laplas | 9178d0152c7511a2f09a96a647508c211ad860780a50a753ed4c22c0fd71ec98

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2023 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IDH1.exe
Size

1.9MB
MD5

ad71a24d622cbb5f8335ead026d1bdfc
SHA1

f95ddc723a16ed62fc670069a2e33e358ff68faf
SHA256

9178d0152c7511a2f09a96a647508c211ad860780a50a753ed4c22c0fd71ec98
SHA512

c5fe10a019dabe6cac7e2b50c3e5e2616a66a35c46d7aad600f501a1afa71020e53527c13a3e1bdf0606d362a4c13ed36cda44b2cd8be06cc330d4fa4fca47f1
SSDEEP

49152:KQMNpBLv05kosHTzRIMvQyxmNTD/dscF96zpP6rF/c:KNNLvGkJTywxmIpzcry

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
640	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	IDH1.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1084	4828	WerFault.exe	86

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	31	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 640	4828	IDH1.exe	87
PID 4828 wrote to memory of 640	4828	IDH1.exe	87
PID 4828 wrote to memory of 640	4828	IDH1.exe	87

C:\Users\Admin\AppData\Local\Temp\IDH1.exe
"C:\Users\Admin\AppData\Local\Temp\IDH1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 508
  2⤵
  - Program crash
  PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4828 -ip 4828
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
804.9MB

MD5
a7eca1bc2c5a3c15e308375506e6b776

SHA1
cc6001953b5d3cc4202ef86f01c77b223636c1a1

SHA256
c875ec973eb0a92209c68ac986ae86fddcdc84c6f377c966d44a48d2c974d064

SHA512
bfc1e6d5e00406639ccca1b876a4475e00a206c2bd8786e3ee7361010120ddf2ea94ad3da10ebdeef5796aa584786b9f2dabe0f6ce23c237eea27762a2a6a6aa

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
804.9MB

MD5
a7eca1bc2c5a3c15e308375506e6b776

SHA1
cc6001953b5d3cc4202ef86f01c77b223636c1a1

SHA256
c875ec973eb0a92209c68ac986ae86fddcdc84c6f377c966d44a48d2c974d064

SHA512
bfc1e6d5e00406639ccca1b876a4475e00a206c2bd8786e3ee7361010120ddf2ea94ad3da10ebdeef5796aa584786b9f2dabe0f6ce23c237eea27762a2a6a6aa

Download Submit
memory/640-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-149-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-156-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-142-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-144-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-146-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-148-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-155-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-151-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/640-153-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4828-134-0x0000000004BD0000-0x0000000004FA0000-memory.dmp

Filesize
3.8MB

Download
memory/4828-136-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4828-141-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download