laplas | 7c849ca7534ee84e5e769f3f84f6af78121bc4e45b9888d1fdbfedd338b7e606

General

Target

Installer.exe
Size

1.9MB
MD5

78d8d347bab1cea911f9c841654acef0
SHA1

81597af51260f0e810095374b3a997952dd67101
SHA256

7c849ca7534ee84e5e769f3f84f6af78121bc4e45b9888d1fdbfedd338b7e606
SHA512

77db0a76049cd38999753b7b7d0fb22ab6d5d5ae6727c2385526e2da5bdd7617e5a67f2e5419a06622a8e674ef810fa7cfe3d1bdefbb8a79253d890b07d39230
SSDEEP

24576:YcOkrpxc/T6kiXls2hPSu/9h0rxJSAWI3Hlbgcgtoz9Le7+fC8US431Tgt/Ts:YXkrH0Wdf9yTRlbgcgq9Le7+fppw1T

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1764	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1760	Installer.exe
1760	Installer.exe
1764	ntlhost.exe
1764	ntlhost.exe
1764	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	Installer.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1764	1760	Installer.exe	28
PID 1760 wrote to memory of 1764	1760	Installer.exe	28
PID 1760 wrote to memory of 1764	1760	Installer.exe	28
PID 1760 wrote to memory of 1764	1760	Installer.exe	28
PID 1760 wrote to memory of 1764	1760	Installer.exe	28
PID 1760 wrote to memory of 1764	1760	Installer.exe	28
PID 1760 wrote to memory of 1764	1760	Installer.exe	28

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
219.9MB

MD5
508dac8fef26e2ca4f839f0a1611749d

SHA1
0f4b51a67bf76b2936fae43dbca11456a004287a

SHA256
6890f89e0ac24ce14d5e2184570b5fd87ee45b1b96899be48cc28b1418b4599e

SHA512
8913c47b0197082caaad73953eb128b25a18765dd51e17d71d16135a77ae846f4dbf3aad63cd58560c22071759d2870631962824e09db1773a05bf20a718329e

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
229.1MB

MD5
dfc852b4893f2db3aae7c96eca19f424

SHA1
39d6dee1e63b4ff5d021b86e7da914fdbecd56d0

SHA256
6998b179402afa95c6d19ca29041794fddf8b10f95c80b5d9640a4e395e2ca99

SHA512
a712aa92a91259c92f2a3eece186b1a30ec7fdc6c08e0db053053cd749a4b7b877ec8f9f63dc6559656fa83f73c3d27ca3462bf60f357744058dd0b97cc7d817

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
204.4MB

MD5
4b8613d064967089af5e01d5e327b3b0

SHA1
ead9f3728986dd0f2d6fca80db4abc6012d5cc44

SHA256
04ebe0c31388d69af03532659422b65b5fdead63f8c39f4cc845c37dca84159b

SHA512
19a29702deefa2c63b8ec7a72221563eac971521fea9fa8e5ab4e3bea69e09f50435f2ca5a55befc919bb13167d7be42041cfe14cdd30874d6869982a4207c8c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
133.2MB

MD5
2550fd6e42af59338ceb50c6ba79ae09

SHA1
93f115212b557f5fe9a9b8b1f7e2adb8fb0a395f

SHA256
83bfc1430612d7bb4e914fdf3d84c1095bc3d2fd9f9f1ed9de6288f60ee4ea16

SHA512
680431f9f47e0c18235b27f415e7ae5ce2dd217edecabd469fb8fcf9d5fa76f56d6ca690ae83b29d0e45e12f9627092aa0799cf22d7e799662bb0e2e726c3ca4

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
236.3MB

MD5
a27e09338c37d8bafb9e306cbdfb358b

SHA1
5dc5bea9d8f2918d4015042f9465d2850b9aa3a9

SHA256
2bd2f993b6e2ab715aea294ff9ed6519115e8f6665e61a495e5a897f3f1047fc

SHA512
3c18a7431c457806c69391bccb5cb8f0ed7d286739302c747fb1546f5d4b57e344c5a7f6d1d54aa81cbf40a523246dfe37788b6c4ce5f6160cb6ea341137cc61

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
235.3MB

MD5
5ed6834ede6e5a64e7745474c13f88be

SHA1
41fa9ecc3c92341cb60ce8f99072438d61c4bb15

SHA256
41d877864a88dfb006851919969245321867f4cf4d12de66d34096c2385c6521

SHA512
9a070a15b893c2cdecb5a605b9cff95d9fe5245793bf12f610635133132f68c6875502a7605857e536e72784f4e1873abd5bb5b89ed20bc6fce341017e086243

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
218.9MB

MD5
1f141ddc297299c1ab1bb3cb86ecf194

SHA1
ee7e8346fb176cb4c5e01936d332ea250b24142b

SHA256
85a40b4445a94311d6be2843e2f11be0078717a3d3d1cf1fe7c9e135ad227eba

SHA512
70e6dbc3fe4cd9f9e15da5bc49df0e678325713c30e7b4c9f1557e6a87a0b08abe78a341b24eaeff3a6f2156a776ea67564d48909c315af94ac316b636621e49

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
237.8MB

MD5
a81819b6dcb5621682f084fd6b50a079

SHA1
ad6dbf49491778c860eda6221b0e128704557470

SHA256
973697279e14596dfb5ca4c2ad8f87f5949104bbaba29fc58e368f1cd1043f79

SHA512
5430031a1f4c35b1fa0a1854940379bab84ead7d67b5e0f7ca71c8dd9733a05c62ea6d9c39a62b2a7e1a5aeed35a32451410cb3ace21dc22d960987df52e1a87

Download Submit
memory/1760-65-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1760-55-0x0000000004A20000-0x0000000004DF0000-memory.dmp

Filesize
3.8MB

Download
memory/1760-54-0x0000000004870000-0x0000000004A1A000-memory.dmp

Filesize
1.7MB

Download
memory/1764-70-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-69-0x00000000047D0000-0x000000000497A000-memory.dmp

Filesize
1.7MB

Download
memory/1764-71-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-72-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-73-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-74-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-75-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-76-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-79-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-80-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-81-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-82-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1764-83-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing