Overview

overview

10

Static

static

3

e5cbc0114f...3c.exe

windows7-x64

10

e5cbc0114f...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-08-2023 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e5cbc0114ff238740e72e907ad20223c.exe

  • Size

    1.8MB

  • MD5

    e5cbc0114ff238740e72e907ad20223c

  • SHA1

    98c5d3c714adb3fbef71c19eaaa53cb680dd2d91

  • SHA256

    bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0

  • SHA512

    7049adad987de004b179198aa72910c9bc47f5f0095032cc44a9c409bc6337150b05a208e47919e276c74bbbb9bfa1bee6b58575b2176083e0210af6ce9c9b92

  • SSDEEP

    49152:bm/7cijxOPr17ocI5ut5TrCEJ5GtFRpr:bm/7cijcPr9ocI5K5NjGnL

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://clipper.guru

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

C2

http://clipper.guru

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5cbc0114ff238740e72e907ad20223c.exe
    "C:\Users\Admin\AppData\Local\Temp\e5cbc0114ff238740e72e907ad20223c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    739.7MB

    MD5

    54b267b83292c75ac6490d481deaaadc

    SHA1

    205e3ff5d1a5d4dbb95c89ef427fe4aff74ccebb

    SHA256

    5e6bc07335ea7a54d9495c630c08edac8e3b9421a241b4d7c77efcdbc16b54db

    SHA512

    384033e82d64e1ebd808e99cd7073d4a72977267b4cc4bbc76290c5f72f2cdde32e11b9474f1ea6631fcacb95e2d54d605772e34f805d51ea4bfb00b0372c799

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    818.7MB

    MD5

    7a6dd2ce5759cfaeeed0da2d80d75375

    SHA1

    c0f0bf47446719db54550919ccd0045dd9f1f0a0

    SHA256

    2f0d20829e0a89e667489d05d5411964a04e129e270fcf65beb4e823d4a85aa6

    SHA512

    4bfca40ee23a5da135ba6a2e24681af0763aaf8104d1cd07bfeb66fa8118a94057e8cb95f3ae6591eb2c2b568c28f5cdaaad44dac970fdf1d090ed5acdc9e3f3

    Download Submit

  • memory/2960-151-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-148-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-152-0x0000000004110000-0x00000000042C5000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2960-153-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-164-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-163-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-162-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-161-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-147-0x0000000004110000-0x00000000042C5000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2960-158-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-149-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-150-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-165-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-160-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-159-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-155-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-156-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/2960-157-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/3032-144-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/3032-140-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/3032-139-0x0000000004260000-0x0000000004630000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3032-138-0x0000000004080000-0x0000000004236000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3032-135-0x0000000004260000-0x0000000004630000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3032-136-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/3032-141-0x0000000000400000-0x000000000247E000-memory.dmp

    Filesize

    32.5MB

    Download

  • memory/3032-134-0x0000000004080000-0x0000000004236000-memory.dmp

    Filesize

    1.7MB

    Download