Malware Analysis Report

2024-10-23 15:42

Sample ID 230727-bcxn2ahd6w
Target 18658dec7775fa53f081b892d6a2b027.bin
SHA256 7e8bcb5a4cf982060f3f7fbb291e672849267ef3004034f739e18a2c5c90ae53
Tags
laplas clipper evasion persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7e8bcb5a4cf982060f3f7fbb291e672849267ef3004034f739e18a2c5c90ae53

Threat Level: Known bad

The file 18658dec7775fa53f081b892d6a2b027.bin was found to be: Known bad.

Malicious Activity Summary

laplas clipper evasion persistence stealer trojan

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of WriteProcessMemory

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-27 01:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-27 01:00

Reported

2023-07-27 01:03

Platform

win7-20230712-en

Max time kernel

134s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe

"C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lpls.tuktuk.ug | udp
NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp

Files

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 5aa1de4fc0ece62c6a291ca3c13cc210
SHA1 aee820d22783e7628d233546c464119176b7e858
SHA256 78ce9b2384cd240149cb7fddc21c66243baed5451d19fa8e707c461c68bc8f9f
SHA512 79063a254f99297c2e29c9285d14f95bddfc2c8f034032c6d611aa7287c30d357b4f76c89dd4e720800c921a35db93f394bd0f5d2eaf6c04f703a1c42ecc43fc

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 5aa1de4fc0ece62c6a291ca3c13cc210
SHA1 aee820d22783e7628d233546c464119176b7e858
SHA256 78ce9b2384cd240149cb7fddc21c66243baed5451d19fa8e707c461c68bc8f9f
SHA512 79063a254f99297c2e29c9285d14f95bddfc2c8f034032c6d611aa7287c30d357b4f76c89dd4e720800c921a35db93f394bd0f5d2eaf6c04f703a1c42ecc43fc

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-27 01:00

Reported

2023-07-27 01:03

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe

"C:\Users\Admin\AppData\Local\Temp\17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | lpls.tuktuk.ug | udp
NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp
US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 4f269a6419954c9a3c70a655708b6cf6
SHA1 e4299f2944416686dfe76aeffce949e9eefc7d6e
SHA256 0ad61bbad3c6998af487819d4511c9aa6613d2f7de451e7813a14d40b738ba12
SHA512 08c52f3893be9db312a10cce92d73c779369124512753891a86dd93c5f55db017cb9a52ec4ee73c599bc4fa0edf17bad9df349f1b9ceb1e7986df8a088c66a2d

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 f4322524c0e14d9007068c65fd1e9473
SHA1 c2a9ff11edeffe6acd3240b133807d381aad4f27
SHA256 d0171176c96563a06762f572ece2f09d88cdfc14ee9e3f73337e7ba0f836e886
SHA512 bd00f631d0d60e4844e8b5fe045eda04ba76aaaf7807bd877db24af3dc629f4fe413407f3874baf314930e46156074e1802466c710a27f2256a0dc9ea8e61b1c
