Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4a1f597ed9...9e.exe

windows7-x64

10

4a1f597ed9...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2023, 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe

  • Size

    1.8MB

  • MD5

    68732e21f497396296e93fb7277add61

  • SHA1

    1fdec6fc0ab4647491cb163a732d985bf6e75f16

  • SHA256

    4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e

  • SHA512

    b3b2deb42b8c1362642ac725f24a3fc59eade40da1bf5e9f2a66e634ab8f7e3ad75a3eee65003be6532b808ad299ec293a9ceae024217a5de68aa41b61134305

  • SSDEEP

    49152:ZxP1ZMKdnhkmr5VlkA/azDEPKkb89KTYkr3T6:H1v9ViA/wkg9KTZ3T

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://clipper.guru

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

C2

http://clipper.guru

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe
    "C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:4512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    593.6MB

    MD5

    a5b62feff7b3773f167cfa1598e657ae

    SHA1

    3131f8fc0854d0174e2d511f9a615da9de697fa3

    SHA256

    ccfe162b246bc3d9b867d0e97aca07dc9c0808b08cfdf545d189f0027de8d42f

    SHA512

    3227ecf1022b8e72474aca4f55c94aa4fd98dae31a01a8fea9da2d07f64798b5f22a7cfdcb16e6b8624f701a9dc7795e2e8f3099fc071dc1712f533f18c98b3a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    519.2MB

    MD5

    534db06b1e6a69fa02884ad797860f32

    SHA1

    23924acd4b77fc6bf55761875ac33ce23ea987dd

    SHA256

    721ea543d4a35cd201aa0261305dfe2fba8725d1540f3fa4968691295fcbec50

    SHA512

    7bc0a67f84eb7f8f8ccb2c53966f20b036ef6122e8694abc54e12778eb9c8a8ee0aefa26fa25d5a0860f93c05d34f4e6ce9378eb3b865778f7cf0566cad41801

    Download Submit

  • memory/1216-135-0x00000000042C0000-0x000000000446F000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1216-136-0x00000000044A0000-0x0000000004870000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1216-137-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/1216-139-0x00000000042C0000-0x000000000446F000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1216-140-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/1216-141-0x00000000044A0000-0x0000000004870000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1216-144-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-152-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-156-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-149-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-150-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-151-0x0000000004360000-0x0000000004511000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4512-147-0x0000000004360000-0x0000000004511000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4512-153-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-154-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-155-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-148-0x0000000004520000-0x00000000048F0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4512-157-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-159-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-160-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-161-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-162-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-163-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-164-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-165-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download

  • memory/4512-166-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

    Download