laplas | 683d200bc03f75a371ad5f8e6ce353c36eddca7c3db3cc155852ed675ec627be

General

Target

installer.exe
Size

1.9MB
MD5

8a72fa049d56ec4cacc2829db61552a6
SHA1

fa0b26a405751d1119ba005cc354583dd0ac19a6
SHA256

683d200bc03f75a371ad5f8e6ce353c36eddca7c3db3cc155852ed675ec627be
SHA512

49551698ac74431e630d007710f59c0f6b4a66c57f4e7e9ba123473e12db2dd5e1fcf8051cb96b8fe2fb61b9cb6230f7f4831c9446c164185041d529a611399e
SSDEEP

49152:Ql+S9xH3mSoXhsOMf6X/7otK6QvjAIwieJUnf1/8V:QUS9sSoXbMsT2KpbAWJfy

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1504	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
2040	installer.exe
2040	installer.exe
1504	ntlhost.exe
1504	ntlhost.exe
1504	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	installer.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1504	2040	installer.exe	28
PID 2040 wrote to memory of 1504	2040	installer.exe	28
PID 2040 wrote to memory of 1504	2040	installer.exe	28
PID 2040 wrote to memory of 1504	2040	installer.exe	28
PID 2040 wrote to memory of 1504	2040	installer.exe	28
PID 2040 wrote to memory of 1504	2040	installer.exe	28
PID 2040 wrote to memory of 1504	2040	installer.exe	28

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
209.2MB

MD5
e50d078168062d4a3df113bfe35ec370

SHA1
f3c3407d9487079275029e66581fb02984dc00eb

SHA256
39206de03b092474174c1ec078c189c7c97a3fe4079a4f34dbedca97834594af

SHA512
9914def3adc869d4c294c21620e9d7ceef1fe93a2ed9c44c3753c551bb3b77e065071e12499f7f5e0ca91e683a15b45a2c7374429d91b3aec482c77300104158

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
218.7MB

MD5
22456383fc07c09f525abb7f0c43fe07

SHA1
3763c00f2e5dadf60c49013eb81bb78cde3fba7a

SHA256
73f03cbfb6c466fbb6b5557531613db9080589d0b2e0bc0fdcec16ffe7f1afcd

SHA512
80c65e0cbc35565b7c48ec9d111672fcc58f2117b289924e1b8cf7a12ad7d173fd189e44bfef42505025e7b1c0c2e4c7bda864bebe53d9c38c718f29f7dd1dec

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
216.4MB

MD5
dd4788c7170d7c2111b9d45f79e87095

SHA1
ef8228c2bb875307c4492173be6a91d233ca0fc6

SHA256
23264db9c2dd4e93e54e583b65b0908c50e8d3f623d8512d1eb24389b8445b9b

SHA512
65aa3fc7ce54cd6d345625e703881f080b2189e781464885b7d867acb4dfcce85b5c4b66a4de2a62daaa4f07e1bb3eebe30c59b697fd389e7d152f0df4e09fa2

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
219.6MB

MD5
2a89129cd99e9efd44e67d9eeba8bef9

SHA1
93044e38d39c1ce5ccb182eeb8a9db21d26104fb

SHA256
1ce7da4b24ce9aefd87320496afce74dde45a0878fe1aab775a39d46de299a5b

SHA512
6fb613801123ff2d193b08d63b4434b450a481ecffa319dbb21bff47792b490688305bc1cb902e17515260ad4defeea5bf320376d85faf74da5df9f36e641bd4

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
215.4MB

MD5
dbdd30c4d68b9abcd760dfcd713868c8

SHA1
d74995e6582d1a03ff1c0010fdcf04940346fea3

SHA256
b574705eee7a15533df3d14245ea2c553875448eaa3eced55a1b34f1573db36a

SHA512
8947e79e9fbf7bb7aaf644bcc95e5064a59df00b24b549fb53034e9517193b57c69e48dfef6f813ee152bb8ab451ed5a2f87be9a8ba50b9b85c8298ddfe3171a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
187.7MB

MD5
ca2bff965db2897447411d5613826137

SHA1
a44de0187cc7ebf220d26e52e0cec05ce8845f07

SHA256
6135edeeded2c73af6a366fc2acb8cd40e9b35bb123ef233b3670487c34ffa52

SHA512
db7c531c6b16823fd35b818da6eb10d57554dbcd4166af9819af9b48fb79261c92219ef8aa9ee420fd76fa5c78b3b0b0474bd9b158f4649fa78407aaafef1b32

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
210.6MB

MD5
ee4f3283329d21f7e38b67fb5e36e859

SHA1
7d888408e2a22737435190c8e7129292711c0d82

SHA256
671a7a7ff2822af2cfa893865c4f38aa96b8c8add939cc5296481314b3daebb1

SHA512
52fdc4f1cd7fc468e73dbd1d9dc14c33d9f42d6e5dfdb4b1c1c7297eaab322c80c7fadd5dee8f2e6a01b32e83b6f3d22bf0892b7f3aa9bedcf3fb12aef0e7019

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
214.2MB

MD5
9ba3c71fa1834498e244cf587b71d95d

SHA1
0f63cdc0e43992c0e82a4c151dfdb0d460cdb50b

SHA256
a91a2189de4ed271d8e56d5ae60817d5685db6798d6047c9e5e5a83fb53ea1b5

SHA512
9d5ff7b2421d1c1b960ce9294844d9243b9e14f43f6fb76ae9abbdaaa4aa68963c7bddf7942d97ef24462adbe077b49c37d2a0da5ac047e0ce7a126fa3c6aec3

Download Submit
memory/1504-70-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-78-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-83-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-82-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-81-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-71-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-72-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-73-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-74-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-75-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-69-0x0000000004820000-0x00000000049CA000-memory.dmp

Filesize
1.7MB

Download
memory/1504-79-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1504-80-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/2040-54-0x0000000004800000-0x00000000049AA000-memory.dmp

Filesize
1.7MB

Download
memory/2040-65-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/2040-55-0x00000000049C0000-0x0000000004D90000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing