laplas | 3e08199217335ec183db9fd5eb80c628a4b80a8fa21af1cf0df85ed8ed872f16

Analysis

max time kernel
148s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e08199217335ec183db9fd5eb80c628a4b80a8fa21af1cf0df85ed8ed872f16.exe
Size

1.9MB
MD5

d8aeb228901b4dd3f476ea6b4028193e
SHA1

b164fafa4c10ed2f159b85221dadb1fa711b4be5
SHA256

3e08199217335ec183db9fd5eb80c628a4b80a8fa21af1cf0df85ed8ed872f16
SHA512

7e021c9d3d49fed34692e16461a2094cdee1d13bb66c083c7db51a6988b53a1d56cc6eacba2da1cf1b204c1dd95d979db5306ec78bae5cd73f15dcc7e4a4fa1f
SSDEEP

24576:8Q2d/KkSGgByexJk3RBZ6XkvhMp/zIPQn1Z3jVsMA1+hjZl7cp0LZ1kuy+GSAUbQ:8Qw/KkUsSk30qhMZzltNW01G0KUSxJ

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
3444	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	3e08199217335ec183db9fd5eb80c628a4b80a8fa21af1cf0df85ed8ed872f16.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	40	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 3444	4532	3e08199217335ec183db9fd5eb80c628a4b80a8fa21af1cf0df85ed8ed872f16.exe	86
PID 4532 wrote to memory of 3444	4532	3e08199217335ec183db9fd5eb80c628a4b80a8fa21af1cf0df85ed8ed872f16.exe	86
PID 4532 wrote to memory of 3444	4532	3e08199217335ec183db9fd5eb80c628a4b80a8fa21af1cf0df85ed8ed872f16.exe	86

C:\Users\Admin\AppData\Local\Temp\3e08199217335ec183db9fd5eb80c628a4b80a8fa21af1cf0df85ed8ed872f16.exe
"C:\Users\Admin\AppData\Local\Temp\3e08199217335ec183db9fd5eb80c628a4b80a8fa21af1cf0df85ed8ed872f16.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:3444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
812.9MB

MD5
2035c8358747050ccf54dd31f44943a5

SHA1
5efdb8aead737d0767ade7540bf33eaf9941ff6d

SHA256
d9c35c156df8d45a0da649f49fbdd60756df123c1bd3ce8f8f998912bbfc4f2e

SHA512
189afb295e7f5c7150a01e6ace52cd37b20d44030fa6b14108a68bdbe38e475cea708820a933b50da41e13cbbe7fabbc533b7dcd54ae2dc4e02222472dcc7bc3

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
812.9MB

MD5
2035c8358747050ccf54dd31f44943a5

SHA1
5efdb8aead737d0767ade7540bf33eaf9941ff6d

SHA256
d9c35c156df8d45a0da649f49fbdd60756df123c1bd3ce8f8f998912bbfc4f2e

SHA512
189afb295e7f5c7150a01e6ace52cd37b20d44030fa6b14108a68bdbe38e475cea708820a933b50da41e13cbbe7fabbc533b7dcd54ae2dc4e02222472dcc7bc3

Download Submit
memory/3444-157-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-167-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-145-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-165-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-156-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-164-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-159-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3444-162-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4532-134-0x0000000004D50000-0x0000000005120000-memory.dmp

Filesize
3.8MB

Download
memory/4532-136-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4532-141-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download