Malware Analysis Report

2024-10-19 01:10

Sample ID 230730-1xt63sbe79
Target svchost.exe
SHA256 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
Tags: laplas clipper persistence stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

Threat Level: Known bad

The file svchost.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper persistence stealer

Laplas Clipper

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-30 22:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-30 22:02

Reported: 2023-07-30 22:04

Platform: win7-20230712-en

Max time kernel: 120s

Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
NL | 185.209.161.189:80 | 185.209.161.189 | tcp

Files

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 15560bc296ebe98275dab69f5513ae6a
SHA1 9538d8a6459771ac3bbdeedfd61d2cb29a1db415
SHA256 9b47151586b062a33693c4f2b815042d0d92675f6a49ae8c89dee0954d09cb6b
SHA512 e22a89a5f64d5837262cb0cd450c7c4bc512c6e46a702247806c68707d19b46cdf34cd5f6621aa5ea7bcb7bedfde3053d4d0f4f9b6f2d9e9279c602c4f0d7957

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 311452185ea5f73635dc04245bffd137
SHA1 067a4dbab7612a60920811f4242a9077c9e14281
SHA256 818b3c3898554f16c4ae48baa1e02cd7f1030e03787832a51f7f4f9c182eb9ea
SHA512 f230f77031b181e07b2821522b52f5147560b27e1a44bb942e50fec5b59c78b92888a21bc8d28f9d7b38e49074bc4f1a131d18fcb36ed1b33dfba60d80e6f0fd

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 e4dabe85058ba819c94d2cd8e28678a8
SHA1 8a6f4229b7d786479709700fedb54ae0da3f0a42
SHA256 f1005820a8c55e9975075569ffb12b26fd3877a34b1b32cf5a01b4ded8798e3e
SHA512 503bda6c5313eb7e1094fd96cb0a113f45c6ef9a84c880bbb9f51b7469591daea3157e5ea437a1a8d8bfac4bc3f9a38188456871551f2602ae3af3edfb9c2465

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-30 22:02

Reported: 2023-07-30 22:04

Platform: win10-20230703-en

Max time kernel: 129s

Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4312 wrote to memory of 312 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 4312 wrote to memory of 312 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
NL | 185.209.161.189:80 | 185.209.161.189 | tcp
US | 8.8.8.8:53 | 189.161.209.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 fadf22508bc4adf0aa23d76037b8abfb
SHA1 41427da2394a46c1f1379c5dcf7530ca105c363a
SHA256 963dba95f68b4cbaf0dd7d5e0fc7f002e1774c1cd120c7344964483b31af0c07
SHA512 404b099b4d1082d49858c60fbb8976b70f6dc1229121ef4c41853f710b4891271676dab5922b02af83ccbe32e1495c2d7c6fd33b86652cd8b0a78a0cc76183c0

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 fadf22508bc4adf0aa23d76037b8abfb
SHA1 41427da2394a46c1f1379c5dcf7530ca105c363a
SHA256 963dba95f68b4cbaf0dd7d5e0fc7f002e1774c1cd120c7344964483b31af0c07
SHA512 404b099b4d1082d49858c60fbb8976b70f6dc1229121ef4c41853f710b4891271676dab5922b02af83ccbe32e1495c2d7c6fd33b86652cd8b0a78a0cc76183c0

Analysis: behavioral3

Detonation Overview

Submitted: 2023-07-30 22:02

Reported: 2023-07-30 22:04

Platform: win10v2004-20230703-en

Max time kernel: 143s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2780 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 2780 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
NL | 185.209.161.189:80 | 185.209.161.189 | tcp
US | 8.8.8.8:53 | 189.161.209.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 fadf22508bc4adf0aa23d76037b8abfb
SHA1 41427da2394a46c1f1379c5dcf7530ca105c363a
SHA256 963dba95f68b4cbaf0dd7d5e0fc7f002e1774c1cd120c7344964483b31af0c07
SHA512 404b099b4d1082d49858c60fbb8976b70f6dc1229121ef4c41853f710b4891271676dab5922b02af83ccbe32e1495c2d7c6fd33b86652cd8b0a78a0cc76183c0

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 fadf22508bc4adf0aa23d76037b8abfb
SHA1 41427da2394a46c1f1379c5dcf7530ca105c363a
SHA256 963dba95f68b4cbaf0dd7d5e0fc7f002e1774c1cd120c7344964483b31af0c07
SHA512 404b099b4d1082d49858c60fbb8976b70f6dc1229121ef4c41853f710b4891271676dab5922b02af83ccbe32e1495c2d7c6fd33b86652cd8b0a78a0cc76183c0