laplas | 11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be

General

Target

11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
Size

10.5MB
MD5

d75c660c2584891aa2072643e345c941
SHA1

cc3ed51870ecd89963428c4d3638c8a99d0ea991
SHA256

11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be
SHA512

8a9ab5f164b7268ff56529c35bf97dccedff20f822e2a4daabc97e0af7cfd9f31593df440a337e6b9d84db60e5ed0be6f238545f367dada3012c54f4c61bd7d6
SSDEEP

196608:e+la0xOiukoEzn0quVFJ/ODw+lxihvwo:e+s0mDHVFo7Aw

Score

10^/10

laplas bootkit clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

C2

http://193.233.20.134

Attributes

api_key
57728dce0f7018e17faf9f061cb2d77048e08414376baf6d860b78e74e83c208

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
File opened for modification	\??\PhysicalDrive0	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4984	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
2340	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	58	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4984	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
4984	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
2340	ntlhost.exe
2340	ntlhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 2340	4984	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe	90
PID 4984 wrote to memory of 2340	4984	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe	90
PID 4984 wrote to memory of 2340	4984	11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe	90

C:\Users\Admin\AppData\Local\Temp\11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe
"C:\Users\Admin\AppData\Local\Temp\11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mntemp

Filesize
16B

MD5
8a2d9b289c19e05fd0379b82f2919a21

SHA1
97440fb16a4b8c0ede2d527141749aab76a7a252

SHA256
158fa2d1f60e6330072d181063c9b6d2c2c19fd92b5400f382f7d95bfaec1fec

SHA512
cd553fea1140ebb0231c1ecb618793e6a4746a35129bc7a7c96e066cd17edf0f1fec65ee483784add1c296b06637e4f0ddf1e13c6e9231ec54ee2fc458acd015

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
735.5MB

MD5
ca59accff7f7ca3c2d7bbadcdf73a2db

SHA1
8989e1050d8daf3d24c145b1b450a2766d3a86e8

SHA256
5a8cfcc91232b980303ba31f66d141a210ce4b480064470ee3f63e26d6c4f805

SHA512
de4ea68ce208a2e86f592977fc7592d74a19c349557fc52cf420d48445608e6654be631381a94afc2d55db079f44af6d9012dc7918c3fe8ab5988b6db2b9b16b

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
735.5MB

MD5
ca59accff7f7ca3c2d7bbadcdf73a2db

SHA1
8989e1050d8daf3d24c145b1b450a2766d3a86e8

SHA256
5a8cfcc91232b980303ba31f66d141a210ce4b480064470ee3f63e26d6c4f805

SHA512
de4ea68ce208a2e86f592977fc7592d74a19c349557fc52cf420d48445608e6654be631381a94afc2d55db079f44af6d9012dc7918c3fe8ab5988b6db2b9b16b

Download Submit
memory/2340-161-0x0000000000A30000-0x0000000001B57000-memory.dmp

Filesize
17.2MB

Download
memory/2340-157-0x0000000000A30000-0x0000000001B57000-memory.dmp

Filesize
17.2MB

Download
memory/2340-176-0x0000000000A30000-0x0000000001B57000-memory.dmp

Filesize
17.2MB

Download
memory/2340-175-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2340-174-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2340-173-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2340-167-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2340-163-0x0000000000A30000-0x0000000001B57000-memory.dmp

Filesize
17.2MB

Download
memory/2340-162-0x0000000000A30000-0x0000000001B57000-memory.dmp

Filesize
17.2MB

Download
memory/4984-148-0x0000000004520000-0x0000000004923000-memory.dmp

Filesize
4.0MB

Download
memory/4984-136-0x00000000007A0000-0x00000000018C7000-memory.dmp

Filesize
17.2MB

Download
memory/4984-135-0x00000000007A0000-0x00000000018C7000-memory.dmp

Filesize
17.2MB

Download
memory/4984-133-0x00000000007A0000-0x00000000018C7000-memory.dmp

Filesize
17.2MB

Download
memory/4984-152-0x0000000004520000-0x0000000004923000-memory.dmp

Filesize
4.0MB

Download
memory/4984-137-0x00000000007A0000-0x00000000018C7000-memory.dmp

Filesize
17.2MB

Download
memory/4984-150-0x00000000007A0000-0x00000000018C7000-memory.dmp

Filesize
17.2MB

Download
memory/4984-139-0x0000000004520000-0x0000000004923000-memory.dmp

Filesize
4.0MB

Download
memory/4984-147-0x0000000004520000-0x0000000004923000-memory.dmp

Filesize
4.0MB

Download
memory/4984-146-0x0000000004520000-0x0000000004923000-memory.dmp

Filesize
4.0MB

Download
memory/4984-145-0x0000000004520000-0x0000000004923000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads