Malware Analysis Report

2024-10-23 15:43

Sample ID 230725-bvma1shg97
Target 68732e21f497396296e93fb7277add61.bin
SHA256 1661daf17ccb995736f0ddb77b1c47be24a3e126816c47764b30b9c82c3a51df
Tags
laplas clipper persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1661daf17ccb995736f0ddb77b1c47be24a3e126816c47764b30b9c82c3a51df

Threat Level: Known bad

The file 68732e21f497396296e93fb7277add61.bin was found to be: Known bad.

Malicious Activity Summary

laplas clipper persistence stealer

Laplas Clipper

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-25 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-25 01:27

Reported

2023-07-25 01:30

Platform

win7-20230712-en

Max time kernel

140s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe

"C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 clipper.guru udp
NL 185.209.161.61:80 clipper.guru tcp

Files

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 d411e9b88453993c4ced925ac7979758
SHA1 5918bd49b766cb6b61c1f99160efa1e7faa53db2
SHA256 7ecc4808ab999d6a101bca6446706d0efffc0a4f0b37a7a75884d7ff9cddc345
SHA512 eaab8486a53216f6590459deb03ce7414ed453542066a80d3ba464fc26cbff1c72b744c32fedc889b16812f493de11b0bd742ee1a3d8752b58dfe72d14874687

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 e60cb6b605425a4081597d98f404c42b
SHA1 d46b6aa0b1e8eb39396a200d7090fa26c173e894
SHA256 bce38f3ab765b8049329be686652b04b4bab2d06025834c3de882ea8a9780994
SHA512 0c519a5dc0a6eb04bd6c333af4a887d70f29f3dda357648e7b9f91af1435a9356cd430d0eaf7b17e9f82fed0b0cb5f462ff0a51d87c7aa1d780397f3b9d8a704

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 088c3404b2dbfd53e77de7af7a184531
SHA1 031074eba4c8dc0c537bfdf38ee7ca8199f35df8
SHA256 76523d9c8233b2ed47eb29aeb072bd5f896dd0e4a63c1a6442736b5d85c4c3d7
SHA512 fa631767662cb0cf49c2f4bb9f9e1177f8bbd02f40d25158ba64363cd35e432a58117176f251fe97fc2c29abccc1c8b3485b01cd5469641427a5fac3ac6cb984

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 b303027803b604fa874988438ac1b6db
SHA1 eabe34c21f113ddc28b72a2c204e73eb2d1d4fbc
SHA256 9be26f1cd2a747aacb4b1b71b1b60605cdfd550bdf7a91dbb4c29e33f86ccee5
SHA512 c292f247a236c4d9ef2d06d62bcc90411e5b8064c55097faa50e4713c82d2aa2aa9183fc5a80a3cf62cbcc54823d87a672fc83ec650b43f71b7080dee32f4e7c

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-25 01:27

Reported

2023-07-25 01:30

Platform

win10v2004-20230703-en

Max time kernel

151s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe

"C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 clipper.guru udp
NL 185.209.161.61:80 clipper.guru tcp
US 8.8.8.8:53 61.161.209.185.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 a5b62feff7b3773f167cfa1598e657ae
SHA1 3131f8fc0854d0174e2d511f9a615da9de697fa3
SHA256 ccfe162b246bc3d9b867d0e97aca07dc9c0808b08cfdf545d189f0027de8d42f
SHA512 3227ecf1022b8e72474aca4f55c94aa4fd98dae31a01a8fea9da2d07f64798b5f22a7cfdcb16e6b8624f701a9dc7795e2e8f3099fc071dc1712f533f18c98b3a

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 534db06b1e6a69fa02884ad797860f32
SHA1 23924acd4b77fc6bf55761875ac33ce23ea987dd
SHA256 721ea543d4a35cd201aa0261305dfe2fba8725d1540f3fa4968691295fcbec50
SHA512 7bc0a67f84eb7f8f8ccb2c53966f20b036ef6122e8694abc54e12778eb9c8a8ee0aefa26fa25d5a0860f93c05d34f4e6ce9378eb3b865778f7cf0566cad41801
