Malware Analysis Report

2024-10-23 15:43

Sample ID 230726-qadkpscb5t
Target NA_17ca2de661fa07dd83a55a500_JC.exe
SHA256 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
Tags
laplas clipper evasion persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554

Threat Level: Known bad

The file NA_17ca2de661fa07dd83a55a500_JC.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper evasion persistence stealer trojan

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-26 13:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-26 13:03

Reported

2023-07-26 13:05

Platform

win7-20230712-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lpls.tuktuk.ug | udp
NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp

Files

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 f372fd589d99ff2e74ab5997f1a56f3b
SHA1 b2cbde4e3e0904abcec23efb27cb17a3f49486f6
SHA256 9992c3a0da97007258c26b9c93781599090f8eaa965b8ed9709f10a5a948000a
SHA512 5ecd747ce888ff5876c567c7f3d1bbf6f3aa3b4caedb4096481c2d342298225e4295ab1cb213ec8f72f5437604491ac5e115d606a500bd324f5f965ee29be2f5

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-26 13:03

Reported

2023-07-26 13:05

Platform

win10v2004-20230703-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NA_17ca2de661fa07dd83a55a500_JC.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | lpls.tuktuk.ug | udp
NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp
US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 152d823f0b11bb11d5f7181a76dae45b
SHA1 57c72ecad925a9f180b9688e6c016df602944e3a
SHA256 b036d2137a12c4ae4a82606dce38cd0d255658dbc0fb7e91d31b3df62c3b3b36
SHA512 a193d2104c82cc16349fc7951d6a50b9ac5e7cb8895ded05e313b0564a52bf62ea7e92f48c4fd1ce1135f4e042c329d0af5df2673cea983720013fc005fca6ac
