laplas | a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951

Analysis

max time kernel
148s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17-03-2023 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe
Size

1.9MB
MD5

bffa52b5cf6599656807cd59666821d4
SHA1

a5b4f03c320488e0c616c7070166c3eccfe235c3
SHA256

a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951
SHA512

6cc12e483dfb8e6680621fc5536158211c26ab82191db935731c3667a3c44c135edb34ec10809bb4a1ec8007eac8f2af424e130d8810ed34370ef9b9a9fa94c8
SSDEEP

49152:AtsFLm7INZOOBfPcdTG9I83aewdjxB0n+2Jlzwz0:At2LmCOOBfEdTXiwd0n++lR

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2016	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2016	1604	a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe	66
PID 1604 wrote to memory of 2016	1604	a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe	66
PID 1604 wrote to memory of 2016	1604	a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe	66

C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe
"C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
623.0MB

MD5
07401a9e721605db5a17d00d9bf58e2a

SHA1
dbdb00f88bfff661e6ca754c55ad7068ccf93fd2

SHA256
b336e61f13b2b7488801e369065e681270a86b4834220e96a9061a8b78359d7a

SHA512
97a44772d753f31a3fd96539d6fbbe37f7733e18c1e664c8b74d72982535141c544fb672cd86548b2696c1315ef3643d99fb692b6bd85b1fe735317d4ff9adf1

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
700.8MB

MD5
22ab87ce33d709bc1320ebe30363ebbe

SHA1
36fb0b5006dce17ed5eda305fdd796ee49c61d6b

SHA256
8eff538637551ad45a67a2230e33636fce248d0badf9df0b0cfba00fe0c52dc6

SHA512
737a591930a33e9a2078f33b0bd3adb0c0a9ef877eebfe13093a074acfe7d474b1f6e541cabaca867b031d79979f86674ae47f70575a815b168e56a54de6afea

Download Submit
memory/1604-122-0x0000000004B50000-0x0000000004F20000-memory.dmp

Filesize
3.8MB

Download
memory/1604-128-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-134-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-137-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-131-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-133-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-129-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-135-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-136-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-130-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-138-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-139-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-140-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-141-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-142-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/2016-143-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download