laplas | 94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a

General

Target

setup.exe
Size

1.9MB
MD5

9eb001d8fc03b5ac327076e5454c1538
SHA1

fd609a4183d2cb6b1091fcdf4d543ea1b5bc7fda
SHA256

94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a
SHA512

e3822fd0aa77eae9fc06011e888a2164518e436b9e231eb7306997eff7817a15facb250259dcabe629882f5e9fbe0f2aee1128e221ff0f7f1048e6754e443604
SSDEEP

24576:8lnXu/5rLOHsKtiO5LM0GAWYZuTXx7kZ6BZy5A5j5S71Y+/S+a7IeXSLTn14ZoFQ:UXukMAi8BWXzSYOA5j5s1Y+/NuXc14

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2044	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1716	setup.exe
1716	setup.exe
2044	ntlhost.exe
2044	ntlhost.exe
2044	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
219.6MB

MD5
34a37fdabf5aa5b3c378cc810bc243fc

SHA1
2af8f8953faebdae7e48ea5bf158af21f54c75f9

SHA256
1c7c8a7d13f716f5e5d364b411e808d15ede0a2d45e32c4e1a12b98e137e46ff

SHA512
0f00f0eb7371baef0e3284d13c5a593ef6c2266e40f3d0d5f5be90571519913379c842d5d5da219c93742eb77b6de46f4d2d97da267d25c0c41766d8716c28ec

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
235.8MB

MD5
7ec3217b0122b369759beeffd114bd34

SHA1
46e684e17833c674bf3b5f1287001a8969893e7b

SHA256
4ce50ce4c00219a6badbff72e0dd30ee00c91cc13ad89f04ca05cf5089bef493

SHA512
41cf76e96750a704c9f528a915860eb430c140017b26795e643117f8642d0829df222481a547ccb502fecbeccb24308466c49a819e6124573271053311946094

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
237.4MB

MD5
e0f1467b498c9990c83ee8e580332a01

SHA1
89ae8e312c16dc34c7f0506b9664c2570d9ff467

SHA256
efce2df59251c84a2d1cc43bfd48dcfd7f7593a4594a49356a9a95d086576ee0

SHA512
fc48322ee8924fb5115dcb9f79ee3c86b35cbe34401ce0be6a8aa77482de44c3ba4ba5026f91ddbb83ab5b12ab96008cbd6bc94bcd058a38e8c9158af26e32ff

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
133.6MB

MD5
49e9898f83c8db98cda8a72e91ae4294

SHA1
9ccaac43e8b0f6f20e2cd1d8687ada424b2455da

SHA256
addce0664035fcbb6aed175a673369e3e1545228d32b65d9c19c2590bbbb673c

SHA512
bbb8e6579700ad56a2fac2afe8933e8ac234278ce959ab0e1ae4f7cb7cd4d50d2d0c6d26ab68e32ac7d5766c3f275516b33d344608303f9a0dc9579b2c897654

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
201.2MB

MD5
061453b479078fdb84769e4748697e77

SHA1
48407ab1816d9b18c4ac3caa6b816bdc4751d732

SHA256
3b2065581916e448580930e3c7a05cd67919094d166e26e20fca0b01278b7395

SHA512
831542a702c70761922fee895d8d825979a82d0f952114d948d5cccdecb3d5aff114b6cb1f73b09448d1ec043ce9520b849033e662b9478763efbf1f25deefe3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
248.6MB

MD5
ecd48fc5c465fcab0cc36ac943919b3d

SHA1
6517b919f8af93d1e85ad32056e3b5778997e897

SHA256
a549523480cfa8343bff20bac11900340cde6b4b88a0b76cedb594f26c9735df

SHA512
7cacd528b7fdaac5021f2dcddd40d8926400074165aac14cc867ca7e8d537e2a01e68c0710d2e9c39572a27c5c4f4b46c088895c3d6140ed922184b856880ab1

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
230.6MB

MD5
fa4d6af0c74793663568db180fe3a911

SHA1
f990f3c579726ed3608a494d2cb57084fc2c7c44

SHA256
5d49f2b28e3c7be576328ec1da83f3e66e72ed1826db3a0f48f892717cce19d8

SHA512
33be3c900af77a84efc5b60acef237e2be2aaa96ae4179a78ee6dd78fdcdeb4295dd069340206ab6308a60377a4fab9cd9601da4a37eb2fbb5c0050572d34521

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
246.9MB

MD5
f73fa92bc17b8c561063e09a1bbc7ae0

SHA1
55d19b74bfde602e7f29be37e9e9dbe0e0915f5a

SHA256
85296bcfb074e603bd215bd5878ba1099a7ee1e259afb131a5e9d50ae7f8d1fb

SHA512
10f0ba87fd6a25566a4f9689ecdde6f707ecf17847ee3bca4538eca1197e1c0f3c1017d14d93501037d69c058f8496b31953e63ea78d22be593e254ea03a1662

Download Submit
memory/1716-64-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1716-55-0x0000000004980000-0x0000000004D50000-memory.dmp

Filesize
3.8MB

Download
memory/1716-54-0x00000000047D0000-0x000000000497A000-memory.dmp

Filesize
1.7MB

Download
memory/2044-70-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-69-0x0000000004790000-0x000000000493A000-memory.dmp

Filesize
1.7MB

Download
memory/2044-72-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-75-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-76-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-77-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-78-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-79-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-80-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-81-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-82-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-83-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-84-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing