laplas | 83224bbf17e2eaad3e40aa076696d35daef0a126d7c7c8125920ff457b4de93d

General

Target

setup.exe
Size

1.9MB
MD5

27c3e0708804985d4f0758f873509805
SHA1

926ae820a61da9a6241ea94299edfcac963bcf78
SHA256

83224bbf17e2eaad3e40aa076696d35daef0a126d7c7c8125920ff457b4de93d
SHA512

bfca20c53257b54cbd8939bfa3023f3db10e796db0db5a3d445638d3ed73bf79d4510017f2e99470091fb20c615a82ee1d22962770ab053b94947f435aa69966
SSDEEP

49152:RQ7IJR3VJ9Ln5CI3o4U9ekXJkGB0qj5Bl+w:RZJR3VJ9VCAce45BD

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1076	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1724	setup.exe
1724	setup.exe
1076	ntlhost.exe
1076	ntlhost.exe
1076	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1076	1724	setup.exe	28
PID 1724 wrote to memory of 1076	1724	setup.exe	28
PID 1724 wrote to memory of 1076	1724	setup.exe	28
PID 1724 wrote to memory of 1076	1724	setup.exe	28
PID 1724 wrote to memory of 1076	1724	setup.exe	28
PID 1724 wrote to memory of 1076	1724	setup.exe	28
PID 1724 wrote to memory of 1076	1724	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
206.8MB

MD5
0352f286db2928ec7f6b41408b4709bc

SHA1
2493fe9eba2af5c3afa4842f849526a2c8533b7d

SHA256
e04929247e9be199d5f70620f730d247623c4bd45dd50cf60868d2db18384b52

SHA512
202e350dc665ea12249010b95a0cc012056bc1a5954c51a98168c3d60939aa33042bfa6fb104af8e1571aa64ce81ccc1087e72f6ce9403b0c599723c3663673a

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
208.1MB

MD5
b2824c5bb9dbe59bff6626ee26df74cb

SHA1
3f5ac543171a1988b985b21c2b1984fda7fc16cd

SHA256
f31802554dc14deba98a942314c6c2c249526c7c777c0c618437e4a61bd1395e

SHA512
620b74e603571fdc5ff5b5e64cbf42d6a4410278f2eeb4064261bf4a0b70e6b73d6b5d6008b2b06c68b72f9a49a1a4f9bca95decf7ff8c8cd1c67a7a65e70146

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
199.6MB

MD5
462934d6370f676f26b92c14f614b2b8

SHA1
56a9116d87f6e6b5b05a0fe02534d6852e65601f

SHA256
63f033a76a84c1bcb24c44a96f9e9e53b17f9097d077b61a0e1eddc701345bfc

SHA512
3a1abd65b698f4021f869d0deb08b1cf0ebb5fc9453a2d20346454296a21a74bffbd2bb690eca4884f34bddfcabb690e5831396bd71fc78d9d2aadeb298ef3cb

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
123.1MB

MD5
8ccb690dc4a28c868adbdaa9f8bf88c2

SHA1
2e90b089e5f1021fe002e77269ce9dbe0c6e1e7d

SHA256
b6c7913229cb4752b8a9574a9794eec6060c1c69142e97df4d993aa963a478b9

SHA512
19ae224b2ecf231a5dd5c816120c77815677ec3667282679dac4a7946d013ebe2021f96c71d218ecccb7932b60881b7e4acddde3f221429db80539c17e85017b

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
193.0MB

MD5
c0558e4f3261413c5348b3fd65a4374c

SHA1
19fac3c7d9b9e7d1b59f60e21dc35760669670e3

SHA256
b13380bf2bc3a6f8f67e135a450239aa828155bbf6ba07b3a84b01b4fac7f141

SHA512
79ef14e6666c0c1f55ac18904a28e666449b400fbf85559b0e916984ac6bbc1fc9e25743d7e9509e09adc3e95ea7585a8297e332fb6886e42cb267d7359ca8c8

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
208.2MB

MD5
95f778955b7d63108007f7831aa5168a

SHA1
6ff7e6143fd6214887d52f5ca0c8fbdf189dc6d8

SHA256
007a671b93fc01715466339f1e61db1cf40e01338b6a8771a3bde60f26b03482

SHA512
54d2be9d2a02544d3852e8c45fe780aacb38a6d27b580d28b3891f2f976d4fbfeeec2a289d1e49a3687e21b8be683716e9e33cc5ffdc8edc4a1a29f06595faa5

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
200.1MB

MD5
feef7773ddd120a8a195c5d41e024076

SHA1
fe17682e05ab7ea8e6aa0ff8e11a39c934948eeb

SHA256
7ddeffb8c0f74259afd72ca3997b1673fd5ed126c4dfc547ef0f41b80e708571

SHA512
7c3c6022aa7274b38250e272cafd2abb01fc98159cc16c7b6f867d04a2696fa45bdaa03726c3fc8744e06fea08cb12a3fb64e6fd223868166052fcf92dd2fb77

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
205.7MB

MD5
03778b0d04448e33ae0ac73050067b6c

SHA1
07b63c8a795ccbbd977c65ebfebe69c76a9ca805

SHA256
1c4906ddbbdad31e8a9a7a6336acbee02eaf6374b49ecd877bb781a4f9630ff4

SHA512
eb2a08e71b810d758967d35ee079d0c516492cd66339b8f788152b8a714d72dc66044506ff4282cdbab01b2885c74f74624df52de29bc0f99a6f600fba520686

Download Submit
memory/1076-70-0x0000000004B50000-0x0000000004F20000-memory.dmp

Filesize
3.8MB

Download
memory/1076-77-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-85-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-84-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-83-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-71-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-72-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-73-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-76-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-69-0x00000000049A0000-0x0000000004B4A000-memory.dmp

Filesize
1.7MB

Download
memory/1076-78-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-79-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-80-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-81-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1076-82-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1724-54-0x00000000046B0000-0x000000000485A000-memory.dmp

Filesize
1.7MB

Download
memory/1724-55-0x0000000004860000-0x0000000004C30000-memory.dmp

Filesize
3.8MB

Download
memory/1724-65-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing