laplas | eb7affaaa61c0fa04ab3c31c9e7307116d5cf796aa810102605e7b09f27ffd88

Analysis

max time kernel
138s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb7affaaa61c0fa04ab3c31c9e7307116d5cf796aa810102605e7b09f27ffd88.exe
Size

1.9MB
MD5

a24cfabc78273aa5d5d997e780400416
SHA1

2c8561e6d643225e0ad5e60abdc9516cc499a0c0
SHA256

eb7affaaa61c0fa04ab3c31c9e7307116d5cf796aa810102605e7b09f27ffd88
SHA512

c384c069f8f93222174446162685673e346d8e3804b68fe828b2dc68ae8e8378da18e535e24f0d0f47ea04b8ead0c8e714abb33a3d7a31a697ce5d70532d0ea0
SSDEEP

24576:YhmN/VqDyuURACBQiulRKvXgkllDFuJvimr57RpWwE+yJHXtVplrRSRJKD0pwNN9:YBybR/QKvHoimr9R9IXtVbqKHegv

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
3768	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	eb7affaaa61c0fa04ab3c31c9e7307116d5cf796aa810102605e7b09f27ffd88.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	42	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 3768	696	eb7affaaa61c0fa04ab3c31c9e7307116d5cf796aa810102605e7b09f27ffd88.exe	85
PID 696 wrote to memory of 3768	696	eb7affaaa61c0fa04ab3c31c9e7307116d5cf796aa810102605e7b09f27ffd88.exe	85
PID 696 wrote to memory of 3768	696	eb7affaaa61c0fa04ab3c31c9e7307116d5cf796aa810102605e7b09f27ffd88.exe	85

C:\Users\Admin\AppData\Local\Temp\eb7affaaa61c0fa04ab3c31c9e7307116d5cf796aa810102605e7b09f27ffd88.exe
"C:\Users\Admin\AppData\Local\Temp\eb7affaaa61c0fa04ab3c31c9e7307116d5cf796aa810102605e7b09f27ffd88.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:3768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
819.1MB

MD5
d0dc545bdfe7655a15c2ac6399d32120

SHA1
bd1c6f99526ee4bae834d3ea725d3aa257933004

SHA256
2875d706f01e9e39f80641a726034326af9cee04024984baf018957a5d10e98e

SHA512
68f63628e9fdada9bdffdfb0fc291482fdbb5bb3d60d94ad5281b1d2c3b04797038bbd93d1d415299302e7e1af4790e142a3801a82d3bd2b0194ddd6e619c906

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
826.8MB

MD5
d27488595f5c063fe471a3991a3e9b00

SHA1
f74d8f9f97f78f73bb54e36f3d907f6b0e78982e

SHA256
f9ae23a9dd7b739797d27a846cdcb2bda5f9f4f6458c35e053228bed3b5ddc13

SHA512
0fa8519c60de41b531bb8d4f824a43ec90d9634405e7b762eccc1992dd145ee7061d7ecb5404abe0376a5f73ccc9a95855d9e2723c090fc3596a660010f1b330

Download Submit
memory/696-134-0x0000000004C70000-0x0000000005040000-memory.dmp

Filesize
3.8MB

Download
memory/696-136-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/696-139-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-146-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-144-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-142-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-148-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-149-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-151-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-153-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3768-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download