laplas | 5bc89ac527b9326cfe4e3c88c2271084330cb58fcdbe91da7aab3b2eb49c9d57

General

Target

8d84e57656a59231cb00e35857f52f5a.exe
Size

1.9MB
MD5

8d84e57656a59231cb00e35857f52f5a
SHA1

6f2c858adeb1d8c488e2885688982eb8c9798e6f
SHA256

5bc89ac527b9326cfe4e3c88c2271084330cb58fcdbe91da7aab3b2eb49c9d57
SHA512

7defc51e96af47b849c06534faa0cd5959dd871c61e6b894ee9ceefa9a52925f3a8b35e562c3cf811eb71d727e579cb130d3a332ed5e73ef7c64a48a6125bac9
SSDEEP

24576:Tj72QEHHAU0XTLnkXsdC4eZ9jAOXOSs3UUp9KL+koeAPdk5OQpo6w0LFi:iQEAlkXuCVjAOXO6iKL+kojQvu6

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1308	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	8d84e57656a59231cb00e35857f52f5a.exe
1728	8d84e57656a59231cb00e35857f52f5a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	8d84e57656a59231cb00e35857f52f5a.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1308	1728	8d84e57656a59231cb00e35857f52f5a.exe	28
PID 1728 wrote to memory of 1308	1728	8d84e57656a59231cb00e35857f52f5a.exe	28
PID 1728 wrote to memory of 1308	1728	8d84e57656a59231cb00e35857f52f5a.exe	28
PID 1728 wrote to memory of 1308	1728	8d84e57656a59231cb00e35857f52f5a.exe	28

C:\Users\Admin\AppData\Local\Temp\8d84e57656a59231cb00e35857f52f5a.exe
"C:\Users\Admin\AppData\Local\Temp\8d84e57656a59231cb00e35857f52f5a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
479.6MB

MD5
3673ddf9a5ef711b1eb17b74bc45214e

SHA1
125b8990286a661d6f4c72a34a663fbf6979d46a

SHA256
290fa748eee976bb19c68d8ddcc7de68342107efbad42fc53e3cd3d10e1fed62

SHA512
02b1165f65e27879d38e293204d5a33453597693c1339e482fe2bfd75f02b4977946cde3e35b00b5b645527af0a8a307631dfd5f71a819c84e0d667a7b27a782

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
488.6MB

MD5
109f1d54987ef5575a48ff991f73bc3a

SHA1
104af7407a375c3ce4c4f1ead5e18b57661c907a

SHA256
c74871ab638a950e8d7c88fdc08f6cdfa2f693d6e334f035bbce18d421829706

SHA512
91705dd190f6ee189c2d1cd2480f2ecb2c7b606b4a23a95f4fa3ed86d1a23401e28b4d38dd4366a2cc61ff8d6557e741906ffa543c16831494cb6886a3306ba1

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
273.1MB

MD5
b80f18550a741729ebe34ddd9baaea02

SHA1
1418c0d1b92a5cdf230f36f0ebb607f817421159

SHA256
7d2e88726d2680ba81d07cb16e61ae328d5830e99ed33a58f81992f1769c6fd3

SHA512
b3b5b0013a95310f7e114913554166093fedddedba85a76994e387e3402a9ebd925e78a09e676ad83ec4327bba3065d8e49dddf584dcf63ba4f8866ddb23b8a1

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
477.5MB

MD5
2e83d846d0a6f4d2410fdffb897f6264

SHA1
ec52f48a6381bb6c9de0f21047f815a7d2db1a80

SHA256
90ad77fd5b5da8aa99d61e921ed6850036ff0042d12df7d9daaa679973a2d26e

SHA512
9ff1b24cb5390286097c38b33309ca654efd12ad8b7b326087012e37ac5d902847390cd75735254d9b393d3f11c37420ac667031b80c1806ab3717334f02b38c

Download Submit
memory/1308-75-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-71-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-65-0x0000000004640000-0x00000000047EA000-memory.dmp

Filesize
1.7MB

Download
memory/1308-80-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-66-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-67-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-68-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-69-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-70-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-79-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-74-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-78-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-76-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1308-77-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1728-54-0x00000000046F0000-0x000000000489A000-memory.dmp

Filesize
1.7MB

Download
memory/1728-63-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/1728-55-0x00000000048C0000-0x0000000004C90000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing