laplas | 4fbb0bcbc6baaba9f3e438708a4c2d2091489b5ff42bc10bf7d07721597feec0

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fbb0bcbc6baaba9f3e438708a4c2d2091489b5ff42bc10bf7d07721597feec0.exe
Size

1.9MB
MD5

828e5145c076da94aefc34bac1a4fdc3
SHA1

433e55b78f47f956a78b3ad51d2162468e2d277f
SHA256

4fbb0bcbc6baaba9f3e438708a4c2d2091489b5ff42bc10bf7d07721597feec0
SHA512

ad516843e7c287af9a6aed41a987eb059ea191836687219e5fde75069f43bf8318d1cb3dd25df32797fa9cf6a4c5525af60d46b00d63c838eb5704f8649ab85b
SSDEEP

49152:GtP4k4khOWUXGLuK2fj06WbCMq7ekzO9T:GFLwXEuK2fjSbdkz

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
3364	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	4fbb0bcbc6baaba9f3e438708a4c2d2091489b5ff42bc10bf7d07721597feec0.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	32	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3364	2880	4fbb0bcbc6baaba9f3e438708a4c2d2091489b5ff42bc10bf7d07721597feec0.exe	85
PID 2880 wrote to memory of 3364	2880	4fbb0bcbc6baaba9f3e438708a4c2d2091489b5ff42bc10bf7d07721597feec0.exe	85
PID 2880 wrote to memory of 3364	2880	4fbb0bcbc6baaba9f3e438708a4c2d2091489b5ff42bc10bf7d07721597feec0.exe	85

C:\Users\Admin\AppData\Local\Temp\4fbb0bcbc6baaba9f3e438708a4c2d2091489b5ff42bc10bf7d07721597feec0.exe
"C:\Users\Admin\AppData\Local\Temp\4fbb0bcbc6baaba9f3e438708a4c2d2091489b5ff42bc10bf7d07721597feec0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
714.9MB

MD5
137ff3ddee8b7e6cc2bdc0e62af97705

SHA1
051a3b52cd9c00b3ceb17ac4a985a9075784166c

SHA256
5f6e5b116e55ca059fa3cae3107231c68be7f1f8675090b62cb7fd8ae09b6bcd

SHA512
3215e835d6707819d7f626d2fecaaa4cc71a2c93e162ca2ffa21a1a4ca3bf0a3a4f5b2dd56a1c8f18beeb2d181b7e2fa493b696ff5b482f76be1a2fc29171776

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
714.9MB

MD5
137ff3ddee8b7e6cc2bdc0e62af97705

SHA1
051a3b52cd9c00b3ceb17ac4a985a9075784166c

SHA256
5f6e5b116e55ca059fa3cae3107231c68be7f1f8675090b62cb7fd8ae09b6bcd

SHA512
3215e835d6707819d7f626d2fecaaa4cc71a2c93e162ca2ffa21a1a4ca3bf0a3a4f5b2dd56a1c8f18beeb2d181b7e2fa493b696ff5b482f76be1a2fc29171776

Download Submit
memory/2880-134-0x0000000004C00000-0x0000000004FD0000-memory.dmp

Filesize
3.8MB

Download
memory/2880-139-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-151-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-156-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-145-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-141-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-159-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-160-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-162-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-164-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-166-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3364-168-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download