laplas | eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02

Analysis

max time kernel
147s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2023 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.9MB
MD5

bdd49eb42688886ee312ae57d9d1f654
SHA1

9fa1b8eb6b546d78150324b2303b9425b8f23dc5
SHA256

eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02
SHA512

6bb152f179c781a26107e9f3e2084f2e70fc15835c30d40cfc27d3d354ebb3214851a9cd350f1504b151fa792c5ac8d6290f3b4da5c8839ee3b759766e92a586
SSDEEP

49152:fzmvpQccgreskIaAUgrqgHkrWIF994X5IBY:fzOJtqgHkVoIB

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2680	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	39	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 2680	4312	setup.exe	90
PID 4312 wrote to memory of 2680	4312	setup.exe	90
PID 4312 wrote to memory of 2680	4312	setup.exe	90

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:2680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
813.9MB

MD5
d5204f389154e606178addeab36542c6

SHA1
49e6c204b1e39aa2ea475f23e3fd1495f368153a

SHA256
0e65669e6c32dc2b0292330fb4ce75e8aec101243410e90e0d5b4958b75a03a5

SHA512
e6b1ff9dcfa1e1ec26982fcff0badb5ea758ff0d3cab0aa8b8c74358b7b98d0131565985b67e701f0b1a115f534c093c042eace3b385838bb9b9554431a95c1a

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
813.9MB

MD5
d5204f389154e606178addeab36542c6

SHA1
49e6c204b1e39aa2ea475f23e3fd1495f368153a

SHA256
0e65669e6c32dc2b0292330fb4ce75e8aec101243410e90e0d5b4958b75a03a5

SHA512
e6b1ff9dcfa1e1ec26982fcff0badb5ea758ff0d3cab0aa8b8c74358b7b98d0131565985b67e701f0b1a115f534c093c042eace3b385838bb9b9554431a95c1a

Download Submit
memory/2680-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-141-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-145-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-148-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-168-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-166-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-156-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-158-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-160-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-162-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2680-164-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4312-140-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4312-134-0x0000000004A00000-0x0000000004DD0000-memory.dmp

Filesize
3.8MB

Download