laplas | 612b18a70f6dab4cf630c4892bfe908e0eaa7ffc9411f3ac2bb37f25e3187ead

General

Target

setup.exe
Size

1.9MB
MD5

e90f2482c026aab425f916f8c178350c
SHA1

1bc4d3728e9eda9fb248d1aec58b22f9990c0a40
SHA256

612b18a70f6dab4cf630c4892bfe908e0eaa7ffc9411f3ac2bb37f25e3187ead
SHA512

fe91ab479db3ded438b41a638494d58901957a0ac7d6d80425d2048aff069791008ce6bf8d343bd8f54c3e2cf032413afc574a5ee76c4957551ac14fa197b900
SSDEEP

49152:QcvCEnJ5rrgx7U/FFOAnh0Q7OuQJL/KAF4pJJ9peX9:Q0tJ5oxodTx2JR4pJJveX9

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
852	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1536	setup.exe
1536	setup.exe
852	ntlhost.exe
852	ntlhost.exe
852	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 852	1536	setup.exe	27
PID 1536 wrote to memory of 852	1536	setup.exe	27
PID 1536 wrote to memory of 852	1536	setup.exe	27
PID 1536 wrote to memory of 852	1536	setup.exe	27
PID 1536 wrote to memory of 852	1536	setup.exe	27
PID 1536 wrote to memory of 852	1536	setup.exe	27
PID 1536 wrote to memory of 852	1536	setup.exe	27

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
225.8MB

MD5
4c23d9f19a8488505469b751e844b159

SHA1
51c1b76ef700e77ff3aa64f8a4c50c64d98b15dc

SHA256
30a749b930e930a56ab438de2d54d65a242cb5606bfd82f58dcf2601a3e36062

SHA512
9495e7ae02dc32b1ece39d1e7b4705923f70351050be998df2806e8cc4589b1a561e1ef62db30628cd84ab966c4b29cac1a9016035e60fbae1ffc3ab7c5eca78

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
242.1MB

MD5
3cbaefb0284a6ffb92d3146b29528a73

SHA1
e9a13407f0a3e4e385f700a4687bf23cd9baed24

SHA256
0131ef6411a00cd8e492ca0c5070daea3fab0dcc7a8a577413c936e0a198f098

SHA512
06f2ddf1a7a253c1ff8692a4923aa3466b2ae2707c4ba16a12da87e5bfe365c44c8c73f3ccff4bb2ef0cfa1dfaa969c57a821178c19afc8e5e725cb6c1f268b3

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
242.0MB

MD5
4e5af867ffa11c8d66a0cff9c96f2532

SHA1
84449f5f1c6047b59af460c9949cbde3d6525e09

SHA256
292054f04f6acaa8f4f0945ed8c0c60836addab106226747ab08eddc01dededc

SHA512
748ab31468af14761ead10212508a22bfa5d0e3ad71e7ddc81da2a742519477f4b7441aae31f45eec91d4119ab3dde82d6ed593e920276a8f23f5ddb3c97b912

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
134.1MB

MD5
210197c28f066f9e2d7b240e8a7f6d5e

SHA1
0b055d6f4bff04e4e9147fc7cb61e39b038c40a6

SHA256
9e7c686a6357e10a0cd732cde611c2a85cfae465415a676fbcf93bea11cfb2d4

SHA512
acb1a08b79f943ed44c89c514cf3e284bbfe32db06d643f8d2bad768f4d10c4126637cb386374c869b969974d76fdce292d30ca66c2dbfdb7b75fcbe2e721b45

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
128.7MB

MD5
321d95355aa7870c4688a5dc93f3b583

SHA1
08b804ca0a076a3fc098a22d486ca090e8873be8

SHA256
0bdc33e261b90ebe9c26d8d38d2cec7fded8c06b89513aeff54bb397c50b4d16

SHA512
dbe96cfd092b26229c5c8f0bae016c3460676f2b2ce558a286887b3ea6975a02397d5aebc4027d0d6501cd318f929596f694f102f4c0b23a89ec031a14f563e5

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
238.2MB

MD5
8b5439b1024d63dbde8b3b3a4772031b

SHA1
53a99d3ad9a7437d5ecb5a989863d656545d3240

SHA256
0801c2e9d515ca6d09f8678cac2adfbce0c4ba15ebc2d690cdaba226dc752fb8

SHA512
c6cea971c45b6d3661bcfadaa345f88fe906dfabad28b4be8f5fdeb9ef5ea29810f91c485dd24b0796fa2480fe4095a6bcfa583c3a9fab3d08d6b6bccc440f29

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
237.5MB

MD5
d09066b92991ce6df84e4295117e99f4

SHA1
a8d9267fcfdbf5b6fe75b9853b9d1c5689925e6b

SHA256
a432657fd593039ae9abed42146c135a414be28004ea87f60cdc27cc87aa7a4a

SHA512
f86cd29e55ec2bc7ee85ccb7704b83ae64fbc26476b3d1ecea92febec36d0b1347687fad32d97e0576dd2d13d0667cede16b9d110baf6272a3aa98d0d978a051

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
233.2MB

MD5
3b5d7c30fe8ac7cceb45b82c1fce7745

SHA1
7fe02b7e8e4301b18ca71c4c3fd732ff5347881d

SHA256
6797741eff00d763f67ab38149c313239ac7e0256e2f40f50e2c30d6f064082d

SHA512
cdacd14d4e95ede3cd1828dabe84731e445187c7c2691aecf0a3a229035df223d1eeb6304581221ccd03f8a866e3b5dd2e3e10d6e7c34ffcf29fed6365af9b86

Download Submit
memory/852-70-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-77-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-69-0x0000000004750000-0x00000000048FA000-memory.dmp

Filesize
1.7MB

Download
memory/852-84-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-83-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-71-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-72-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-75-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-76-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-82-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-78-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-79-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-80-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/852-81-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download
memory/1536-55-0x00000000047C0000-0x0000000004B90000-memory.dmp

Filesize
3.8MB

Download
memory/1536-54-0x0000000004600000-0x00000000047AA000-memory.dmp

Filesize
1.7MB

Download
memory/1536-65-0x0000000000400000-0x0000000002C98000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing