Malware Analysis Report

2024-10-19 01:10

Sample ID 230730-feyrbsha4x
Target 26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc
SHA256 26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc
Tags
laplas clipper evasion persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc

Threat Level: Known bad

The file 26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc was found to be: Known bad.

Malicious Activity Summary

laplas clipper evasion persistence stealer trojan

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of WriteProcessMemory

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-30 04:47

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-30 04:47

Reported

2023-07-30 04:52

Platform

win10-20230703-en

Max time kernel

297s

Max time network

278s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe

"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
NL 185.209.161.89:80 185.209.161.89 tcp
US 8.8.8.8:53 89.161.209.185.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 12f3f34f996d4e2f202e14129cd4148e
SHA1 d5a29e0c70251bd16ac6d4b7c1bae3ade3665c81
SHA256 cb56572a3f422ff1cfc87f0fc7387ebe6f7e5f05e1c4ac6d764d82febc13be3c
SHA512 7c7f8f7754e1e200ff7ed57c017b347160fa261426c8030406fe32a03ad26c85dadcef0ca390bb8aab8642dd5d090ea1d40126703488575737477f8e2712e222

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-30 04:47

Reported

2023-07-30 04:52

Platform

win7-20230712-en

Max time kernel

269s

Max time network

280s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe

"C:\Users\Admin\AppData\Local\Temp\26d701422ad9fcb12ec3bf5efa2ce6df83e425cfcd61c6c393c4aaad3a46b7cc.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
NL 185.209.161.89:80 185.209.161.89 tcp

Files

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 0b48380ae7ff9e2fb79012099197207b
SHA1 9b2329dee7e45b4ed458214b92e9bb21676f6c5e
SHA256 83093c28df38bfec68da27fdb6314e189f6ce5eaeea605e65831840f69ab8916
SHA512 d1fea4f2d00d8ec314756f111c3eec86b1118133c0771dedaf1c64d015ee1b609ea0c5cc05b9e5a388346e54af2f520b80814a908eaba3b58ba5858d085d808e

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 0b48380ae7ff9e2fb79012099197207b
SHA1 9b2329dee7e45b4ed458214b92e9bb21676f6c5e
SHA256 83093c28df38bfec68da27fdb6314e189f6ce5eaeea605e65831840f69ab8916
SHA512 d1fea4f2d00d8ec314756f111c3eec86b1118133c0771dedaf1c64d015ee1b609ea0c5cc05b9e5a388346e54af2f520b80814a908eaba3b58ba5858d085d808e