laplas | 4bb575fa434480978c50ef8455786b94f1bbaffb4186a4e08379fa550ec9aeea

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2023 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bb575fa434480978c50ef8455786b94f1bbaffb4186a4e08379fa550ec9aeea.exe
Size

1.9MB
MD5

7e897816bfd13b9ea1d97aa419ee4a04
SHA1

c0b234e1c3bbb582fc738b2760ae53ffea404f03
SHA256

4bb575fa434480978c50ef8455786b94f1bbaffb4186a4e08379fa550ec9aeea
SHA512

94dfb74f2101437165eef30b8f067ac977ec16cc270b42e2dd24fd7e7d56c94b8572685f5aab71ff124bf220361246c3c4f148349e2a8e953d7a731a4b740529
SSDEEP

49152:eNs+8DCEmGEwFUDArdOxhXccs2YGBCsGI:eNsgEmGPWAmhuRGgI

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4236	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	4bb575fa434480978c50ef8455786b94f1bbaffb4186a4e08379fa550ec9aeea.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	41	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4236	4696	4bb575fa434480978c50ef8455786b94f1bbaffb4186a4e08379fa550ec9aeea.exe	90
PID 4696 wrote to memory of 4236	4696	4bb575fa434480978c50ef8455786b94f1bbaffb4186a4e08379fa550ec9aeea.exe	90
PID 4696 wrote to memory of 4236	4696	4bb575fa434480978c50ef8455786b94f1bbaffb4186a4e08379fa550ec9aeea.exe	90

C:\Users\Admin\AppData\Local\Temp\4bb575fa434480978c50ef8455786b94f1bbaffb4186a4e08379fa550ec9aeea.exe
"C:\Users\Admin\AppData\Local\Temp\4bb575fa434480978c50ef8455786b94f1bbaffb4186a4e08379fa550ec9aeea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
742.9MB

MD5
08cc019915a72e35d643a3dc84134bee

SHA1
c416d1ba2cabb21ddd4bd4eb57a6cdcece9949a1

SHA256
1c0ec45e8b32321b50f1c32e8543d21ed8fa72ae6fec3fdd74bbc12b94144696

SHA512
022829c7e120dc5120e37019352bf91f7f0b6d26ab8b798735f935dae82c000f4e35b827795b694f06120b71b71c19434c2534a54fba4c6814b95f41ad14f958

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
742.9MB

MD5
08cc019915a72e35d643a3dc84134bee

SHA1
c416d1ba2cabb21ddd4bd4eb57a6cdcece9949a1

SHA256
1c0ec45e8b32321b50f1c32e8543d21ed8fa72ae6fec3fdd74bbc12b94144696

SHA512
022829c7e120dc5120e37019352bf91f7f0b6d26ab8b798735f935dae82c000f4e35b827795b694f06120b71b71c19434c2534a54fba4c6814b95f41ad14f958

Download Submit
memory/4236-148-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-149-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-157-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-142-0x0000000004B20000-0x0000000004EF0000-memory.dmp

Filesize
3.8MB

Download
memory/4236-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-144-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-145-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-156-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-155-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-151-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-153-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4236-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4696-136-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4696-134-0x0000000004CC0000-0x0000000005090000-memory.dmp

Filesize
3.8MB

Download
memory/4696-141-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download