laplas | b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7.exe
Size

1.9MB
MD5

4c4b63ce68fc94e0ecead721488988ea
SHA1

c94627cbb1547f8ff075633c320b503a3404c4bc
SHA256

b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7
SHA512

d0e6e0582d864396e6ffe11e6163af022b442d939c0f093e9aff97b8f6c40014eb3ce12632dcbc9e06262d9e25526ae697ecf27b05ab32b43f85cac7c38b6a03
SSDEEP

24576:KMU26uH4Wv5IJot6Y6TxwdWJYGyLIXzb68kbAuFee6G8OG8AlC9XT85o4+FqvEl3:KLUvkGMtMGyLIXz+VmG8OvAleT8/g

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4460	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	43	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 4460	2452	b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7.exe	92
PID 2452 wrote to memory of 4460	2452	b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7.exe	92
PID 2452 wrote to memory of 4460	2452	b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7.exe	92

C:\Users\Admin\AppData\Local\Temp\b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7.exe
"C:\Users\Admin\AppData\Local\Temp\b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:4460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
626.5MB

MD5
440d6d7c664942945208514806b229e2

SHA1
254e87d3811e2c78fccc67ae40221ff6d85d62e0

SHA256
a198364104db64e2ff75d203ac4aa23a35d84baaf989783e725a67d3a6a46e72

SHA512
4550377d09ab0534870d2eda72f55075228cc1d07ad6e7eaf739a13c40a121f96948fc903cc506b0bd7d80c60bc52cfbda44502620009396de77e8951f13dcbb

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
605.9MB

MD5
460f6e7bf30cab693f06621a0943873f

SHA1
0f2cf7e6f885c6b9d8c1604bb9192d8a8b0a3e57

SHA256
7406e40781d9039844c56865f25b9e13abd5922d97806345cf96b5443a0ac2e9

SHA512
48b6b7aee2b11589491938dc6d151f6216f1a0f02cd97b58f2c629bef2c84b16ca63670aa5f3b8ad544877ba00c9ad61823239288ae1979714d786996e458001

Download Submit
memory/2452-134-0x0000000004BC0000-0x0000000004F90000-memory.dmp

Filesize
3.8MB

Download
memory/2452-136-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2452-140-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-146-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-144-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-142-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-148-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-149-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-151-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-153-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-155-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4460-156-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download