laplas | fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08

Analysis

max time kernel
301s
max time network
310s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-11-2022 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
Size

5.4MB
MD5

610a076f83218b51b01a24e9c8eba3ae
SHA1

7956cbd49823b35362f2244a350078f066873e65
SHA256

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08
SHA512

bed36d4f8663e1c3e9b877367b64a2bf0ae95a86da0c02d74b29872137f370f8419359be2244e009039705f64d68eb9792dee7dd4ed1456bc54789c1ca82c707
SSDEEP

98304:InGmlwPwuBvk1wu8JZfB7QJYfUbNM9VlE/V3VydE18wkcUrL5iKroh9Q4QGn7MO:InGmlgwgM18JPvCIU3V/+rLr29QUMO

Score

10^/10

laplas stealer vmprotect

Malware Config

Extracted

Family

laplas

clipper.guru

Attributes

api_key
e967005093020788056c9d94da04435883edc18212f0de012679a229f024fdb6

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas

Executes dropped EXE 1 IoCs

pid	Process
4272	udakqMngIV.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4208-122-0x0000000000110000-0x0000000000CE3000-memory.dmp	vmprotect
behavioral2/files/0x000600000001ac21-172.dat	vmprotect
behavioral2/files/0x000600000001ac21-179.dat	vmprotect
behavioral2/memory/4272-180-0x0000000000EB0000-0x0000000001A83000-memory.dmp	vmprotect

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2624	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	11	Go-http-client/1.1

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 440	4208	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	66
PID 4208 wrote to memory of 440	4208	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	66
PID 4208 wrote to memory of 440	4208	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	66
PID 440 wrote to memory of 2624	440	cmd.exe	68
PID 440 wrote to memory of 2624	440	cmd.exe	68
PID 440 wrote to memory of 2624	440	cmd.exe	68

C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
"C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:2624

C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
1⤵
- Executes dropped EXE
PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe

Filesize
744.7MB

MD5
585e09661a0733689fbd7f9da2679b48

SHA1
b1b33f47c58c144d7b0f9931718bc05f77a56962

SHA256
18e040ddf8deadfbd11a7a639c82b1fbe6408d6d17884dbbe47f0302510cfb01

SHA512
cee74e3d6dc5312164ba9558f73744767d3a6e28cb690da31c50ed24dd0a3c5f25e291709413ec8ee989cdbe703f22c17f85b62b4801e3fb800f47b187a2ff09

Download Submit
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe

Filesize
744.7MB

MD5
585e09661a0733689fbd7f9da2679b48

SHA1
b1b33f47c58c144d7b0f9931718bc05f77a56962

SHA256
18e040ddf8deadfbd11a7a639c82b1fbe6408d6d17884dbbe47f0302510cfb01

SHA512
cee74e3d6dc5312164ba9558f73744767d3a6e28cb690da31c50ed24dd0a3c5f25e291709413ec8ee989cdbe703f22c17f85b62b4801e3fb800f47b187a2ff09

Download Submit
memory/440-152-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/440-151-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/440-150-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/440-149-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/440-148-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-165-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-166-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-171-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-170-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-169-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-168-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-167-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-164-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-163-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-162-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-161-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-160-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-159-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-158-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-157-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-156-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-155-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2624-154-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-136-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-122-0x0000000000110000-0x0000000000CE3000-memory.dmp

Filesize
11.8MB

Download
memory/4208-126-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-135-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-121-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-116-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-119-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-145-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-144-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-143-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-142-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-141-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-140-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-139-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-138-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-137-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-117-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-127-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-120-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-134-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-133-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-128-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-132-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-131-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-130-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-129-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-118-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-146-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4272-174-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4272-175-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4272-176-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4272-177-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4272-178-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4272-173-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4272-180-0x0000000000EB0000-0x0000000001A83000-memory.dmp

Filesize
11.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads