laplas | 414b33f7e5445ce67dbd9bf9ad85084d2b02762606ae8b5dfe37b4123154fc08

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14/03/2023, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

414b33f7e5445ce67dbd9bf9ad85084d2b02762606ae8b5dfe37b4123154fc08.exe
Size

1.9MB
MD5

fa89d4571f7073e7926843d8a16df438
SHA1

c6754b3313c44c255a062a5dd12aae32e19dbbba
SHA256

414b33f7e5445ce67dbd9bf9ad85084d2b02762606ae8b5dfe37b4123154fc08
SHA512

a2625101eef9864136841490473ee8acad14b3418b90bfc468561791ce603d916b35c24a379e3386f32e07047e2e6cfa79d66aef1b186e1b65aeb180a5bc8e3e
SSDEEP

49152:plVxrXOWGkryuAaDewDw/+d1q/oENauIsocOHBp:pl7DLDrKOea6LN7RWr

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1760	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	414b33f7e5445ce67dbd9bf9ad85084d2b02762606ae8b5dfe37b4123154fc08.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1760	1804	414b33f7e5445ce67dbd9bf9ad85084d2b02762606ae8b5dfe37b4123154fc08.exe	66
PID 1804 wrote to memory of 1760	1804	414b33f7e5445ce67dbd9bf9ad85084d2b02762606ae8b5dfe37b4123154fc08.exe	66
PID 1804 wrote to memory of 1760	1804	414b33f7e5445ce67dbd9bf9ad85084d2b02762606ae8b5dfe37b4123154fc08.exe	66

C:\Users\Admin\AppData\Local\Temp\414b33f7e5445ce67dbd9bf9ad85084d2b02762606ae8b5dfe37b4123154fc08.exe
"C:\Users\Admin\AppData\Local\Temp\414b33f7e5445ce67dbd9bf9ad85084d2b02762606ae8b5dfe37b4123154fc08.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
813.9MB

MD5
b47680ed43047984065bfe442448c52b

SHA1
9effb154cffdfb1e1a359bd6a3fc4f81c5252db9

SHA256
27d8ee1557bbfc65a418c7e8b42a2545487fec9cf5a07dff004baf2c748e269b

SHA512
7e6e1cea3ccf89b823a6602d39c6f2739c2df7d71d2f9ed4134ce4778ed9c80fc71f8e0ef5e0485fda78d7b19aff22ae864d213765ca33eaee0d02277086464d

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
813.9MB

MD5
b47680ed43047984065bfe442448c52b

SHA1
9effb154cffdfb1e1a359bd6a3fc4f81c5252db9

SHA256
27d8ee1557bbfc65a418c7e8b42a2545487fec9cf5a07dff004baf2c748e269b

SHA512
7e6e1cea3ccf89b823a6602d39c6f2739c2df7d71d2f9ed4134ce4778ed9c80fc71f8e0ef5e0485fda78d7b19aff22ae864d213765ca33eaee0d02277086464d

Download Submit
memory/1760-133-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-134-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-128-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-129-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-130-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-132-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-142-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-141-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-135-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-136-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-137-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-138-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-139-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1760-140-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1804-127-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1804-121-0x00000000028B0000-0x0000000002C80000-memory.dmp

Filesize
3.8MB

Download