Malware Analysis Report

2024-10-19 01:10

Sample ID 230730-3a6byabf79
Target 26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc
SHA256 26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc
Tags
laplas clipper evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc

Threat Level: Known bad

The file 26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc was found to be: Known bad.

Malicious Activity Summary

laplas clipper evasion persistence stealer trojan

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

GoLang User-Agent

Suspicious use of WriteProcessMemory

Loads dropped DLL and Suspicious use of WriteProcessMemory appear only in this aggregated summary; neither behavioral run below records a matching signature row, so treat the remaining entries as the evidence-backed set.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-30 23:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-30 23:19

Reported

2023-07-30 23:25

Platform

win7-20230712-en

Max time kernel

299s

Max time network

335s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

VBOX__ is the OEM ID VirtualBox writes into its ACPI tables, so a successful open of this key tells the sample it is running in a VirtualBox guest. Both the original binary and the dropped ntlhost.exe perform the check.

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Both values are populated from the firmware vendor strings; on a VirtualBox guest they contain VBOX, which makes them a second, cheaper hypervisor check alongside the ACPI key above. The report records the reads but not the values returned.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A

This is the per-user Run key (HKU\<SID>\...\Run), so ntlhost.exe is relaunched at every logon of that account without needing elevation; the SID differs between the two detonations only because each VM has its own user. Cleanup needs both the NTSystem value and the file under %APPDATA%\NTSystem removed.

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

EnableLUA = 0 means UAC is switched off. The report only records the read; what the sample does with the answer is not visible here.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

NtSetInformationThread with the ThreadHideFromDebugger class stops the calling thread from delivering debug events to an attached debugger, a standard anti-debugging measure; the sandbox logs the call but no arguments.

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Go-http-client/1.1 is the default User-Agent that Go's net/http client sends when the program sets none, which points to a Go build of this sample. The report does not attribute the request to a process.

Processes

C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe

"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
NL | 185.209.161.89:80 | 185.209.161.89 | tcp

The Domain column equals the IP: the sample contacts its server by literal address over plain HTTP on port 80, with no DNS resolution, so DNS-based blocking will not see this traffic and the IP:port pair itself is the network indicator.
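One way to turn the signature rows above into host and network detection logic, as an added example that is not part of the sandbox report: the script keys on the NTSystem Run value, the %APPDATA%\NTSystem\ntlhost.exe path, the 185.209.161.89:80 connection and the Go User-Agent, and handles the registry reads separately because Sysmon logs registry writes but not reads. Event field names follow Sysmon; the EventType strings, the RegistryQuery and HttpRequest record kinds, and every sample event are constructed for the demo.

```python
"""Indicator matching for this report's behaviour (added example, not part of
the sandbox report).  Event dicts use Sysmon-style field names (Image,
TargetObject, Details, TargetFilename, DestinationIp, DestinationPort); the
EventType strings and the RegistryQuery / HttpRequest record kinds are
assumptions for the demo, and all sample events below are constructed."""
import re
from dataclasses import dataclass

# --- Indicators recorded in both detonations (behavioral1 and behavioral2) ---
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NTSystem$", re.I)
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\NTSystem\\ntlhost\.exe$", re.I)
C2_ADDR = ("185.209.161.89", 80)          # contacted by literal IP, plain HTTP
GO_USER_AGENT = "Go-http-client/1.1"      # default User-Agent of Go's net/http
# Keys the sample reads for VM / UAC checks.  Sysmon records registry writes
# (events 12-14) but not reads, so these only surface in sandbox or
# API-monitor traces; the RegistryQuery kind below stands in for such a trace.
PROBED_KEYS = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
}


@dataclass(frozen=True)
class Hit:
    rule: str
    detail: str


def match_event(ev: dict) -> list:
    """Return the indicator hits for a single event record."""
    kind = ev.get("EventType")
    hits = []
    if kind == "RegistrySetValue":
        # Require both the NTSystem value name and the ntlhost.exe path in the data.
        if (RUN_KEY_RE.search(ev.get("TargetObject", ""))
                and DROP_PATH_RE.search(ev.get("Details", "").strip('"'))):
            hits.append(Hit("run_key_ntsystem", ev["TargetObject"]))
    elif kind in ("ProcessCreate", "FileCreate"):
        path = ev.get("Image") if kind == "ProcessCreate" else ev.get("TargetFilename", "")
        if DROP_PATH_RE.search(path or ""):
            hits.append(Hit("ntlhost_" + kind.lower(), path))
    elif kind == "NetworkConnect":
        dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
        if dest == C2_ADDR:
            hits.append(Hit("c2_185_209_161_89_tcp80", ev.get("Image", "?")))
    elif kind == "HttpRequest" and ev.get("UserAgent") == GO_USER_AGENT:
        hits.append(Hit("golang_user_agent", f"{ev.get('Host')} {GO_USER_AGENT}"))
    elif kind == "RegistryQuery" and ev.get("TargetObject") in PROBED_KEYS:
        hits.append(Hit("vm_or_uac_probe", ev["TargetObject"]))
    return hits


def triage(events) -> dict:
    """Score an event stream the way the report's signatures combine:
    persistence (Run key + dropped ntlhost.exe) together with the C2
    connection is the high-confidence combination; anything else is
    only suspicious."""
    hits = [h for ev in events for h in match_event(ev)]
    rules = sorted({h.rule for h in hits})
    persistence = "run_key_ntsystem" in rules and any(r.startswith("ntlhost_") for r in rules)
    network = "c2_185_209_161_89_tcp80" in rules
    if persistence and network:
        verdict = "laplas_clipper_likely"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "rules": rules, "hits": hits}


# Constructed event stream mirroring behavioral1 (not captured from a host).
PARENT = r"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": PARENT},
    {"EventType": "RegistryQuery", "Image": PARENT,
     "TargetObject": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"EventType": "FileCreate", "Image": PARENT, "TargetFilename": DROPPED},
    {"EventType": "RegistrySetValue", "Image": PARENT,
     "TargetObject": r"HKU\S-1-5-21-1014134971-2480516131-292343513-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem",
     "Details": f'"{DROPPED}"'},
    {"EventType": "ProcessCreate", "Image": DROPPED},
    {"EventType": "NetworkConnect", "Image": DROPPED,
     "DestinationIp": "185.209.161.89", "DestinationPort": 80},
    {"EventType": "HttpRequest", "Host": "185.209.161.89", "UserAgent": GO_USER_AGENT},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},   # benign, no hit
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result["verdict"], result["rules"])
    for h in result["hits"]:
        print(f"  {h.rule:28} {h.detail}")
```

Run it directly to see the verdict for the constructed stream, or feed real events as dicts with the same fields. The Run-key rule deliberately requires both the NTSystem value name and the ntlhost.exe path in the value data, so a renamed payload registered under the same value name is scored only by its other behaviour.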

Files

memory/484-{54,56-66,68-71,77}-0x0000000000C10000-0x00000000013FD000-memory.dmp
Image region of the original sample (PID 484), 0x7ED000 bytes, dumped at each of the listed snapshots.

memory/484-{55,67,79}-0x0000000077920000-0x0000000077AC9000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Written between snapshots 71 and 76; the report lists the same file a second time as C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe with identical hashes.

MD5 83928261525456d29f59dca1ed2d2d3e
SHA1 24380f35a6d9ad7ad10f30c88add55cb50e4745f
SHA256 14a8205709b18a3d40c4526a84fd01786a8703000c92077450ceca3840f293ad
SHA512 fd25adc24cc9c68c77fbbc26f4e427ab8002203cba30a0db7416c70e400a411fb1aa730c60c6988cc290d575d0624ce78b2856f3ea5e35db3380f11528b30a20

This SHA256 differs both from the parent sample (26d70142...) and from the ntlhost.exe written in behavioral2 (d8bf3d35...), so the dropped file is not a byte-identical copy of the sample and its hash is not a stable indicator; pivot on the path and the Run key instead.

memory/484-76-0x00000000287F0000-0x0000000028FDD000-memory.dmp
A second 0x7ED000-byte region in PID 484, the same size as its image region.

memory/2640-{78,81-92,94-96,99-120}-0x00000000001F0000-0x00000000009DD000-memory.dmp
Image region of the dropped ntlhost.exe (PID 2640), also 0x7ED000 bytes.

memory/2640-{80,93}-0x0000000077920000-0x0000000077AC9000-memory.dmp
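The dump names above carry the PID, the snapshot index and the region bounds, which is enough to check that the dropped process maps an image region of exactly the same size as the parent. Below is a small parser for that naming scheme, added here as an example and not tooling from the sandbox; SAMPLE_DUMPS is a hand-picked subset of the names in this report.

```python
"""Parser for the sandbox memory-dump names listed in this report (added
example, not part of the report).  Names follow
memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp; SAMPLE_DUMPS is a
subset of the real names above."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> dict:
    """Split one dump name into pid, snapshot index and region bounds."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def summarize(names) -> list:
    """Collapse repeated dumps of one region into a single entry per
    (pid, start, end) carrying the sorted snapshot indices."""
    groups = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        groups[(d["pid"], d["start"], d["end"])].append(d["idx"])
    return [{"pid": pid, "start": s, "end": e, "size": e - s, "snapshots": sorted(ix)}
            for (pid, s, e), ix in sorted(groups.items())]


def shared_sizes(summary) -> dict:
    """Region sizes that occur in more than one PID.  The same image size in
    the parent and in the dropped ntlhost.exe is what you expect when the
    dropped file is the same program written back to disk."""
    by_size = defaultdict(set)
    for r in summary:
        by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


# Subset of the behavioral1 dump names from this report.
SAMPLE_DUMPS = [
    "memory/484-54-0x0000000000C10000-0x00000000013FD000-memory.dmp",
    "memory/484-55-0x0000000077920000-0x0000000077AC9000-memory.dmp",
    "memory/484-56-0x0000000000C10000-0x00000000013FD000-memory.dmp",
    "memory/484-76-0x00000000287F0000-0x0000000028FDD000-memory.dmp",
    "memory/2640-78-0x00000000001F0000-0x00000000009DD000-memory.dmp",
    "memory/2640-80-0x0000000077920000-0x0000000077AC9000-memory.dmp",
    "memory/2640-81-0x00000000001F0000-0x00000000009DD000-memory.dmp",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_DUMPS)
    for r in summary:
        print(f"pid {r['pid']:>5}  0x{r['start']:08X}-0x{r['end']:08X}  "
              f"size 0x{r['size']:X}  snapshots {r['snapshots']}")
    print("sizes seen in more than one process:",
          {hex(k): v for k, v in shared_sizes(summary).items()})
```

Point it at the full list from either detonation and the parent image region, the dropped process's image region and the 0x287F0000 region all come out at 0x7ED000 bytes, while the high 0x77920000 region is shared by both processes at a different size.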

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-30 23:19

Reported

2023-07-30 23:24

Platform

win10-20230703-en

Max time kernel

291s

Max time network

248s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe

"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
NL | 185.209.161.89:80 | 185.209.161.89 | tcp
US | 8.8.8.8:53 | 89.161.209.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.0.0.0.0.f.6.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp

The same server is contacted by literal IP over HTTP on port 80, as in behavioral1. The udp rows are reverse (PTR) lookups sent to Google DNS; the only one that refers to the server is 89.161.209.185.in-addr.arpa, and since this table has no process column none of the lookups is attributed to the sample.

Files

memory/380-{117,119-128,130,135}-0x0000000000E60000-0x000000000164D000-memory.dmp
Image region of the original sample (PID 380), 0x7ED000 bytes, the same size as in the Windows 7 run.

memory/380-{118,131,136}-0x00007FF97B890000-0x00007FF97BA6B000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Written between snapshots 131 and 135; the report lists this entry twice with identical hashes.

MD5 af330f0b7212163246bec30474a8a35a
SHA1 5209d326bf5ba18b7606296f27697fc3b78bc4cc
SHA256 d8bf3d35bc23529b1605dc8bcaedbae47e4b3f3c8ef8fb41ca1fbf867846bb5b
SHA512 90d2f1a358624b80ef88af0264bd99ccb99d1e015c83296359320b973f0f52475cf81aa340f5b9fcb469aeacbf8e6dc0860c6c24d86823e9b71dc4facaabaf4a

This copy hashes differently from the one dropped in behavioral1 (14a82057...) and from the parent sample, so the dropped file's hash changes per run; the path, the Run key and the network destination are the indicators that stay constant.

memory/3308-{137,139-145,147-152,154-155,157-180}-0x0000000000DB0000-0x000000000159D000-memory.dmp
Image region of the dropped ntlhost.exe (PID 3308), also 0x7ED000 bytes.

memory/3308-{138,153}-0x00007FF97B890000-0x00007FF97BA6B000-memory.dmp