laplas | 6e53cd4ff1c9a249cfb8f15e0ace2d7139843b14726ef12cc26bf9b469f59c4b

General

Target

alphacrack.exe
Size

332KB
MD5

3b9a24b8d96add6e30999d01707caffd
SHA1

8c2987facc8425d0208227aa53cec0bdd056e083
SHA256

6e53cd4ff1c9a249cfb8f15e0ace2d7139843b14726ef12cc26bf9b469f59c4b
SHA512

f2a69b1f9818c1336756e8ef63f236b1308735f7b98e97165335b190ef2dd729c0193d150bc8d1c07c6b7742e8f562267b9b7f36eb06319ed1c306582d9aad8f
SSDEEP

6144:GqGW13LMNttroHH9GAowS4btkDt8Yfd/E:J13gNttryHIAowS4Zk5zfd/

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	alphacrack.exe

Executes dropped EXE 2 IoCs

pid	Process
1656	ECAKKKKJDB.exe
2424	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3264	alphacrack.exe
3264	alphacrack.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	ECAKKKKJDB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4404	3264	WerFault.exe	76

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	alphacrack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	alphacrack.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5080	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	44	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3264	alphacrack.exe
3264	alphacrack.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 5048	3264	alphacrack.exe	86
PID 3264 wrote to memory of 5048	3264	alphacrack.exe	86
PID 3264 wrote to memory of 5048	3264	alphacrack.exe	86
PID 3264 wrote to memory of 1012	3264	alphacrack.exe	89
PID 3264 wrote to memory of 1012	3264	alphacrack.exe	89
PID 3264 wrote to memory of 1012	3264	alphacrack.exe	89
PID 5048 wrote to memory of 1656	5048	cmd.exe	92
PID 5048 wrote to memory of 1656	5048	cmd.exe	92
PID 5048 wrote to memory of 1656	5048	cmd.exe	92
PID 1012 wrote to memory of 5080	1012	cmd.exe	94
PID 1012 wrote to memory of 5080	1012	cmd.exe	94
PID 1012 wrote to memory of 5080	1012	cmd.exe	94
PID 1656 wrote to memory of 2424	1656	ECAKKKKJDB.exe	101
PID 1656 wrote to memory of 2424	1656	ECAKKKKJDB.exe	101
PID 1656 wrote to memory of 2424	1656	ECAKKKKJDB.exe	101

C:\Users\Admin\AppData\Local\Temp\alphacrack.exe
"C:\Users\Admin\AppData\Local\Temp\alphacrack.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECAKKKKJDB.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\ECAKKKKJDB.exe
    "C:\Users\Admin\AppData\Local\Temp\ECAKKKKJDB.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\alphacrack.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 2340
  2⤵
  - Program crash
  PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3264 -ip 3264
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECAKKKKJDB.exe

Filesize
1.9MB

MD5
ad71a24d622cbb5f8335ead026d1bdfc

SHA1
f95ddc723a16ed62fc670069a2e33e358ff68faf

SHA256
9178d0152c7511a2f09a96a647508c211ad860780a50a753ed4c22c0fd71ec98

SHA512
c5fe10a019dabe6cac7e2b50c3e5e2616a66a35c46d7aad600f501a1afa71020e53527c13a3e1bdf0606d362a4c13ed36cda44b2cd8be06cc330d4fa4fca47f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECAKKKKJDB.exe

Filesize
1.9MB

MD5
ad71a24d622cbb5f8335ead026d1bdfc

SHA1
f95ddc723a16ed62fc670069a2e33e358ff68faf

SHA256
9178d0152c7511a2f09a96a647508c211ad860780a50a753ed4c22c0fd71ec98

SHA512
c5fe10a019dabe6cac7e2b50c3e5e2616a66a35c46d7aad600f501a1afa71020e53527c13a3e1bdf0606d362a4c13ed36cda44b2cd8be06cc330d4fa4fca47f1

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
281.9MB

MD5
4fc35cf17ff8906ff7d9cf8109123d4b

SHA1
f67c61e8250c2586e412d527f1ed712d33072518

SHA256
f828d19443076d3ea53c11945cdd290bd1450732722481d5825fca49d5b65b5d

SHA512
caca5adcb2d641aba7999339456d289df18294ec75d1ac230796240f9ed743697fac6d7d01b74ef89f6575b556eed624da9579ceb2941b4b2983781af6e524d8

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
276.9MB

MD5
01df674707de0668fd2a852fbc9de503

SHA1
362ff37f9b7a98eed42cc4ae711678b4be4b0dd0

SHA256
6b0a35d3406ff9460dafee59c45b9738bc04c5c3c65ed5d5037e0b418772a77a

SHA512
dc8cfb00065206f7305374503adbcf2ae286d25b965140d00ca5d9940dfecb61d4c17f3e6ac3d51dc031648427dd189d50e600696f740a87ef16f2c3a52794cf

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
287.7MB

MD5
de0bb93acc7c01b45c089ef28716a4b9

SHA1
07e22053dede0d1adfbc81b2530ac069925c3166

SHA256
d02cf2e0b2892df5231ded51e0d044f8b6f7a0847935905bf16ca0599575550d

SHA512
ba1516396a2b59663ed67e584de3045495a5181707fcb8c7efea2122104c8637dd6f67e15a98d731bed74158aaff5f0fb9644d7078384ffa4de40cb2aa5fcaa5

Download Submit
memory/1656-220-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1656-216-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1656-213-0x0000000004BF0000-0x0000000004FC0000-memory.dmp

Filesize
3.8MB

Download
memory/2424-230-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-227-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-236-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-223-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-224-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-225-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-226-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-235-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-228-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-234-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-231-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-232-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2424-233-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3264-214-0x0000000000400000-0x0000000002B03000-memory.dmp

Filesize
39.0MB

Download
memory/3264-137-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3264-148-0x0000000004850000-0x0000000004865000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads