laplas | 0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7

General

Target

d433fee70e60de32de4608f07bed7d2a.exe
Size

1.8MB
MD5

d433fee70e60de32de4608f07bed7d2a
SHA1

8b84224c8319705317340392ad99bc529183a7db
SHA256

0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512

ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8
SSDEEP

24576:OGjR/w861Jx8ShKAhJ8PwNIe19bcOPnRQBgOGq0CsBNkj2aoQ5icqh:pY1Jx5vmkxJPnR8GTJNBHt

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1188	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	d433fee70e60de32de4608f07bed7d2a.exe
1388	d433fee70e60de32de4608f07bed7d2a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	d433fee70e60de32de4608f07bed7d2a.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1188	1388	d433fee70e60de32de4608f07bed7d2a.exe	28
PID 1388 wrote to memory of 1188	1388	d433fee70e60de32de4608f07bed7d2a.exe	28
PID 1388 wrote to memory of 1188	1388	d433fee70e60de32de4608f07bed7d2a.exe	28
PID 1388 wrote to memory of 1188	1388	d433fee70e60de32de4608f07bed7d2a.exe	28

C:\Users\Admin\AppData\Local\Temp\d433fee70e60de32de4608f07bed7d2a.exe
"C:\Users\Admin\AppData\Local\Temp\d433fee70e60de32de4608f07bed7d2a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
565.8MB

MD5
bd794ebe1b44d6d2da6f9de36ecebd51

SHA1
0a1dfa7655db10ea07cd1e0eaba5b6e06e15bc40

SHA256
e8ed0cb9cf5e9a3b1663cb1b48ee45a1b3cbbb9301e46993083b82228e1b592d

SHA512
ae1becfc3bc02d1de3c6af39736b5e256f668a33f1255457fc4966776b8104b7161d8f518ffc7bea8fdcc1b768bb9295bc055bef4e2f288542504af6d587cb1a

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
548.2MB

MD5
d816c148cb8afcd27ac1dc5daa8a3d53

SHA1
edce56524ec0ad604e35c19e042dd0d4ce6d69a0

SHA256
35471ece83022b572fbfa9a5c18f0397e383018c50a7b23f386c4f97a9bd547d

SHA512
6b7b7a79229dd8b0c460f91015eb17e862684004436547d39066066b5ba46464d86e77a4f7d3ed2c5dbe9e8024ab3726a0d70d5f3efaad2e2ca7f93499c629d8

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
385.3MB

MD5
58a52558a829ce4945872c2b89c16bab

SHA1
f75e3797fe49322f086010b2e85ea2183b952456

SHA256
a3e9dec35a112e2f8b38a54f87147d643c47c0cb8c058bd37a49dbaa51c6c78d

SHA512
14e86228ad2b6311126083662aa2275f24406dd89d993ce7d85323aaa8b97953ed20120174868557c2dee3ae5d4ce57fb8cced051732127678c52c4ffbd587ce

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
568.8MB

MD5
d9722b121c2749054de7eb57773a16a2

SHA1
320f3193e2047cff52b89ccf07f0320ef854f5b9

SHA256
219dbd70ac2dea2b000d4fe3edb8c25f4303ac57dabbfdf788921dd5e03e47f7

SHA512
e9e247217c0e168d9f0f1492f9aaace0160926f016c9b5009e2117c4650c5473e81ab127761d83f62f835f964cf3c35e8c3c1d9350d6c9fb65e5071ec25ab3f3

Download Submit
memory/1188-68-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-73-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-80-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-65-0x0000000002060000-0x000000000220A000-memory.dmp

Filesize
1.7MB

Download
memory/1188-66-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-67-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-79-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-71-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-72-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-78-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-74-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-75-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-76-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1188-77-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1388-55-0x0000000002360000-0x0000000002730000-memory.dmp

Filesize
3.8MB

Download
memory/1388-54-0x00000000021B0000-0x000000000235A000-memory.dmp

Filesize
1.7MB

Download
memory/1388-64-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing