Malware Analysis Report

2024-10-23 15:43

Sample ID: 230727-n1yx8aeh9v
Target: taskhostclp.exe
SHA256: b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106
Tags: laplas, clipper, evasion, persistence, stealer, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106

Threat Level: Known bad

The file taskhostclp.exe was found to be: Known bad.

Malicious Activity Summary

Tags: laplas, clipper, evasion, persistence, stealer, trojan

Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of WriteProcessMemory
GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-27 11:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-27 11:52
Reported: 2023-07-27 11:55
Platform: win7-20230712-en
Max time kernel: 144s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe"

Signatures

Laplas Clipper

Tags: stealer, clipper, laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A

Checks whether UAC is enabled

Tags: evasion, trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | "C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 206.189.229.43:80 | 206.189.229.43 | tcp

Files

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 6b3381a04b3c25380a49308e56937abb
SHA1 22a054745c6fcd0a19890df72cd4e079e4553cf6
SHA256 1b6285d9f6f887a5b565280afed136c4d33cded05a18c5f906f61a1cc6c88d4e
SHA512 c6bd7be8676a8e2974e9fac9ded00e5c68bbef5cf43048f89058b7886436ca8199a1f4ad151561e1d395f01b7c627dae0c8dab43523c5508c4dcc626819d00c2

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 6b3381a04b3c25380a49308e56937abb
SHA1 22a054745c6fcd0a19890df72cd4e079e4553cf6
SHA256 1b6285d9f6f887a5b565280afed136c4d33cded05a18c5f906f61a1cc6c88d4e
SHA512 c6bd7be8676a8e2974e9fac9ded00e5c68bbef5cf43048f89058b7886436ca8199a1f4ad151561e1d395f01b7c627dae0c8dab43523c5508c4dcc626819d00c2

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-27 11:52
Reported: 2023-07-27 11:55
Platform: win10v2004-20230703-en
Max time kernel: 149s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe"

Signatures

Laplas Clipper

Tags: stealer, clipper, laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A

Checks whether UAC is enabled

Tags: evasion, trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3568 wrote to memory of 968 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 3568 wrote to memory of 968 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe | "C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 206.189.229.43:80 | 206.189.229.43 | tcp
US | 8.8.8.8:53 | 43.229.189.206.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.149.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.240.110.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 919c4128783597bfae6c7b7448c27ae8
SHA1 acfa530fcbfde74cf903e86611873b19b341f7df
SHA256 c2cd8d77948ed6df3f22c2350ba153d79866ae3a91e6d2c11eb24c38b737a429
SHA512 4e078bc08670fa1088039f07b3b61d160f2b756bbd24fb833926163fc348dbf59951b936bb385fa3ca36fe2c8f5d62d1466002d97d872a3d8472155837178ad6

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 9bd3df033c806d3465a0b9509e09f1f1
SHA1 c34fae7f61afa42ec6381db2d1e1800449f00006
SHA256 44c41dcc6ee3c3993ce8e84607a844b5e8d012474ad67df4c9ed3ed5b59d164e
SHA512 e4a0c2fb96bb6ef1793cdb49050a7f0b3b648e38411fd27309a1ed0358346126237cd8ad6a078bf98e07d8ca5410f3d2f15df197cc875cdab2c0248c39da7031
