Malware Analysis Report

2024-10-19 01:10

Sample ID 230730-3df68abg33
Target b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
Tags
laplas clipper evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2

Threat Level: Known bad

The file b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2 was found to be: Known bad.

Malicious Activity Summary

laplas clipper evasion persistence stealer trojan

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-30 23:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-30 23:23

Reported

2023-07-30 23:28

Platform

win7-20230712-en

Max time kernel

273s

Max time network

288s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe

"C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp

Files

memory/1136-53-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-54-0x0000000077A20000-0x0000000077BC9000-memory.dmp

memory/1136-55-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-56-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-57-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-58-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-59-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-60-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-61-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-62-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-63-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-64-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-65-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-66-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-67-0x0000000077A20000-0x0000000077BC9000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 d5e7c895eb1a32945a5fbf65d41631a7
SHA1 c7d3c5d94e19ee1f7874546dce7c955b4128a88d
SHA256 43ae7e474586ff89d3f5bce278418387f9445f52f8badf2975a4103919f6f31e
SHA512 4dacb73a4e293064feeac85f0585d33c14bcadd97b566cd1dd8957e31643097081faaa0bab29a4b22e96678f774d57ae2cc88f2c82ea24dabd0f6243ce674728

memory/1136-72-0x00000000011F0000-0x0000000001A8B000-memory.dmp

memory/1136-73-0x00000000286A0000-0x0000000028F3B000-memory.dmp

memory/1136-74-0x0000000077A20000-0x0000000077BC9000-memory.dmp

memory/2680-75-0x00000000001D0000-0x0000000000A6B000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 d5e7c895eb1a32945a5fbf65d41631a7
SHA1 c7d3c5d94e19ee1f7874546dce7c955b4128a88d
SHA256 43ae7e474586ff89d3f5bce278418387f9445f52f8badf2975a4103919f6f31e
SHA512 4dacb73a4e293064feeac85f0585d33c14bcadd97b566cd1dd8957e31643097081faaa0bab29a4b22e96678f774d57ae2cc88f2c82ea24dabd0f6243ce674728

memory/2680-76-0x0000000077A20000-0x0000000077BC9000-memory.dmp

memory/2680-77-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-78-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-79-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-80-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-81-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-83-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-82-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-84-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-85-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-86-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-87-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-88-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-89-0x0000000077A20000-0x0000000077BC9000-memory.dmp

memory/2680-90-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-91-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-92-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-93-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-94-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-95-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-98-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-99-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-100-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-101-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-102-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-103-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-104-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-105-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-106-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-107-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-108-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-109-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-110-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-111-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-112-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-113-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-114-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-115-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-116-0x00000000001D0000-0x0000000000A6B000-memory.dmp

memory/2680-117-0x00000000001D0000-0x0000000000A6B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-30 23:23

Reported

2023-07-30 23:28

Platform

win10-20230703-en

Max time kernel

290s

Max time network

256s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe

"C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp
US 8.8.8.8:53 149.230.66.45.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/2684-122-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-123-0x00007FFA7F410000-0x00007FFA7F5EB000-memory.dmp

memory/2684-124-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-125-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-126-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-127-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-128-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-129-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-130-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-131-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-132-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-133-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-135-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-136-0x00007FFA7F410000-0x00007FFA7F5EB000-memory.dmp

memory/2684-137-0x0000000000A50000-0x00000000012EB000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 b3deb9b04ab98fd660748cb0eaccd5cc
SHA1 cf89e1affb2361a792a56cddeabb4a96af3f5a78
SHA256 2b94cc7c63d0bc8f424f6e13addb0a4af2a178ec2b9daa29ad848ae21213a068
SHA512 cfb842e12e3d76fa841c62e3ee590969c436d256a9ff97e2066eea117e2a78a100d673391eeaaaebe7b9edf1c2ce373c7ad8dd22115a529525ad9b2fdbf386ed

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 b3deb9b04ab98fd660748cb0eaccd5cc
SHA1 cf89e1affb2361a792a56cddeabb4a96af3f5a78
SHA256 2b94cc7c63d0bc8f424f6e13addb0a4af2a178ec2b9daa29ad848ae21213a068
SHA512 cfb842e12e3d76fa841c62e3ee590969c436d256a9ff97e2066eea117e2a78a100d673391eeaaaebe7b9edf1c2ce373c7ad8dd22115a529525ad9b2fdbf386ed

memory/1052-141-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/2684-142-0x0000000000A50000-0x00000000012EB000-memory.dmp

memory/2684-143-0x00007FFA7F410000-0x00007FFA7F5EB000-memory.dmp

memory/1052-144-0x00007FFA7F410000-0x00007FFA7F5EB000-memory.dmp

memory/1052-145-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-147-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-146-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-148-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-149-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-150-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-151-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-152-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-153-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-154-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-155-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-156-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-157-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-158-0x00007FFA7F410000-0x00007FFA7F5EB000-memory.dmp

memory/1052-159-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-160-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-161-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-163-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-164-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-165-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-166-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-167-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-168-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-169-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-170-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-171-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-172-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-173-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-174-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-175-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-176-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-177-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-178-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-179-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-180-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-181-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-182-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-183-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-184-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-185-0x0000000000AC0000-0x000000000135B000-memory.dmp

memory/1052-186-0x0000000000AC0000-0x000000000135B000-memory.dmp