laplas | fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08

Analysis

max time kernel
81s
max time network
299s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
26-11-2022 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
Size

5.4MB
MD5

610a076f83218b51b01a24e9c8eba3ae
SHA1

7956cbd49823b35362f2244a350078f066873e65
SHA256

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08
SHA512

bed36d4f8663e1c3e9b877367b64a2bf0ae95a86da0c02d74b29872137f370f8419359be2244e009039705f64d68eb9792dee7dd4ed1456bc54789c1ca82c707
SSDEEP

98304:InGmlwPwuBvk1wu8JZfB7QJYfUbNM9VlE/V3VydE18wkcUrL5iKroh9Q4QGn7MO:InGmlgwgM18JPvCIU3V/+rLr29QUMO

Score

10^/10

laplas stealer vmprotect

Malware Config

Extracted

Family

laplas

clipper.guru

Attributes

api_key
e967005093020788056c9d94da04435883edc18212f0de012679a229f024fdb6

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas
Executes dropped EXE 1 IoCs

Processes:

udakqMngIV.exe

pid process

1340 udakqMngIV.exe

pid	process
1340	udakqMngIV.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4748-126-0x00000000009A0000-0x0000000001573000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe	vmprotect
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe	vmprotect
behavioral2/memory/1340-184-0x0000000000D10000-0x00000000018E3000-memory.dmp	vmprotect

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2824 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 8 Go-http-client/1.1

pid	process
2824	schtasks.exe

description	flow	ioc
HTTP User-Agent header	8	Go-http-client/1.1

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.execmd.exe

description	pid	process	target process
PID 4748 wrote to memory of 4372	4748	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	cmd.exe
PID 4748 wrote to memory of 4372	4748	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	cmd.exe
PID 4748 wrote to memory of 4372	4748	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	cmd.exe
PID 4372 wrote to memory of 2824	4372	cmd.exe	schtasks.exe
PID 4372 wrote to memory of 2824	4372	cmd.exe	schtasks.exe
PID 4372 wrote to memory of 2824	4372	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
"C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:2824

C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
1⤵
- Executes dropped EXE
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe

Filesize
665.4MB

MD5
f0474feae9c54e5539ef6d36ce2f49e2

SHA1
247faffb5206dd1cb052dfa43bc0d243541496ba

SHA256
24cba3f64419a69eaa6e7831b2f34a410fe761e3324cc995f51fb41aaac73743

SHA512
30a22c138f53673729e279c3472b6527140651872103546440a8d2bcabbf5025ac3f837a2d7f0eb1d995468f589071c0a5ddaa76408fc0899a367b636f623768

Download Submit
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe

Filesize
665.4MB

MD5
f0474feae9c54e5539ef6d36ce2f49e2

SHA1
247faffb5206dd1cb052dfa43bc0d243541496ba

SHA256
24cba3f64419a69eaa6e7831b2f34a410fe761e3324cc995f51fb41aaac73743

SHA512
30a22c138f53673729e279c3472b6527140651872103546440a8d2bcabbf5025ac3f837a2d7f0eb1d995468f589071c0a5ddaa76408fc0899a367b636f623768

Download Submit
memory/1340-184-0x0000000000D10000-0x00000000018E3000-memory.dmp

Filesize
11.8MB

Download
memory/1340-182-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/1340-181-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/1340-180-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/1340-179-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/1340-178-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/1340-177-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-171-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-175-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-174-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-173-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-172-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-157-0x0000000000000000-mapping.dmp

Download
memory/2824-170-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-169-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-168-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-166-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-167-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-165-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-164-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-163-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-162-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-161-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-160-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-159-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-158-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4372-153-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4372-151-0x0000000000000000-mapping.dmp

Download
memory/4372-152-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4372-155-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4372-154-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4372-156-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-140-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-138-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-150-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-149-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-148-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-146-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-144-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-145-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-143-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-142-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-141-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-120-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-139-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-147-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-137-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-136-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-135-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-134-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-133-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-132-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-131-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-130-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-126-0x00000000009A0000-0x0000000001573000-memory.dmp

Filesize
11.8MB

Download
memory/4748-125-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-124-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-123-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-122-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-121-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download