Overview

overview

10

Static

static

1

lap.exe

windows7-x64

10

lap.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-03-2023 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lap.exe

  • Size

    1.9MB

  • MD5

    3c491cde84daac60101335966f900fbd

  • SHA1

    864776f60349bd90f2ae409286d3401e4ec9b63c

  • SHA256

    f82abb756b52669b2dc6911e2d84189018887416fbcf090f8ce32dc7c55a6fb7

  • SHA512

    72f8c94c990bc04f9e48b7124c44b16b617eb02d0fbc11875fe62d01e8da336f4f11e93ca1bae9918a01767174a7232eabed2132c8124ef807ffed964de42f1e

  • SSDEEP

    24576:mf8Wd/isEwOuPdRIsUG5uttp+CUbs0VhKF8gcC8h+WPzJezRevpepQ/nT0WDdOp:4FiTwO8HIsUG8tp+C8jth+IezeqeZO

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lap.exe
    "C:\Users\Admin\AppData\Local\Temp\lap.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:4368
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 428
      2⤵
      • Program crash
      PID:4748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2244 -ip 2244
    1⤵
      PID:4056

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      760.9MB

      MD5

      1d7b002e84b725a859caeb8baee5cf4e

      SHA1

      e2ce22c80a4316a590a82b0c3847537e6ea10155

      SHA256

      15baa91dcd5fd86521966f62c6ac20bc18d6496067126619d4fd446666b9ee38

      SHA512

      76b7a684c9d5236aa891b310984975ab33a185cb21ffdae5a3545d237dad0e4b0e881b2c1d6f2302daeab8a74adaab2d10778f110c2ec5f431635a9061d6fe93

      Download Submit

    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      645.7MB

      MD5

      c9de8592fb9b582f936e49e41c36cd6b

      SHA1

      c4aed02a5ee003b46e985cfb60750a81ec50f7d2

      SHA256

      9e779699e9f2dddf9c882271f5cd0d432ec47b5b108ca386bee105f1ea6b70aa

      SHA512

      82755a76df7fc10e1655e18459a982fe7ec2f3685624ffabce3957eed148d7af3e7e72a486b7f215936acebd95a9941c51191504b678bab77ca96afe5542476e

      Download Submit

    • memory/2244-134-0x0000000004B60000-0x0000000004F30000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/2244-136-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/2244-141-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-146-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-150-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-144-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-142-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-147-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-148-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-149-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-143-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-151-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-152-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-153-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-154-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-155-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-156-0x0000000000400000-0x0000000002C8F000-memory.dmp

      Filesize

      40.6MB

      Download