laplas | 2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29

General

Target

avicapn32.exe
Size

8.6MB
MD5

8d7cf73ce0624c89820492186e81268e
SHA1

f43f83b11e6e4b850297443a30803f72cef99489
SHA256

2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29
SHA512

2bc53e07e6d5d6b4267430011943824590001d8c341a5ccffb2260fc26fa1693d4a146f27a26a579450f822c5998551dfda50814e0b24d4cba8c903ccd8289cd
SSDEEP

196608:dCFM0/NuKzJqwRCCuNhH8DuSHVKiPxtgDe/3jyAan7Ftnl+6+GVp7:KMMsA3U4t1HDOAI7T7

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.223

Attributes

api_key
afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1344	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1804	avicapn32.exe
1804	avicapn32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	avicapn32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1804	avicapn32.exe
1804	avicapn32.exe
1344	ntlhost.exe
1344	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1804	avicapn32.exe
1344	ntlhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1344	1804	avicapn32.exe	28
PID 1804 wrote to memory of 1344	1804	avicapn32.exe	28
PID 1804 wrote to memory of 1344	1804	avicapn32.exe	28
PID 1804 wrote to memory of 1344	1804	avicapn32.exe	28

C:\Users\Admin\AppData\Local\Temp\avicapn32.exe
"C:\Users\Admin\AppData\Local\Temp\avicapn32.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
468.0MB

MD5
46fe26a8d2fc41726fe7f596b6d9e162

SHA1
a7328a357683b02ed31987faca6ed82d42554a64

SHA256
099cd8c9bc98fe7dacd017fc7fc7150e9a1ecd60316e2d42fc0718443dd29eb6

SHA512
4822cbfeed34669d24c4c59d53a265e232ba8096e1969dc1a3ba2c57790216599ee0e5ddf70b18fcba8bc1c161285307028a0ba6319e9dc01adbb45acf50b820

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
493.2MB

MD5
9fa5a726c02db746a06fe160718218cb

SHA1
c62c59d7b066e02eddeac38108abfe085c6ec5f1

SHA256
65344b6b0ae35cd01ecce04aeee9db219e02bd1fb4df8d21ab029b41320af703

SHA512
891dfd97c08e0a1d25626ebca8015a9aae0c5af21782876d36faf6ed414216aeff5e6f5923702b1c9801dc76efaaf9455eb7db0efa931cc9f252455b18f882c3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
463.7MB

MD5
ff4d911c639b36fb7c34d4ebbde4ca99

SHA1
6f0980e8af95364ad98f50d7542fab87e7666836

SHA256
749bc2d74751369b4ee1f99bd2ac06223dbcbfd4e836f756826256b70f6633b2

SHA512
6245b9c43891fb3fc14f5f419d73bdb006a3c039d4d9769267ee9968a9b813fafd86b6d6e187c4ba6316377448a42069158d6fe9cc6736d0f0d62a1df389918e

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
420.3MB

MD5
5c10584c3d3842705afa32a500b76f5e

SHA1
5851ccd77432fd76850b5c34eb75a42b20fd2958

SHA256
60b0d99df3d033641ad23529f1a24863f560500e6fb01b587d532a6962219e17

SHA512
0d22af8bef6236ff1f318e9c71008fc340aa303af4029493afe2d3bf7919c5a0eae172edca6f578af58a0fdabadf3cccdabe1820c9f48d03a6a71e4fa4d3bf79

Download Submit
memory/1344-85-0x0000000000230000-0x0000000001157000-memory.dmp

Filesize
15.2MB

Download
memory/1344-84-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1344-96-0x0000000003380000-0x0000000003783000-memory.dmp

Filesize
4.0MB

Download
memory/1344-95-0x0000000003380000-0x0000000003783000-memory.dmp

Filesize
4.0MB

Download
memory/1344-94-0x0000000003380000-0x0000000003783000-memory.dmp

Filesize
4.0MB

Download
memory/1344-88-0x0000000003380000-0x0000000003783000-memory.dmp

Filesize
4.0MB

Download
memory/1804-69-0x0000000000EE0000-0x00000000012E3000-memory.dmp

Filesize
4.0MB

Download
memory/1804-77-0x0000000000EE0000-0x00000000012E3000-memory.dmp

Filesize
4.0MB

Download
memory/1804-57-0x00000000013B0000-0x00000000022D7000-memory.dmp

Filesize
15.2MB

Download
memory/1804-56-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1804-54-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1804-55-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1804-59-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1804-60-0x0000000000EE0000-0x00000000012E3000-memory.dmp

Filesize
4.0MB

Download
memory/1804-68-0x0000000000EE0000-0x00000000012E3000-memory.dmp

Filesize
4.0MB

Download
memory/1804-67-0x0000000000EE0000-0x00000000012E3000-memory.dmp

Filesize
4.0MB

Download
memory/1804-66-0x0000000000EE0000-0x00000000012E3000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing