laplas | 4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399

General

Target

4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe
Size

291KB
MD5

b394b1a5eb564f8b5a0183a93df2738c
SHA1

c00fac71f6e765f494ffe29b29caecef2b8aab0e
SHA256

4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399
SHA512

d17c81164618aaf1356acd1be0e368318714908eae5e7597876f43bbf2a14d0fd33940daa06760702872050014b6934eb9c24731b57e35f217f3bf5bfcaabf28
SSDEEP

3072:rsDxzXNLsAsT5Uf/dIWWkhcIHDvtLRAm56+KdN5RLnHtHnpxL:rgXNLsPTuZWkhcQLW+KdRjNnbL

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe

Executes dropped EXE 2 IoCs

pid	Process
3748	CAEHDBAAEC.exe
1020	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe
1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	CAEHDBAAEC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	1516	WerFault.exe	84

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3516	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	60	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe
1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1104	1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe	87
PID 1516 wrote to memory of 1104	1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe	87
PID 1516 wrote to memory of 1104	1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe	87
PID 1516 wrote to memory of 2816	1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe	89
PID 1516 wrote to memory of 2816	1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe	89
PID 1516 wrote to memory of 2816	1516	4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe	89
PID 2816 wrote to memory of 3516	2816	cmd.exe	94
PID 2816 wrote to memory of 3516	2816	cmd.exe	94
PID 2816 wrote to memory of 3516	2816	cmd.exe	94
PID 1104 wrote to memory of 3748	1104	cmd.exe	95
PID 1104 wrote to memory of 3748	1104	cmd.exe	95
PID 1104 wrote to memory of 3748	1104	cmd.exe	95
PID 3748 wrote to memory of 1020	3748	CAEHDBAAEC.exe	100
PID 3748 wrote to memory of 1020	3748	CAEHDBAAEC.exe	100
PID 3748 wrote to memory of 1020	3748	CAEHDBAAEC.exe	100

C:\Users\Admin\AppData\Local\Temp\4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe
"C:\Users\Admin\AppData\Local\Temp\4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAEHDBAAEC.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\CAEHDBAAEC.exe
    "C:\Users\Admin\AppData\Local\Temp\CAEHDBAAEC.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:1020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4b811d64c45975026725f172b044e20c2f184b831c91ac01e55db69cb6ebf399.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:3516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 2288
  2⤵
  - Program crash
  PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1516 -ip 1516
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAEHDBAAEC.exe

Filesize
1.9MB

MD5
4c4b63ce68fc94e0ecead721488988ea

SHA1
c94627cbb1547f8ff075633c320b503a3404c4bc

SHA256
b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7

SHA512
d0e6e0582d864396e6ffe11e6163af022b442d939c0f093e9aff97b8f6c40014eb3ce12632dcbc9e06262d9e25526ae697ecf27b05ab32b43f85cac7c38b6a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAEHDBAAEC.exe

Filesize
1.9MB

MD5
4c4b63ce68fc94e0ecead721488988ea

SHA1
c94627cbb1547f8ff075633c320b503a3404c4bc

SHA256
b1daa52ebfe977292fa2cda77a76a06ab6ab216c08f1a55924036a2d721086c7

SHA512
d0e6e0582d864396e6ffe11e6163af022b442d939c0f093e9aff97b8f6c40014eb3ce12632dcbc9e06262d9e25526ae697ecf27b05ab32b43f85cac7c38b6a03

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
534.4MB

MD5
b0e4a19f3067cf22ce160feb93b8512a

SHA1
a79169e27f913725a5f12fb098918cef09e4ce05

SHA256
5ff48a942fcd717ab82308eb9ddc3e3f9fca23f9ac24e14b98ad67c468ea6638

SHA512
6a5045e4b48ff11abc92881d310930643ec418627c63ec17c9db111a312f19685c2fbed8db8472fba84d07f8daa9ad864d4cf3c99a725a93215dbb65b7780e0e

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
535.2MB

MD5
40973d38e5af41ed518b4fad9d7e6c65

SHA1
1907e3d2c63dc4ee759b9b86de51fb5e9e809f9d

SHA256
d4e1035bd1d443f9e6d83526a60401357c481116f3d72f7147932501605df3de

SHA512
b0dc9c65084ac3b679e41e3b0c2e06f7fcd5e7816c065e737647d5f9e325695676b1e90b8d308f5e892ccaec361389f52127c89537dd6eb2f00ac4b03378fdcf

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
536.1MB

MD5
1688584da7fe4c021a839322161602e8

SHA1
0fab94d4c4c496add59a7fda70aaf1b11710f3c6

SHA256
c72fa064f9a8b51ff22506f38d2b39282bf4922aa87ae77312a92cafa72e7405

SHA512
98584615bfa5fcf13ebdc17161affd3a978ae37da12b0228b91827b2950c11d3348c2536085fd0542ade2723e9c7f581b4043adf432c567b9eeee9fc89621447

Download Submit
memory/1020-225-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-226-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-221-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-222-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-228-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-220-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-218-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-219-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-230-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-229-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-227-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1020-224-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1516-134-0x0000000002C80000-0x0000000002C95000-memory.dmp

Filesize
84KB

Download
memory/1516-210-0x0000000000400000-0x0000000002AF9000-memory.dmp

Filesize
39.0MB

Download
memory/1516-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3748-214-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3748-209-0x0000000004B10000-0x0000000004EE0000-memory.dmp

Filesize
3.8MB

Download
memory/3748-212-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads