laplas | aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892

General

Target

aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe
Size

330KB
MD5

303d02e6001fe7b563765c812c860f2f
SHA1

ab8a49810c82a1a709a8ab9316d13d1033a95347
SHA256

aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892
SHA512

b9b7d078bb46cbdb4ce7ada90246b11f3a54070881a78daabc0156c89d530460ebe8b163d31c87259a377f57e10eb24856f9312db70a872bd27601cd5345fe06
SSDEEP

3072:X6flsJI1iLBb7lcMXs/OScEDO8veYEvCKAIvEjJnKDRVNtxvkJH:qfMI1iLJ7lQ/3zxVMMIvx31MJH

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe

Executes dropped EXE 2 IoCs

pid	Process
832	DAFIEHIEGD.exe
4920	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe
3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	DAFIEHIEGD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	3040	WerFault.exe	85

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4344	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	48	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe
3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4444	3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe	86
PID 3040 wrote to memory of 4444	3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe	86
PID 3040 wrote to memory of 4444	3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe	86
PID 3040 wrote to memory of 1740	3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe	88
PID 3040 wrote to memory of 1740	3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe	88
PID 3040 wrote to memory of 1740	3040	aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe	88
PID 4444 wrote to memory of 832	4444	cmd.exe	91
PID 4444 wrote to memory of 832	4444	cmd.exe	91
PID 4444 wrote to memory of 832	4444	cmd.exe	91
PID 1740 wrote to memory of 4344	1740	cmd.exe	92
PID 1740 wrote to memory of 4344	1740	cmd.exe	92
PID 1740 wrote to memory of 4344	1740	cmd.exe	92
PID 832 wrote to memory of 4920	832	DAFIEHIEGD.exe	100
PID 832 wrote to memory of 4920	832	DAFIEHIEGD.exe	100
PID 832 wrote to memory of 4920	832	DAFIEHIEGD.exe	100

C:\Users\Admin\AppData\Local\Temp\aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe
"C:\Users\Admin\AppData\Local\Temp\aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe
    "C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:4920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:4344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 2108
  2⤵
  - Program crash
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3040 -ip 3040
1⤵
PID:3248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe

Filesize
1.9MB

MD5
87b5057f44c2a25338f03f6ba10358ad

SHA1
b8d68c22a48b7b1dabecf2d0cb830392291e3cab

SHA256
de7320a71b9a0de261be6f7a8d36a6f13c3989681bb98627bc169d0e3f3c76eb

SHA512
2c6463eb46b6f2f263beb3601bdf909f7dfb24c4b1b0cb5dd6f19777ae703d7daa84c483e575ffce2792751925668afb6bf4bf0bd2f7e0898f057900eb4b9367

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe

Filesize
1.9MB

MD5
87b5057f44c2a25338f03f6ba10358ad

SHA1
b8d68c22a48b7b1dabecf2d0cb830392291e3cab

SHA256
de7320a71b9a0de261be6f7a8d36a6f13c3989681bb98627bc169d0e3f3c76eb

SHA512
2c6463eb46b6f2f263beb3601bdf909f7dfb24c4b1b0cb5dd6f19777ae703d7daa84c483e575ffce2792751925668afb6bf4bf0bd2f7e0898f057900eb4b9367

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
451.6MB

MD5
28e99f601f6defa2d7297866325ace82

SHA1
22a18c17f91373dc0544ad465601cccd93d4372d

SHA256
3e00e56fb457ae4764cdee095ff1c632c7dac84a182e741fe2ddb60ac8328e93

SHA512
d8f34cda5a8cf6d4aca95520185ce0351b1b7051a42d5f084464766053278979a22d94a0def97fd95f9fb0e6cce8dcf6fa1bb20e3acb25e19c4da0ad3aaf1176

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
429.0MB

MD5
4107373dd5f89431ef7fad5e8bf562ec

SHA1
9688410cb578330d22f634203840adb9ddbbd0db

SHA256
2786b938bcf5ccd35fa4bce15f56184d7aea04d4c1a7b3748ffb2e9e7e9bd7f4

SHA512
b01384aec5612db9a16d7599beef08ce96e214fef71cd612587d6d797f69d0aebf616c0d76f047520249b1856ed7a172923f446a49635f2434673b874b968439

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
427.8MB

MD5
29c77471b3629d47aeea979aa1c0fc47

SHA1
a12473c5013c79c23a59bc98e189580547fada9c

SHA256
247550f014cd786ddfff6492da949f8d6eb6a2ab120269d2b5a2fe11e9cd7a7d

SHA512
c0f9dbb00ad3f5ac743d0902f508bc16a242a762fa5c90f6753b03439ac7dd84b82525a2a8a14cd028d308a36e8bed8237487a2eacf8e7352cbbad6662c420c9

Download Submit
memory/832-216-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/832-213-0x0000000004AC0000-0x0000000004E90000-memory.dmp

Filesize
3.8MB

Download
memory/832-219-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/3040-214-0x0000000000400000-0x0000000002B02000-memory.dmp

Filesize
39.0MB

Download
memory/3040-138-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3040-137-0x0000000002DA0000-0x0000000002DB5000-memory.dmp

Filesize
84KB

Download
memory/4920-224-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-223-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-222-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-225-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-226-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-227-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-228-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-230-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-231-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-232-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-233-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-234-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download
memory/4920-235-0x0000000000400000-0x0000000002C97000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads