laplas | a6a66627e3422140f5e1bb3eaca83d8b124c85734029b9ce216d5d33a35af69a

General

Target

setup.exe
Size

1.9MB
MD5

4ac3b05f28208a1c41831fd781327f12
SHA1

7660c9502daf62105414244e07b5e594874d45be
SHA256

a6a66627e3422140f5e1bb3eaca83d8b124c85734029b9ce216d5d33a35af69a
SHA512

ea03824f65e138a31180ec442f60e3de347e0e20fd91144eecd695c1c92caf42b576e24c8d5f96c18acdfdbdeb2aee392a95566b361c884a610c0fc0d8b66720
SSDEEP

49152:nVM1o+LRAoWrYMgxE407GpZl44dphdLVMh3/fYgnPfX09:nVM1okOoaYzxE40Kp44PfUjf

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1912	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
2020	setup.exe
2020	setup.exe
1912	ntlhost.exe
1912	ntlhost.exe
1912	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1912	2020	setup.exe	28
PID 2020 wrote to memory of 1912	2020	setup.exe	28
PID 2020 wrote to memory of 1912	2020	setup.exe	28
PID 2020 wrote to memory of 1912	2020	setup.exe	28
PID 2020 wrote to memory of 1912	2020	setup.exe	28
PID 2020 wrote to memory of 1912	2020	setup.exe	28
PID 2020 wrote to memory of 1912	2020	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
126.9MB

MD5
1a4fb7e56b233cade265fe58247ac2cc

SHA1
0b3304cbeb0f0b4410de195451eb7d095b23a374

SHA256
8b360ef8e5899866eb3e508694356411c0c19e6f4137d5db1d61dca9a373e800

SHA512
d63733d989f7d68814df3c29be3715e32756d059910751edf1a4939627093c3d2b320b6c16629dfdccdb180e6569be022f7924a686c26ec0228396f62b2b697d

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
132.6MB

MD5
8c8c75bbb92b21322ec16ed1bbae07af

SHA1
881d5229ede8ee0ed93ca3cdd98a752002593bac

SHA256
50b55b0b01c57d6445c9476e5ffa65ddd97f0011c7382e52296d1f490cefe11e

SHA512
779c8acc0c5962cc6dc8f325436110e9802e50ae2cd781945cc0b225b69ca8f7aec200edf919c59bc0b490ed680a4b0d5dce423c6b94ddc84b7be92e227ff8f6

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
205.1MB

MD5
aec4da397d4b330718eac245fb0f51b8

SHA1
6a579425a3a4a736a7a850982b433f081a56888e

SHA256
2232e44653efa6057d27adbb88d69cb349dfab586f773327c61b0d79b851e230

SHA512
bcb99291338599a7a5635ee22ee8802ab466e0f48545637d3a4df7c4ebb702fda70f03672cc1d2f922f5bbcd7f01aa63979cef105fd3f86386dd2e9f26b916ad

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
241.4MB

MD5
9ddb515ba0c571ca8e370b2b76e45864

SHA1
24df9efc32a5108b99e093e09b69f6aec25c0d38

SHA256
436b85a21e47f1e245d9b3ad5caf7462fb727f35fc2e672942f89c1fb05feed3

SHA512
62a0e2f0b7c08292a65491c6694d3eac4b91ebf56e58d1e170a03341892f654357846c51b3990dc56585a2b77e476c8e58efc44806b33c32f31be004890e57c6

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
133.3MB

MD5
af53b83f0df192b08c046b6c2e07b8b2

SHA1
f2e8189ae527216003038c636ca415848b24f828

SHA256
c66e4aa03e1c42d03dab29413b40ffa04652218885ddae8fb9e209c8e8b85c2e

SHA512
6017f902bf3134fbca8b312dda130795431b1a9303ee1f35ae8bd6c182dced3db298a2b55b4dee64f96bba8bd706e170e47d98331b4f46126a421d0166882c4c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
243.5MB

MD5
cf12f86d26cd163944a94e753c54f2f5

SHA1
0d30509bc5772b791baa0ff5b4f9d09f87c13902

SHA256
c113c699a7dcd12ab746a93273b3fd4769dc2cd12c1b341745723674b6961bab

SHA512
ab6ab5b350171064ec50e18cc1f42996927f68fad42cf20ade3f958c65563b3149cb258271c88fd5827cdeb100312e7599754b28d4ec887969198d04e3cdc2e9

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
245.1MB

MD5
b50bb5a0a0ef9413db97c40b3ae271e8

SHA1
c08460821263b85062fda221eff3c49d715292dd

SHA256
c0acc2861582c5aeed5c5c08e7a341e0e5f3975d8fe1924bb288753f66fd0da8

SHA512
55b098bed591655aa9483e2a0b82113153eb85b221cee8b35fc84218ff8ce7659457fe38d3099c105225fbe3c2ca79f051778b5c7075a3fc257aec5f834d10c1

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
232.6MB

MD5
9bb4ec36064055fd6cd9525885e03351

SHA1
7bcd0773597ea8839eb41e194d0b702346f04e6d

SHA256
09d65b13ef25e6be7f614e8edf89d87cdd239d2d01c17e9c6d8b0da94d9322ae

SHA512
73bbf41ea29cfc59253e9ea6107559a06bc907b33bcfe0861ea03e4933d5285fe29217580628acc43ef54bfa9688e411ac8f7704169c12321211079b898fdbbb

Download Submit
memory/1912-71-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-78-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-85-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-84-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-83-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-72-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-73-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-76-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-77-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-69-0x0000000004850000-0x00000000049FA000-memory.dmp

Filesize
1.7MB

Download
memory/1912-79-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-80-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-81-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1912-82-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2020-54-0x0000000004680000-0x000000000482A000-memory.dmp

Filesize
1.7MB

Download
memory/2020-64-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2020-55-0x0000000004890000-0x0000000004C60000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing