laplas | 0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d433fee70e60de32de4608f07bed7d2a.exe
Size

1.8MB
MD5

d433fee70e60de32de4608f07bed7d2a
SHA1

8b84224c8319705317340392ad99bc529183a7db
SHA256

0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512

ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8
SSDEEP

24576:OGjR/w861Jx8ShKAhJ8PwNIe19bcOPnRQBgOGq0CsBNkj2aoQ5icqh:pY1Jx5vmkxJPnR8GTJNBHt

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
3260	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	d433fee70e60de32de4608f07bed7d2a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3852	4872	WerFault.exe	85

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	30	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 3260	4872	d433fee70e60de32de4608f07bed7d2a.exe	89
PID 4872 wrote to memory of 3260	4872	d433fee70e60de32de4608f07bed7d2a.exe	89
PID 4872 wrote to memory of 3260	4872	d433fee70e60de32de4608f07bed7d2a.exe	89

C:\Users\Admin\AppData\Local\Temp\d433fee70e60de32de4608f07bed7d2a.exe
"C:\Users\Admin\AppData\Local\Temp\d433fee70e60de32de4608f07bed7d2a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 476
  2⤵
  - Program crash
  PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4872 -ip 4872
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
831.8MB

MD5
af8b5347bd695871e4940bb9f4cb09e7

SHA1
9f89fcf9ab52adc9d2e609d3a7e52a7682f07a29

SHA256
e0242366b06970febb23cecf1b69104a0f3b42f27c156dcdb9494b25e2a8ca55

SHA512
938892958ee20ca9d825ff5d583a2ecf3bc68b57dbd604a9fe9f84d91985fddd7f4003e4403d3c3bf6d955186d5f2b06a225630aafa30f362007fd6e25410da7

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
831.8MB

MD5
af8b5347bd695871e4940bb9f4cb09e7

SHA1
9f89fcf9ab52adc9d2e609d3a7e52a7682f07a29

SHA256
e0242366b06970febb23cecf1b69104a0f3b42f27c156dcdb9494b25e2a8ca55

SHA512
938892958ee20ca9d825ff5d583a2ecf3bc68b57dbd604a9fe9f84d91985fddd7f4003e4403d3c3bf6d955186d5f2b06a225630aafa30f362007fd6e25410da7

Download Submit
memory/3260-150-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-147-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-155-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-142-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-143-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-144-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-146-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-154-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-148-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-149-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-153-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-151-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3260-152-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4872-134-0x00000000028B0000-0x0000000002C80000-memory.dmp

Filesize
3.8MB

Download
memory/4872-136-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4872-140-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download