Extracted

• • Target

    11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be

  • Size

    10.5MB

  • MD5

    d75c660c2584891aa2072643e345c941

  • SHA1

    cc3ed51870ecd89963428c4d3638c8a99d0ea991

  • SHA256

    11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be

  • SHA512

    8a9ab5f164b7268ff56529c35bf97dccedff20f822e2a4daabc97e0af7cfd9f31593df440a337e6b9d84db60e5ed0be6f238545f367dada3012c54f4c61bd7d6

  • SSDEEP

    196608:e+la0xOiukoEzn0quVFJ/ODw+lxihvwo:e+s0mDHVFo7Aw

  Score

  10^/10

  laplasbootkitclipperevasionpersistencestealertrojan

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1