Malware Analysis Report

2024-10-19 01:10

Sample ID 230731-h8zxlaec3y
Target b30e29bccabab032c27910210d9ccf76.exe
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
Tags
laplas clipper evasion persistence stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2

Threat Level: Known bad

The file b30e29bccabab032c27910210d9ccf76.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper evasion persistence stealer trojan

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-31 07:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-31 07:25

Reported

2023-07-31 07:27

Platform

win7-20230712-en

Max time kernel

133s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe

"C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp

Files

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 bfb87a1f1c538ea46f6d7bf27209a569
SHA1 3a5c83fbd953c5c3151d3e2e3257348922f2ca4e
SHA256 75b5a9691ee04870c1f839bfbd29a5a7366df72a6a43ad6d8b8b23fc4daf43ee
SHA512 6f717e47f3bb10d3e017b7e7a2b30c023fedf4da2488480a39d09033b7773f8f630f80694f59607d712de4a98210eed35a9a87ad3dca8e108392eae2cd57d093

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 8f320a6035f69581344c57721fac9a12
SHA1 d3bb8d942e3e0bd00707d410b8d0f364ae5b32ee
SHA256 f11b63d8498c3601f5c5a5023c1e4640a1866c0932bdd1189ae5fdd3b33eb2e3
SHA512 e4f830fb88e4948dff7b7ec1d715288a172b832955737ce7dbdfeea4210555382afa48447f65710ba347ef011ac43758072847769d97de8e7b642d4bbcb61bd6

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-31 07:25

Reported

2023-07-31 07:27

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe

"C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp
US 8.8.8.8:53 149.230.66.45.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 b71a746434cf121bc49b19759cca27c2
SHA1 c2e39f10194ba5f876b91371590e70d6bf9bd75f
SHA256 7fc0a1e1cd3e3245cf851477bfde98e4b1b5bc5c344dfa876b4a22c09ff9b898
SHA512 e8aee8f2697f069f9a9471565f91eb877714c2ccc08286ad233ac7631efff7023d9e488dfebbd24dac60472a25d8b05a25df363be671eb9550527edef9a2a5cd
