laplas | 683d200bc03f75a371ad5f8e6ce353c36eddca7c3db3cc155852ed675ec627be

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2023 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

1.9MB
MD5

8a72fa049d56ec4cacc2829db61552a6
SHA1

fa0b26a405751d1119ba005cc354583dd0ac19a6
SHA256

683d200bc03f75a371ad5f8e6ce353c36eddca7c3db3cc155852ed675ec627be
SHA512

49551698ac74431e630d007710f59c0f6b4a66c57f4e7e9ba123473e12db2dd5e1fcf8051cb96b8fe2fb61b9cb6230f7f4831c9446c164185041d529a611399e
SSDEEP

49152:Ql+S9xH3mSoXhsOMf6X/7otK6QvjAIwieJUnf1/8V:QUS9sSoXbMsT2KpbAWJfy

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4764	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	installer.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	41	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 4764	3756	installer.exe	83
PID 3756 wrote to memory of 4764	3756	installer.exe	83
PID 3756 wrote to memory of 4764	3756	installer.exe	83

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
753.9MB

MD5
56381e1300d79d4dc6de85fe97fa5bb9

SHA1
744c63aa701d6883c4c82dd46bb475c3cf1f1ef2

SHA256
513858688896e2bba2539b26a5c69b6cdfac019db8ae149a621c88d8c887544b

SHA512
9533099f0c2187091643fdecdcd58a25b83a52bdf1a4c44a6e57c6e6eba690984af9228d7a6c71f4ca4ce6ef8b1f0a0530c7f67bd664c059d140c14544b93c3c

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
740.9MB

MD5
86e0f22ad4e3b384a25dc6b98d24ce63

SHA1
d5a72962019878d39e8d374187edd3405bec05ea

SHA256
cd525266f193b3e9690ba3dfa756bf41f925ee4af2d0e2f8d57b5aa3759b4b44

SHA512
934ea08bbc9727a24fe21c707991df48547595c53f580fb06f517cb4cfc844eb920c4024536851055cb0e2e79e42d135f099d5b0fd9bdc550d7f0e648be6f680

Download Submit
memory/3756-134-0x0000000004C70000-0x0000000005040000-memory.dmp

Filesize
3.8MB

Download
memory/3756-136-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/3756-139-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-146-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-150-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-144-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-142-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-147-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-148-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-149-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-143-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-151-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-152-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-153-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-154-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-155-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/4764-156-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download