laplas | a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2023, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe
Size

1.9MB
MD5

9168ec28d42b59ac24e152d107de761f
SHA1

a6e74e0c2f4f85472aa6734b347743d8e187056d
SHA256

a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d
SHA512

1bf72d0f663ed83c27eb3986457695ed61a143e53a74eaf39586d2ec7d27e2bc288ae2ec1671e911ee714625607a09b19fd5d909e1338bd26020e546872d3f54
SSDEEP

49152:+K/LohE2B47+2T1Uyd7wIUUXbp9u6eXLvVTs3CJVO:+wsdmL1dwIUUX7deXLxDO

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
3944	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	21	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 3944	820	a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe	85
PID 820 wrote to memory of 3944	820	a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe	85
PID 820 wrote to memory of 3944	820	a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe	85

C:\Users\Admin\AppData\Local\Temp\a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe
"C:\Users\Admin\AppData\Local\Temp\a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
656.2MB

MD5
e6908814b223b4cd087c853bcab796d6

SHA1
fd19ef0e7dcd64d7d90eb741684c62f7a563c4fb

SHA256
1c14d8671e3ef0a766dd17174ae4ccbd3d583d13ad1803d4ba04df85c2d164d7

SHA512
aa1d7e6826f7b79deec4e6c44fbfba1121f14a01b800379054cfaa6b477e6a8fb0724de33808f144b7a9f1d9e2c3a106d4bea7566ef899ae17b1604a05847515

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
606.2MB

MD5
74dd81e535100a7774dacfe4a2e8c761

SHA1
0f0f95c20e436130720af7b7e076c85758c483f4

SHA256
7eb16d1ccc4e83c4326c4ecf4acb7852c8dccbb1c8ae6997b1f319e53fb11a3d

SHA512
503254c13dd1170b3acc6ccbd2bc34402ed7b7d080845bad6621a5db92499492e1e387c9ef35ce586f57fc41036e96c8b4901a809547973fff47d75539dcfb43

Download Submit
memory/820-134-0x0000000004C30000-0x0000000005000000-memory.dmp

Filesize
3.8MB

Download
memory/820-135-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/820-137-0x0000000004C30000-0x0000000005000000-memory.dmp

Filesize
3.8MB

Download
memory/820-140-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-145-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-144-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-148-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-149-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-151-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-153-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3944-155-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download