Malware Analysis Report

2024-10-19 01:12

Sample ID 230730-pbgs3shb33
Target b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
Tags
laplas clipper evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2

Threat Level: Known bad

The file b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2 was found to be: Known bad.

Malicious Activity Summary

laplas clipper evasion persistence stealer trojan

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-30 12:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-30 12:09

Reported

2023-07-30 12:11

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe

"C:\Users\Admin\AppData\Local\Temp\b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp
US 8.8.8.8:53 149.230.66.45.in-addr.arpa udp
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/4700-133-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-134-0x00007FF8615D0000-0x00007FF8617C5000-memory.dmp

memory/4700-135-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-136-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-137-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-138-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-139-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-140-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-141-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-142-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-143-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-144-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-145-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-147-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-148-0x00007FF8615D0000-0x00007FF8617C5000-memory.dmp

memory/4700-149-0x0000000000770000-0x000000000100B000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 3879af56c4fd2611f62747bb2e680e9b
SHA1 5c5a7dcc753839a106a77f9ce4b162a01c0a9092
SHA256 37bab37ddcdd3ab7fc2c66234ba576a591c2696d701eb3dfe4ccc7cf2c495c87
SHA512 d96fccb5f2103ab065bc5f84a8eb7560d2f83ceacacc51d7daffef0ea1229428bb7bb5ce4be8f120d093ef1750566a55405ddb4edf01feb2474961112ba29078

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 d332acd98126e8cf917c64303caa8b61
SHA1 13fbf31e33dc94427e3edce3a984472a2736eef3
SHA256 065622f38acf805b538e241cf4c0eb2a02a4c764471c8552357382c92823b45b
SHA512 19280c04298cdd355d50cba2081338aedb73a47f14fdd7a8fe3dcaddf4164d9ea5f2522461c04685f699e250d5a44d675ed7d7fe0b982c16c2e850e4c85fc271

memory/3548-154-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/4700-153-0x0000000000770000-0x000000000100B000-memory.dmp

memory/4700-156-0x00007FF8615D0000-0x00007FF8617C5000-memory.dmp

memory/3548-157-0x00007FF8615D0000-0x00007FF8617C5000-memory.dmp

memory/3548-158-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-159-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-160-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-161-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-163-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-164-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-165-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-166-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-167-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-168-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-169-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-170-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-171-0x00007FF8615D0000-0x00007FF8617C5000-memory.dmp

memory/3548-172-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-173-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-174-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-175-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-176-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-177-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-179-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-180-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-181-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-182-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-183-0x0000000000C60000-0x00000000014FB000-memory.dmp

memory/3548-184-0x0000000000C60000-0x00000000014FB000-memory.dmp