laplas | 8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

Resubmissions

24-11-2022 16:33

221124-t22ndsaf9t 10

02-11-2022 14:52

221102-r8qhlacbgq 8

Analysis

max time kernel
205s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6738634d9b3bfcf7ebca8be48c091b3e.exe
Size

4.8MB
MD5

6738634d9b3bfcf7ebca8be48c091b3e
SHA1

f08091a4b3f5c167bcdfa565584bed8ed2a69f0c
SHA256

8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27
SHA512

c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5
SSDEEP

49152:cAMzHHGxBRJHrcFFmJAhaShRgxuMY8qa9vjTIt0IEqYjla27/BS5g+A:bMjGxBQFFmJA3Foq+vOEdZZ+A

Score

10^/10

laplas stealer

Malware Config

Extracted

Family

laplas

clipper.guru

Attributes

api_key
0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas

Executes dropped EXE 1 IoCs

pid	Process
4012	svcupdater.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4352	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	94	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 3768	3304	6738634d9b3bfcf7ebca8be48c091b3e.exe	82
PID 3304 wrote to memory of 3768	3304	6738634d9b3bfcf7ebca8be48c091b3e.exe	82
PID 3768 wrote to memory of 4352	3768	cmd.exe	84
PID 3768 wrote to memory of 4352	3768	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\6738634d9b3bfcf7ebca8be48c091b3e.exe
"C:\Users\Admin\AppData\Local\Temp\6738634d9b3bfcf7ebca8be48c091b3e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\system32\cmd.exe
  cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
    3⤵
    - Creates scheduled task(s)
    PID:4352

C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
1⤵
- Executes dropped EXE
PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe

Filesize
4.8MB

MD5
6738634d9b3bfcf7ebca8be48c091b3e

SHA1
f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

SHA256
8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

SHA512
c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

Download Submit
C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe

Filesize
4.8MB

MD5
6738634d9b3bfcf7ebca8be48c091b3e

SHA1
f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

SHA256
8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

SHA512
c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads