laplas | b325afb572d93b6a5735b0cce16d58502dae4d230267e621dbfb638a851dc027

Analysis

max time kernel
52s
max time network
121s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12/01/2023, 07:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

B325AFB572D93B6A5735B0CCE16D58502DAE4D230267E.exe
Size

4.8MB
MD5

d794ced98cc854d40aea782d1b4d7d38
SHA1

c9661fdc1b6e153ca5580dde7268ff00c190662b
SHA256

b325afb572d93b6a5735b0cce16d58502dae4d230267e621dbfb638a851dc027
SHA512

d723a815317cf9635da127fc5222aaf660ea32fbfba1e93958f4a1fd54ba57b14967f3d0db1edc233e6ec56bec19725f15789329cbd8cd2980cb7d5287b5072c
SSDEEP

49152:UAMaCSGxtRJHK5V1m5gBaShRgpVMYhYzFvK94++mbtXTC60H96S5g+A:zMgGxtsV1m5gXOlYxvGb1+q+A

Score

10^/10

laplas stealer

Malware Config

Extracted

Family

laplas

clipper.guru

Attributes

api_key
55f26cb161471271cd1c6203986595abd019967860dd39d347cf86e5c307b363

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas

Executes dropped EXE 1 IoCs

pid	Process
268	svcupdater.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	taskeng.exe
1728	taskeng.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
316	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1460	1796	B325AFB572D93B6A5735B0CCE16D58502DAE4D230267E.exe	28
PID 1796 wrote to memory of 1460	1796	B325AFB572D93B6A5735B0CCE16D58502DAE4D230267E.exe	28
PID 1796 wrote to memory of 1460	1796	B325AFB572D93B6A5735B0CCE16D58502DAE4D230267E.exe	28
PID 1460 wrote to memory of 316	1460	cmd.exe	30
PID 1460 wrote to memory of 316	1460	cmd.exe	30
PID 1460 wrote to memory of 316	1460	cmd.exe	30
PID 1728 wrote to memory of 268	1728	taskeng.exe	32
PID 1728 wrote to memory of 268	1728	taskeng.exe	32
PID 1728 wrote to memory of 268	1728	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\B325AFB572D93B6A5735B0CCE16D58502DAE4D230267E.exe
"C:\Users\Admin\AppData\Local\Temp\B325AFB572D93B6A5735B0CCE16D58502DAE4D230267E.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\cmd.exe
  cmd.exe "/C schtasks /create /tn \hRNcCjLxdu /tr \"C:\Users\Admin\AppData\Roaming\hRNcCjLxdu\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \hRNcCjLxdu /tr \"C:\Users\Admin\AppData\Roaming\hRNcCjLxdu\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
    3⤵
    - Creates scheduled task(s)
    PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {B8F99BC9-C18A-4716-98CB-55F867E9B3BC} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\hRNcCjLxdu\svcupdater.exe
  C:\Users\Admin\AppData\Roaming\hRNcCjLxdu\svcupdater.exe
  2⤵
  - Executes dropped EXE
  PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hRNcCjLxdu\svcupdater.exe

Filesize
4.8MB

MD5
d794ced98cc854d40aea782d1b4d7d38

SHA1
c9661fdc1b6e153ca5580dde7268ff00c190662b

SHA256
b325afb572d93b6a5735b0cce16d58502dae4d230267e621dbfb638a851dc027

SHA512
d723a815317cf9635da127fc5222aaf660ea32fbfba1e93958f4a1fd54ba57b14967f3d0db1edc233e6ec56bec19725f15789329cbd8cd2980cb7d5287b5072c

Download Submit
C:\Users\Admin\AppData\Roaming\hRNcCjLxdu\svcupdater.exe

Filesize
4.8MB

MD5
d794ced98cc854d40aea782d1b4d7d38

SHA1
c9661fdc1b6e153ca5580dde7268ff00c190662b

SHA256
b325afb572d93b6a5735b0cce16d58502dae4d230267e621dbfb638a851dc027

SHA512
d723a815317cf9635da127fc5222aaf660ea32fbfba1e93958f4a1fd54ba57b14967f3d0db1edc233e6ec56bec19725f15789329cbd8cd2980cb7d5287b5072c

Download Submit
\Users\Admin\AppData\Roaming\hRNcCjLxdu\svcupdater.exe

Filesize
4.8MB

MD5
d794ced98cc854d40aea782d1b4d7d38

SHA1
c9661fdc1b6e153ca5580dde7268ff00c190662b

SHA256
b325afb572d93b6a5735b0cce16d58502dae4d230267e621dbfb638a851dc027

SHA512
d723a815317cf9635da127fc5222aaf660ea32fbfba1e93958f4a1fd54ba57b14967f3d0db1edc233e6ec56bec19725f15789329cbd8cd2980cb7d5287b5072c

Download Submit
\Users\Admin\AppData\Roaming\hRNcCjLxdu\svcupdater.exe

Filesize
4.8MB

MD5
d794ced98cc854d40aea782d1b4d7d38

SHA1
c9661fdc1b6e153ca5580dde7268ff00c190662b

SHA256
b325afb572d93b6a5735b0cce16d58502dae4d230267e621dbfb638a851dc027

SHA512
d723a815317cf9635da127fc5222aaf660ea32fbfba1e93958f4a1fd54ba57b14967f3d0db1edc233e6ec56bec19725f15789329cbd8cd2980cb7d5287b5072c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads