laplas | a0e69f08c2fa6024b971272ca58b242e2f315c6a02dc021f985a1ec296b4ca66

General

Target

zhiga.exe
Size

296KB
MD5

0bdd1650cdca85862e2aac7a644e72f3
SHA1

a834be9c78a2cde3013440411b970551b181cc87
SHA256

a0e69f08c2fa6024b971272ca58b242e2f315c6a02dc021f985a1ec296b4ca66
SHA512

c014db2ff3ac4d5f58847e0318ad407c300df69c4273539187e952e34dd70f9706eeb52dbadba8919dabe738c8a239b09c85a910985ad88eef69b9290bfb5720
SSDEEP

3072:SK/jgHLAaGdaDsI4SQ19KupQhKH4xSaUeNeNMX58TztNrS94Enu:zgHLATdaDsI4/XReUeNeNtfrKHnu

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	zhiga.exe

Executes dropped EXE 2 IoCs

pid	Process
3368	FHCAEGCBFH.exe
4424	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1500	zhiga.exe
1500	zhiga.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	FHCAEGCBFH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	1500	WerFault.exe	85

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zhiga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zhiga.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4248	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	42	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1500	zhiga.exe
1500	zhiga.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 760	1500	zhiga.exe	87
PID 1500 wrote to memory of 760	1500	zhiga.exe	87
PID 1500 wrote to memory of 760	1500	zhiga.exe	87
PID 1500 wrote to memory of 1456	1500	zhiga.exe	89
PID 1500 wrote to memory of 1456	1500	zhiga.exe	89
PID 1500 wrote to memory of 1456	1500	zhiga.exe	89
PID 1456 wrote to memory of 4248	1456	cmd.exe	92
PID 1456 wrote to memory of 4248	1456	cmd.exe	92
PID 1456 wrote to memory of 4248	1456	cmd.exe	92
PID 760 wrote to memory of 3368	760	cmd.exe	93
PID 760 wrote to memory of 3368	760	cmd.exe	93
PID 760 wrote to memory of 3368	760	cmd.exe	93
PID 3368 wrote to memory of 4424	3368	FHCAEGCBFH.exe	98
PID 3368 wrote to memory of 4424	3368	FHCAEGCBFH.exe	98
PID 3368 wrote to memory of 4424	3368	FHCAEGCBFH.exe	98

C:\Users\Admin\AppData\Local\Temp\zhiga.exe
"C:\Users\Admin\AppData\Local\Temp\zhiga.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHCAEGCBFH.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\FHCAEGCBFH.exe
    "C:\Users\Admin\AppData\Local\Temp\FHCAEGCBFH.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:4424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\zhiga.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:4248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 2140
  2⤵
  - Program crash
  PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1500 -ip 1500
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHCAEGCBFH.exe

Filesize
1.9MB

MD5
3c491cde84daac60101335966f900fbd

SHA1
864776f60349bd90f2ae409286d3401e4ec9b63c

SHA256
f82abb756b52669b2dc6911e2d84189018887416fbcf090f8ce32dc7c55a6fb7

SHA512
72f8c94c990bc04f9e48b7124c44b16b617eb02d0fbc11875fe62d01e8da336f4f11e93ca1bae9918a01767174a7232eabed2132c8124ef807ffed964de42f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHCAEGCBFH.exe

Filesize
1.9MB

MD5
3c491cde84daac60101335966f900fbd

SHA1
864776f60349bd90f2ae409286d3401e4ec9b63c

SHA256
f82abb756b52669b2dc6911e2d84189018887416fbcf090f8ce32dc7c55a6fb7

SHA512
72f8c94c990bc04f9e48b7124c44b16b617eb02d0fbc11875fe62d01e8da336f4f11e93ca1bae9918a01767174a7232eabed2132c8124ef807ffed964de42f1e

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
351.6MB

MD5
5ff43c7dd33781e842d4be8480e28023

SHA1
a50993196d9a69c0bddf845755136f484c6ac3ef

SHA256
bd57383dd99179fbc7593fbdc9f18ff0d73d97eea8ff434088c5f48031bb3c56

SHA512
8f747ce1ae7fabc8ff003989cc1b008d03c7a44ca99ee1056144cedca45f41eacb036ff19755cf8c6d923d1c7b93bfcba4fe7c6634d0e24eed0b3b5eed654a40

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
343.2MB

MD5
5d2f4821a38084d50da55c7285a5abf5

SHA1
a498b58567131471dd6373644dce6768cb85c364

SHA256
2dcdff71e116244dec07666e4e6c9c49e654f7c0ac536f3a22721d9f6077a51e

SHA512
a278486463b85866f3c84b2404e1257f8e93bc3dfbb2db94b54f519b6a0f710aa2a420835eb59218ecfaa68e8413ade5ed59da16defc1bcb7ee90edda4407ddf

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
303.0MB

MD5
c65c8adc5d83c290a8ffbe78cd949aa2

SHA1
a2bc8a1e7560bf19455091401d7394217f4bcffc

SHA256
72c824a1e0faaa7d2ff8437f4d01a6efec0915f8a8297ddc29cafb6f4a1cd786

SHA512
415fcbdc66e820985c5eb7068a6324b37f52567d1a04615d85141640e3669a830311cbf0a3462e3c65febe84266c181fc66814fb98c5b06cb532520f9c5159fb

Download Submit
memory/1500-208-0x0000000002C90000-0x0000000002CA5000-memory.dmp

Filesize
84KB

Download
memory/1500-216-0x0000000000400000-0x0000000002AFB000-memory.dmp

Filesize
39.0MB

Download
memory/1500-202-0x0000000000400000-0x0000000002AFB000-memory.dmp

Filesize
39.0MB

Download
memory/1500-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1500-134-0x0000000002C90000-0x0000000002CA5000-memory.dmp

Filesize
84KB

Download
memory/3368-215-0x0000000004B90000-0x0000000004F60000-memory.dmp

Filesize
3.8MB

Download
memory/3368-218-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/3368-221-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-226-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-225-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-224-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-228-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-229-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-230-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-231-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-232-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-233-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-234-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-235-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/4424-236-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads