Malware Analysis Report

2024-10-23 15:42

Sample ID 230725-w269zsfe6y
Target 18658dec7775fa53f081b892d6a2b027.exe
SHA256 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
Tags laplas clipper evasion persistence stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554

Threat Level: Known bad

The file 18658dec7775fa53f081b892d6a2b027.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper evasion persistence stealer trojan

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-25 18:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-25 18:26

Reported

2023-07-25 18:28

Platform

win7-20230712-en

Max time kernel

139s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe

"C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 8bf956a7e2563b9d7da937485d01b77c
SHA1 14bfd31f2f4dd71e20d9912b5adc3d3be60a04f2
SHA256 b1d42b6b932e0542ee16ad3ee61ebe698d132d5ac49a82892f89955921a29183
SHA512 c82bed37eb6a93a8c5d5f25e1dce97383b8b18234870bd8e4d35cf63f67ced20c17b12d76bbd59e6fd83fef6b970dee7f85b032e847256f60dd2359c89f64928

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 8bf956a7e2563b9d7da937485d01b77c
SHA1 14bfd31f2f4dd71e20d9912b5adc3d3be60a04f2
SHA256 b1d42b6b932e0542ee16ad3ee61ebe698d132d5ac49a82892f89955921a29183
SHA512 c82bed37eb6a93a8c5d5f25e1dce97383b8b18234870bd8e4d35cf63f67ced20c17b12d76bbd59e6fd83fef6b970dee7f85b032e847256f60dd2359c89f64928

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-25 18:26

Reported

2023-07-25 18:28

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe

"C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 126.210.247.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp
US 8.8.8.8:53 149.230.66.45.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 ae919c6d9908bdb9de550f741b11c598
SHA1 89a6d400794ab29593cdb343f55444ad23dab0ac
SHA256 59747edc68011449b7d8141240db614e5bbb101054a9e785465135a9e8589d59
SHA512 55bbef3b5476838a67936c614d91207f759b2f01e3ee43cf8e6be690d8f833f49686b721fec83dbe78456cea073f52456045ae8fdf055218f54e93b28cc8febb
