laplas | 8184da84f2c3efe78c83d045d75e998a5983ca1ec75f57fd6128c9165f236f68

General

Target

setup.exe
Size

1.8MB
MD5

f94d6eccab8832b99c98c5bc416e1af0
SHA1

a2072e964c557fbb322f93d554dade226561013d
SHA256

8184da84f2c3efe78c83d045d75e998a5983ca1ec75f57fd6128c9165f236f68
SHA512

61f6c4f1941ec018ae1c2deb7d6e31106130d683d4f06c985b6e3c92233b0303454218fc8351807e70c7bbc4123db4b47fe296153f8c4d87ed0bea17fb8f7079
SSDEEP

49152:8QiGcgi92aIH9Do1ZfWC4wmzu4iOM/Gx:jJKZfWKmzu4O/G

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
912	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1948	setup.exe
1948	setup.exe
912	ntlhost.exe
912	ntlhost.exe
912	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 912	1948	setup.exe	28
PID 1948 wrote to memory of 912	1948	setup.exe	28
PID 1948 wrote to memory of 912	1948	setup.exe	28
PID 1948 wrote to memory of 912	1948	setup.exe	28
PID 1948 wrote to memory of 912	1948	setup.exe	28
PID 1948 wrote to memory of 912	1948	setup.exe	28
PID 1948 wrote to memory of 912	1948	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
194.2MB

MD5
1c553cfbd3fdddfe74671c5780af708a

SHA1
d0e1fa2788b8e1e61cc8b285fa4a8160df34443a

SHA256
79a3125aa11cca9645097109e9ddf8ca6a522b49a8fcd4bce3cf90cdd0c775e5

SHA512
8bd03eb9949d1a39463eb153820bee023c39bfe2e31b963fb35b299eb313c418e98820e737ad322598a704e559fb9ce5b044d1e9b7d4058e201ac2aa54fc159c

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
243.0MB

MD5
6ede4c70936b0c65f5b987ca7fbcdae5

SHA1
2fce9f77d9303b9d60f9993d871dce258e2515e2

SHA256
a55fad50af6519918b3add1ba20a53f277f9d665a668e50e239e80b234ec0b5a

SHA512
fe6136483894c4b4d8b238b60692367f1722c7cf48170071a02d79e25b45026e38a5c7d2589b2552e46be49ac75cff2c71663c9e045ddcb8d8c6b63b1501b0da

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
255.1MB

MD5
e2adfb7e3bcdbf8baf888405b4b88697

SHA1
a2507540034da5650ae8fc7d20a1013b1f2364f0

SHA256
39180eb804eded16cf6db4361d7e9f2cc365de86276e79457078bc3b4050cc1d

SHA512
5dfe38cf078b6d9d0b6583f05264e17a814bb9a39e0519b782049a8048d17c15028aac16c67c1c4b7e4c0d034d3aaef3d8beb26c1770d0b112450bab225db019

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
153.9MB

MD5
7a50a89ef1102b77cb415f87c20e74f9

SHA1
55409413fc5451467d1888c4d5880f6e4ca1323c

SHA256
d2496b55c79d86253a57534faecd64fdb4496e219a8c1f75a5a33af2e43b60e6

SHA512
aca4a097a721a2246152f36747d10b3f1fa67ec84792a5fe326a0a4e93142d7b70377263b9139f7b70123d836360b2d0c76137e3ac2ea3064246c9a507bded84

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
283.3MB

MD5
1267a0ccd4fa6b94dc28b4b22375f756

SHA1
3ecc1817439f050053475b0128c6bfb58310430e

SHA256
6cd71bde18968e2696ca01d72723818343569d9d7baa0536426bc4a7019446ee

SHA512
80b2fb614b415b886e9b6ad30125558aea4f39b1e93ecb063ff07230d4f985321dabbe423c33f0b36a9e031082d21ef945c89554bac5ed54c5dc6acecd898525

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
285.5MB

MD5
4b30968a030b499aa911c3d5eeae77e0

SHA1
4eef6427b350a1cff07d960e6b33cac0ed1474cf

SHA256
6bef6720f2f4adf891d6e0bbea31d7273c385723236755519878daed7f2c54d4

SHA512
f49f079cb62ce492f17c73b47b8c59a8b6a1e4839de9f0adbbebce31813003cbfc51085f23a992c95a3e89276f6a3e24187e3abf39aad0b8ffb1e09a65ee49ad

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
275.1MB

MD5
3b8de136e1eea74c2c4f0409bdf393b9

SHA1
20cdde097eaf6875fc3d54ebf656c8d58899a41b

SHA256
a9199d5230f903adc40c53ac63cc993de62c8c7023380633fc1ea3d5bdb27679

SHA512
e26bc5dbf3b0279c066fb2bdc492ee522792329ea3cae61086fdb6ece500f99e2cc07e82aaff4cc34c2a400736005dd4a8d41ac9f52a295d60e9840ad44f6ff0

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
285.6MB

MD5
eac98cf2c36891e602716c93a6f59fb1

SHA1
c61a27fbb9deec67c2bc03aed9658c65b9116b2e

SHA256
bbfcd6d633e0a68900d8378231c08f4650210cad354f3979de6121c53d7db274

SHA512
89ea5fb36921e7a671fbbbfb0fbcf3fa82827f12364bd4c83bb3cafe2a8b14d51f68718ab4ea5bd91ed41b45b11a6591f7b19efc6c4bad5f73f61e605f583012

Download Submit
memory/912-75-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-78-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-82-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-69-0x00000000022D0000-0x000000000247A000-memory.dmp

Filesize
1.7MB

Download
memory/912-70-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-71-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-72-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-81-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-76-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-77-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-80-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/912-79-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-64-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-54-0x0000000002330000-0x00000000024DA000-memory.dmp

Filesize
1.7MB

Download
memory/1948-55-0x00000000024E0000-0x00000000028B0000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing