laplas | 34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3

General

Target

34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe
Size

296KB
MD5

134d8a47c6f8fa3d99b60ce9e4faff2d
SHA1

9d102bfa660683be4d56e86eaca1050ceb2a42c0
SHA256

34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3
SHA512

01d61b5e070502ccd55ad6f1b8f61771555fc288f888bc3bf4acf5db42cb3213bae4587a9dd19ae0364680492f8ccf826f6009dd969ec477157cbb027f4226e2
SSDEEP

6144:Gg1LJLpZH0ua7uqaLNeaqPYMDQ4BTfOieY:Gg19LpZVqeNVS3DQL

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3912	DHIJEHJDHJ.exe
3096	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe
1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	DHIJEHJDHJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1808	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	7	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe
1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4292	1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe	66
PID 1724 wrote to memory of 4292	1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe	66
PID 1724 wrote to memory of 4292	1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe	66
PID 1724 wrote to memory of 4260	1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe	68
PID 1724 wrote to memory of 4260	1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe	68
PID 1724 wrote to memory of 4260	1724	34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe	68
PID 4260 wrote to memory of 1808	4260	cmd.exe	70
PID 4260 wrote to memory of 1808	4260	cmd.exe	70
PID 4260 wrote to memory of 1808	4260	cmd.exe	70
PID 4292 wrote to memory of 3912	4292	cmd.exe	71
PID 4292 wrote to memory of 3912	4292	cmd.exe	71
PID 4292 wrote to memory of 3912	4292	cmd.exe	71
PID 3912 wrote to memory of 3096	3912	DHIJEHJDHJ.exe	72
PID 3912 wrote to memory of 3096	3912	DHIJEHJDHJ.exe	72
PID 3912 wrote to memory of 3096	3912	DHIJEHJDHJ.exe	72

C:\Users\Admin\AppData\Local\Temp\34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe
"C:\Users\Admin\AppData\Local\Temp\34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe
    "C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:3096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe

Filesize
1.8MB

MD5
d433fee70e60de32de4608f07bed7d2a

SHA1
8b84224c8319705317340392ad99bc529183a7db

SHA256
0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7

SHA512
ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe

Filesize
1.8MB

MD5
d433fee70e60de32de4608f07bed7d2a

SHA1
8b84224c8319705317340392ad99bc529183a7db

SHA256
0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7

SHA512
ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
623.9MB

MD5
b15bcd49c67c6937f7f3162e2e73754f

SHA1
f96f2116f0674b6861851413b1608e8ba2fb7ce1

SHA256
332dc42298845bb9bcd2e35e23b4bb127af9729bfd783b5066f750816609a950

SHA512
12cd6c6e0b4fc6cd4bbdc2b6a2053391651338f6d6137e66d41d6101fcf709321e6711d85ea060608aa6925b7c3aa19023942d0405e3d1975030b9b43662fc30

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
655.4MB

MD5
e1a31b48bae889a3218d9a92afa8f5d5

SHA1
d02e673e834b5f0839869c699ab116cbe44b5373

SHA256
b1b3f0ae07ba9fcdb66e5874ad1283470969852c92ea30fcbca86c3be7969d8a

SHA512
80c4f2877d138d2c457f6b04e071c892e14aa1f2fbb101986a1182b42298cd68e49c9808f0d15e1c7cdbcc18212f6bb85ad062c2205dd47105b0704ac693acea

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
643.1MB

MD5
18e65b0327521807f8b4a805ad004a2d

SHA1
8ee09ff4eed40b6fa030158faecf6aa9a716ab68

SHA256
2e670c021e42a7107fde44b97ff97263c3b9457c4a608ba889c08131602a4a3b

SHA512
54372db03ce532cf92a9237037ae120feb81677a593f36bc335a55de58103f0860877b9f5f4b7902397e58ae1eb44b506f8cadc94be053859a3711d3d0d698bb

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/1724-123-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1724-188-0x0000000000400000-0x0000000002AFA000-memory.dmp

Filesize
39.0MB

Download
memory/1724-192-0x0000000000400000-0x0000000002AFA000-memory.dmp

Filesize
39.0MB

Download
memory/1724-122-0x0000000002C60000-0x0000000002C75000-memory.dmp

Filesize
84KB

Download
memory/3096-208-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-209-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-204-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-205-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-206-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-207-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-216-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-215-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-211-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-212-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-213-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3096-214-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3912-202-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3912-197-0x0000000002660000-0x0000000002A30000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing