939e1aac2e9a97a9673b7656035e80a270725c3eafed16189077c3e72735bd993ecc9433571ebc589c9e1d087abca7

memory/1372-146-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-149-0x0000000004370000-0x0000000004526000-memory.dmp

memory/452-150-0x0000000004530000-0x0000000004900000-memory.dmp

memory/452-151-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-152-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-153-0x0000000004370000-0x0000000004526000-memory.dmp

memory/452-154-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-155-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-156-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-157-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-158-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-159-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-161-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-162-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-163-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-164-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-165-0x0000000000400000-0x0000000002606000-memory.dmp

memory/452-166-0x0000000000400000-0x0000000002606000-memory.dmp