laplas | fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08

Analysis

max time kernel
108s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
Size

5.4MB
MD5

610a076f83218b51b01a24e9c8eba3ae
SHA1

7956cbd49823b35362f2244a350078f066873e65
SHA256

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08
SHA512

bed36d4f8663e1c3e9b877367b64a2bf0ae95a86da0c02d74b29872137f370f8419359be2244e009039705f64d68eb9792dee7dd4ed1456bc54789c1ca82c707
SSDEEP

98304:InGmlwPwuBvk1wu8JZfB7QJYfUbNM9VlE/V3VydE18wkcUrL5iKroh9Q4QGn7MO:InGmlgwgM18JPvCIU3V/+rLr29QUMO

Score

10^/10

laplas clipper stealer vmprotect

Malware Config

Extracted

Family

laplas

clipper.guru

Attributes

api_key
e967005093020788056c9d94da04435883edc18212f0de012679a229f024fdb6

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
832	udakqMngIV.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/3788-132-0x0000000000F10000-0x0000000001AE3000-memory.dmp	vmprotect
behavioral1/files/0x0006000000022dad-138.dat	vmprotect
behavioral1/files/0x0006000000022dad-139.dat	vmprotect
behavioral1/memory/832-140-0x0000000000E00000-0x00000000019D3000-memory.dmp	vmprotect

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1212	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	95	Go-http-client/1.1

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 2644	3788	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	82
PID 3788 wrote to memory of 2644	3788	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	82
PID 3788 wrote to memory of 2644	3788	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	82
PID 2644 wrote to memory of 1212	2644	cmd.exe	84
PID 2644 wrote to memory of 1212	2644	cmd.exe	84
PID 2644 wrote to memory of 1212	2644	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
"C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:1212

C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
1⤵
- Executes dropped EXE
PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe

Filesize
667.6MB

MD5
9574dc11ffc70e1c87a982bc35cb2b31

SHA1
f1bf5f6ad5f710167b99d9c513a3da269e0d428f

SHA256
31bd1e5fec8a1a148efa4de885ecd0682d6623c4373e6b606bda0802bdc3aec9

SHA512
bde621e5bf744a964a877d4f05a4b857c02c1a02cf1243e8c0da7b1fc5c0601feaf9015231b917f22634c612069941db221642dc9187fdeb2239e8ecc78765b2

Download Submit
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe

Filesize
667.6MB

MD5
9574dc11ffc70e1c87a982bc35cb2b31

SHA1
f1bf5f6ad5f710167b99d9c513a3da269e0d428f

SHA256
31bd1e5fec8a1a148efa4de885ecd0682d6623c4373e6b606bda0802bdc3aec9

SHA512
bde621e5bf744a964a877d4f05a4b857c02c1a02cf1243e8c0da7b1fc5c0601feaf9015231b917f22634c612069941db221642dc9187fdeb2239e8ecc78765b2

Download Submit
memory/832-140-0x0000000000E00000-0x00000000019D3000-memory.dmp

Filesize
11.8MB

Download
memory/3788-132-0x0000000000F10000-0x0000000001AE3000-memory.dmp

Filesize
11.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads