Malware Analysis Report

2024-10-19 01:10

Sample ID 230801-1yb2wsce7z
Target 3258deefff3ca70f3dfa3e67067ca611.exe
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
Tags
laplas clipper persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c

Threat Level: Known bad

The file 3258deefff3ca70f3dfa3e67067ca611.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper persistence stealer

Laplas Clipper

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-01 22:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-01 22:03

Reported

2023-08-01 22:05

Platform

win7-20230712-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe

"C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 206.189.229.43:80 206.189.229.43 tcp

Files

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 d56b265b9b9d9cffc7dbb2b03abc25e7
SHA1 33b6d7b53f32a9cf573f02e5f9c2be3e71acc6db
SHA256 3fe1dea9ff1fcf9e686d10c0903c7839da6fa77f35700f8a64e8be9d87c5a3a2
SHA512 142ff17a31fefa4189da1960b35b2bd43e7e19302eaf6967b5a2281334673c86546df7576f46d9bca55e0d5ec63ba0f88e2058c8f1fe37da2e927409bfde5863

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 5ba75ce6ecf569afb75c533738515f93
SHA1 fc0badd0d6d211522dc4d67cc3f1b6161e016b72
SHA256 0ad5512b6c0a5b66dc6c11336038aaa33daf47d0aad504413f64fcf74ef7159d
SHA512 5ef10532ab5343bfe597fa4e098f005e37ee49c2db821f8ee53cec3edfbda4226e5fb4bf838bee82350fc64126c2ec9c30c92ae15569d554055803626de31b1b

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-01 22:03

Reported

2023-08-01 22:05

Platform

win10v2004-20230703-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe

"C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 206.189.229.43:80 206.189.229.43 tcp
US 8.8.8.8:53 43.229.189.206.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 254.157.241.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 87759c8f27ca9d3a5e37aecc1388bc49
SHA1 07c8f639fcdc180ae8bb56460119cb2efd6a4e13
SHA256 06f00ad51afc936be935d4f522a3cf10a9e4bc0f1d70aa5f0ab8ac520effc993
SHA512 f27989c280b65e2c4feb83a795383b296bb7cbe7d54311300349493b34dd9fb428cdb4b35b3dc14b33ecefbfe56583282f069440e5b3d36742be98d172430da8
