laplas | c18e099aff653a5616a1401ca0268c2f7a33b86012a07b2be1bd19ccde628f38

Analysis

max time kernel
146s
max time network
149s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
18-03-2023 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c18e099aff653a5616a1401ca0268c2f7a33b86012a07b2be1bd19ccde628f38.exe
Size

1.9MB
MD5

3434c9617dfb31a20021d756d977f6ff
SHA1

a5b24fcad8e1fb557fea8780449e88a14131b639
SHA256

c18e099aff653a5616a1401ca0268c2f7a33b86012a07b2be1bd19ccde628f38
SHA512

9dadb7eade2bf1bbe13e76491eaef2fe2bce97072414af712ceead6f85b4ff1665d7a5727a1d9f77d6fec60cf5453028dd751d1b7d2249177d082fbb2980a0c7
SSDEEP

49152:chH2KphK+nilTSxMDvPaqVQFghGhULV7JMRS:chpK5RSxMDvPMgGhyG

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4168	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	c18e099aff653a5616a1401ca0268c2f7a33b86012a07b2be1bd19ccde628f38.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4168	4108	c18e099aff653a5616a1401ca0268c2f7a33b86012a07b2be1bd19ccde628f38.exe	66
PID 4108 wrote to memory of 4168	4108	c18e099aff653a5616a1401ca0268c2f7a33b86012a07b2be1bd19ccde628f38.exe	66
PID 4108 wrote to memory of 4168	4108	c18e099aff653a5616a1401ca0268c2f7a33b86012a07b2be1bd19ccde628f38.exe	66

C:\Users\Admin\AppData\Local\Temp\c18e099aff653a5616a1401ca0268c2f7a33b86012a07b2be1bd19ccde628f38.exe
"C:\Users\Admin\AppData\Local\Temp\c18e099aff653a5616a1401ca0268c2f7a33b86012a07b2be1bd19ccde628f38.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
585.6MB

MD5
ce463e78e6d0eaf504b8582b38a62f0e

SHA1
a4f0d29b2b935cfe0934c6801d38e1623794989f

SHA256
b669e1edf1917da85d09a423d37dcee12ba146b4ff32b662eae43404303c527b

SHA512
d8eb8d815e6caa02fadcb01de955fc59b9c7fefd470a907cf17282d862610bada38aafa3952da18bb6367986e2dac0d9111483241101f94547017a445c403fe3

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
530.6MB

MD5
c15cb4bdde3474de9a566c975004ed69

SHA1
68f9480e113325d2268ebc4ae00c38edc371cd98

SHA256
dd2a00d907fc53b87020f5da8b1cb1331a0385fd39a6eacaae1fdb30fb2a0184

SHA512
3bedb905fc287f93662cb689c58b9623a746573459d774df905be03e872edfabf93bfa2649546702d3965a53cbef85014b2387b14f013301a5fc452b5058fd65

Download Submit
memory/4108-120-0x0000000004DB0000-0x0000000005180000-memory.dmp

Filesize
3.8MB

Download
memory/4108-122-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4108-125-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-131-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-136-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-130-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-128-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-133-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-134-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-135-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-129-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-137-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-138-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-139-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-140-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-141-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4168-142-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download