laplas | cbd52e865efdcce13184bb8594a5016cc973b2f30e880fc620c60dc0b5986e1c

General

Target

setup.exe
Size

1.9MB
MD5

a13a518eeb299eb35ef4dab64ca36dfc
SHA1

f70ed33a0ae431538d248186c102588d0a655544
SHA256

cbd52e865efdcce13184bb8594a5016cc973b2f30e880fc620c60dc0b5986e1c
SHA512

34508043fa6f682396bef2b8638aa382a8eab294042b1ca02071abc9bf3518b866b89538373a2ca2b002e209b72ccd3cbe7c9e86ab4b97edd2a9a448288d877c
SSDEEP

49152:+1iXbsGhvUq/AaqDQfM5jx9H2VatXYUq:+AXbfABsU5lrXYU

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1712	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1480	setup.exe
1480	setup.exe
1712	ntlhost.exe
1712	ntlhost.exe
1712	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 3 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1
HTTP User-Agent header	3	Go-http-client/1.1
HTTP User-Agent header	4	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1712	1480	setup.exe	28
PID 1480 wrote to memory of 1712	1480	setup.exe	28
PID 1480 wrote to memory of 1712	1480	setup.exe	28
PID 1480 wrote to memory of 1712	1480	setup.exe	28
PID 1480 wrote to memory of 1712	1480	setup.exe	28
PID 1480 wrote to memory of 1712	1480	setup.exe	28
PID 1480 wrote to memory of 1712	1480	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
244.4MB

MD5
aa94718f9674b7ebee9c49de49c2d9a6

SHA1
c027eb2b947776dcaa33b268961546e536ba1429

SHA256
e4aaa8f898d6420588b27da1aab0b55eb9f60a9c3f184dd41a505492f105f51c

SHA512
fef658e2e155619963f2600e7402b76fa203916b33782f2ceae526c776d01fc2bd9cbcb67f7bbece2c344dfec23fd30cf21fae4922107c61a40dea1af5f60761

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
251.0MB

MD5
672dad54380c12e4aabb1ddf1f2d0143

SHA1
341cf76099a97cfbfcedfdef6b61b3a1785d2f09

SHA256
6cd2bb4abb504367958aa6f8b756dc2c840c84fe06cba2505d27eea9ace29a1b

SHA512
1dcbb1f685949fc45b2adea20775723aae454a0088db4e042b151dd9a93be8e09fd4ebe543d4877f33dd0d39865653df642ef55f14c177221db2e08d37d16e94

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
239.4MB

MD5
1c059e7e74dcb303a2de1098521fb2d2

SHA1
f1ac8726bb0833abe311e183198bff1e037471bf

SHA256
2c26d7c602a84d4821e5253a30ea401fd34164e7a8a1029705abdcc3b2afab49

SHA512
f6e06c6a534e2dd35b086f3c19cf7c270b434a2a015ebe36949275d3821a865e3270deee49260f43fbbd9ab1e564fa2ffa0485bac1cc0f3efa3564921c1bb1e9

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
126.4MB

MD5
e34fc52ce017d8472e5ce24d4d3e22a7

SHA1
45734648298aab1743fb3ef89e46bf82709d48f3

SHA256
c9fed114b0ee4b238fb71d76a1962b18fbe62d9369e6dcd216fb63880449f09f

SHA512
6b7773074054bd919da06ec706f7262281865327f294311d9d06bf0a301348388652311c97ad0e815f24288fd0c9837276c3e5121cd5bc7f8e0913958595d56e

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
136.7MB

MD5
03beae7754e54613c278cfb0bd0c44e1

SHA1
0e9f812da4d785c12c4e75b1c26e1bf818168984

SHA256
f38ac7f6c6483b95c800608a0681e736175e031e03326f6f3b89988ccdeef631

SHA512
6aa35c39be8726ed9e49d4ccec051fc179a469031e01abd850b8fb05f2f5eec6d933c46d3229c85b700376163a514ec7c727c03c824ec6d19678e3e6f1544b59

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
248.6MB

MD5
c507fe9d95132d32df5e48c6f5634e2b

SHA1
b06465ca1e4c59cd96ba458d047ebf85b7c19b63

SHA256
f2f2c21dc21b691583d951515c194ee8188d6e4dccfaa1d78dddc03dd6b312e6

SHA512
61202c51c8f4e2613c0663437cc02659b9c31d25530733602292117bc151175f985c83f7e70d8cf6f33fb2c73a4e9ebd3293592859fc9671fcd815811540913c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
248.1MB

MD5
3b0226ad0cae1729c7a9ef1f978e5749

SHA1
133ce6c44c77ba27fd49bf2ede86c3f5e3f9c32d

SHA256
d09d1c188b65f52b8e36e5d963cfff7c7ddaeaf73f9301b9fbf4df281645307f

SHA512
7edde4d28cd3f852f2bac0d45f7569b5f54a876487c5c96bb3390f78b8029151bf71a3dbb6a814d4d42637dcc79a6f07e25de99cbc2ca9dca30722c44131f587

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
249.9MB

MD5
1204db306301f5dc7fd9801644dbe4cf

SHA1
a5cb203b1d8b260b2fe1e15e0a6c467e98b2a560

SHA256
f9da20c65db86f423d4cc84bd4cf97a16a7ae8c1c309a79afbf30791f140da72

SHA512
e5c6206d5eecaf4e172a7dc08f176730e277d5721bcc3663655ce42a81b4cfc5a57b9d90338d0d25ec93a07f3bb98d3f278d37a4c9b6ffa7d44f4e882266d160

Download Submit
memory/1480-65-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1480-55-0x00000000048B0000-0x0000000004C80000-memory.dmp

Filesize
3.8MB

Download
memory/1480-54-0x0000000004700000-0x00000000048AA000-memory.dmp

Filesize
1.7MB

Download
memory/1712-70-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-78-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-71-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-72-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-75-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-76-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-77-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-69-0x00000000046F0000-0x000000000489A000-memory.dmp

Filesize
1.7MB

Download
memory/1712-79-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-80-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-81-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-82-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-83-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1712-84-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing