laplas | 539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2023, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe
Size

1.9MB
MD5

767304da223d94dd67714d4089f354ad
SHA1

cab06ce07cfd4aa406f02fb867b9dc00f6b0fbb9
SHA256

539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5
SHA512

d1cb342c29b3c0a16c284f9453d43835efedeadcc276e83566a178fef2f67e01cb3e0ee7dbcf381b51a76f646c080b2ed63ab06f85a818fb9d11b2abc33e33b9
SSDEEP

49152:DadySunZffa8wPIqp74qO+jQJvXdHOgxeZX:DKySuSPLCqHkvXdug4

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2840	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3128	740	WerFault.exe	82

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	54	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 2840	740	539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe	87
PID 740 wrote to memory of 2840	740	539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe	87
PID 740 wrote to memory of 2840	740	539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe	87

C:\Users\Admin\AppData\Local\Temp\539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe
"C:\Users\Admin\AppData\Local\Temp\539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 520
  2⤵
  - Program crash
  PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 740 -ip 740
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
730.9MB

MD5
a7131138b222193d6a82c0e3fd8fd89c

SHA1
8dab202364e5ff4d1d6feecbb341dd6e1e82c107

SHA256
6a504e81eebb6e9b2da9c16717c2177381aa787b952c4b776ec74b42d81a1117

SHA512
4958ab11a4bbbd33ac9d59f5aed468df05917dc10b8bbddd5825066d632738232abf6a29fe5d2cadbc7b4cbb46a720c377ef62b62e9b7f964cfd613d572812ad

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
761.9MB

MD5
a06067dacea140497c6fc821a8bcdecb

SHA1
dab4bb78559451635b1c49b93df3b24cc2449a22

SHA256
2d734f5033b839937ce21ec6d5de765ddc5f14b08a0b57573e10b00e1d5ee3a7

SHA512
ad1b27dd343f01978f40ca680014aafb4a723a1bb199217a0922dba1475bf20f0e18f7d976c86f6073fb33f3c9e0054e0b13f6d8b4dac394193229c7a877bc1f

Download Submit
memory/740-134-0x0000000004EC0000-0x0000000005290000-memory.dmp

Filesize
3.8MB

Download
memory/740-136-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/740-141-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-145-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-150-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-144-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-142-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-146-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-147-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-149-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-143-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-151-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-152-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-153-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-154-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-155-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download
memory/2840-156-0x0000000000400000-0x0000000002C90000-memory.dmp

Filesize
40.6MB

Download