laplas | 9178d0152c7511a2f09a96a647508c211ad860780a50a753ed4c22c0fd71ec98

General

Target

IDH1.exe
Size

1.9MB
MD5

ad71a24d622cbb5f8335ead026d1bdfc
SHA1

f95ddc723a16ed62fc670069a2e33e358ff68faf
SHA256

9178d0152c7511a2f09a96a647508c211ad860780a50a753ed4c22c0fd71ec98
SHA512

c5fe10a019dabe6cac7e2b50c3e5e2616a66a35c46d7aad600f501a1afa71020e53527c13a3e1bdf0606d362a4c13ed36cda44b2cd8be06cc330d4fa4fca47f1
SSDEEP

49152:KQMNpBLv05kosHTzRIMvQyxmNTD/dscF96zpP6rF/c:KNNLvGkJTywxmIpzcry

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
844	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1104	IDH1.exe
1104	IDH1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	IDH1.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 844	1104	IDH1.exe	27
PID 1104 wrote to memory of 844	1104	IDH1.exe	27
PID 1104 wrote to memory of 844	1104	IDH1.exe	27
PID 1104 wrote to memory of 844	1104	IDH1.exe	27

C:\Users\Admin\AppData\Local\Temp\IDH1.exe
"C:\Users\Admin\AppData\Local\Temp\IDH1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
389.3MB

MD5
59bf7612ddd0891307dcf821ce4af3ff

SHA1
c8827549ec4b62cb6be19685dcc209c82ba098fb

SHA256
1521ef0bd53b6133859050f60c797648d628c4b9d1c80c8e2d2dd06cf7bb539a

SHA512
bee6e098639f3e4b5fb35e1c24d425a62ba72daf0fd28fb00725d7c173c707da89af50809d9488740b3c63bacd5724219d81725f5efe1cf89fb9c7bb35457678

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
360.3MB

MD5
6783baf581b2bdd50ecf3671c6d8a180

SHA1
8d68233271d0bab6d8e1da19055532fc1bcabfba

SHA256
34f58e12dbb7f2877f32633379bff75af9d5456e8c30d9efb03e5ab9dd4e1a57

SHA512
a54705802d0d77a23e083a079ea802f23a2eee2aa3b9b0ed0c79a808bf414bd0ea41f91766f2b53e2de153dfa7acfb33adfe6f330ddfa4a4a97392365720751f

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
282.1MB

MD5
ebef0e7204658fb5bc3b5b830e10609d

SHA1
b7655651948c873a37832bc856b587cedf59bbec

SHA256
e009e98a2f89e3720e39b236a5ecd632b34e3ffce8de518b9676d0ba59919b9e

SHA512
870640c5e9760ef3c7f301b0a45f21ae5162c18a6c229eda65480a9ac7d6ed2745e0e36510305dd2cba0250489b07e3ab63622d33901efea32ab30a50d9f38e2

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
384.8MB

MD5
6501e8939011518cd0403bd57ebd6ce7

SHA1
3601deb8f90ee7756ddb8392cce2e4f364025723

SHA256
0c721bf31d55b3e7d5137e0be7d74e614ec910ba2e3b4b752cc71842f242d568

SHA512
ee0818efdba2c99962077d29b7630710106c867c8949917ddf182f175725092221bcdaa2d17771044ee27ab228cd7030d98854e961a67f217bc9b9ffee344018

Download Submit
memory/844-68-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-71-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-79-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-78-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-66-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-67-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-77-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-64-0x0000000004550000-0x00000000046FA000-memory.dmp

Filesize
1.7MB

Download
memory/844-72-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-73-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-74-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-75-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/844-76-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1104-54-0x00000000045C0000-0x000000000476A000-memory.dmp

Filesize
1.7MB

Download
memory/1104-65-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1104-55-0x0000000004770000-0x0000000004B40000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing