laplas | 33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca

General

Target

33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe
Size

290KB
MD5

0b55cbc503ab5a3920302d06a3d32b5d
SHA1

5d316ed4ac8c03b38524fc01e78e7181ccccbb5b
SHA256

33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca
SHA512

84077405ce5cdad23fde89642281d5d978048f3ad568970e1bff59993ad2c022eaff2a250bfbc0a74fe8c2eea4c68f39bd7d854e4656866b9bf486308b50ae4d
SSDEEP

3072:2nUnLLQo1s4UK/z8B1ed7WUI5RfqmjuO5kAJ5Rf0JhjX:9nLLQeUK/Yed85Rf/kAdfuhr

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe

Executes dropped EXE 2 IoCs

pid	Process
4444	JDGCGDBGCA.exe
3636	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe
3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	JDGCGDBGCA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1792	3712	WerFault.exe	85

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4228	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	33	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe
3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 3384	3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe	89
PID 3712 wrote to memory of 3384	3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe	89
PID 3712 wrote to memory of 3384	3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe	89
PID 3712 wrote to memory of 4924	3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe	91
PID 3712 wrote to memory of 4924	3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe	91
PID 3712 wrote to memory of 4924	3712	33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe	91
PID 4924 wrote to memory of 4228	4924	cmd.exe	94
PID 4924 wrote to memory of 4228	4924	cmd.exe	94
PID 4924 wrote to memory of 4228	4924	cmd.exe	94
PID 3384 wrote to memory of 4444	3384	cmd.exe	95
PID 3384 wrote to memory of 4444	3384	cmd.exe	95
PID 3384 wrote to memory of 4444	3384	cmd.exe	95
PID 4444 wrote to memory of 3636	4444	JDGCGDBGCA.exe	100
PID 4444 wrote to memory of 3636	4444	JDGCGDBGCA.exe	100
PID 4444 wrote to memory of 3636	4444	JDGCGDBGCA.exe	100

C:\Users\Admin\AppData\Local\Temp\33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe
"C:\Users\Admin\AppData\Local\Temp\33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDGCGDBGCA.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Users\Admin\AppData\Local\Temp\JDGCGDBGCA.exe
    "C:\Users\Admin\AppData\Local\Temp\JDGCGDBGCA.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:3636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\33515cdbda7555aa1f75bb2ce9c3d20d4385f026decb2db39d8bc0518e00e8ca.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:4228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 2124
  2⤵
  - Program crash
  PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3712 -ip 3712
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDGCGDBGCA.exe

Filesize
1.9MB

MD5
7a98329de3f1dbd9ca49acf2978acdac

SHA1
47485cd8c37f023d29faba6f85ca45b11a0e8cc5

SHA256
68c1350d42559ba8494a49bcb6c26735c3e66622b92f5dfbee5735a30a9be0d4

SHA512
995dcbd525df216c7c2ec0a6b5ad7bc1a46686e13d9aeecb8ebefaca5558fccafdd6c586f55ec7ebc37b44d5b46c2acf72a108ccee88de66eef2bdd4e3d66e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDGCGDBGCA.exe

Filesize
1.9MB

MD5
7a98329de3f1dbd9ca49acf2978acdac

SHA1
47485cd8c37f023d29faba6f85ca45b11a0e8cc5

SHA256
68c1350d42559ba8494a49bcb6c26735c3e66622b92f5dfbee5735a30a9be0d4

SHA512
995dcbd525df216c7c2ec0a6b5ad7bc1a46686e13d9aeecb8ebefaca5558fccafdd6c586f55ec7ebc37b44d5b46c2acf72a108ccee88de66eef2bdd4e3d66e94

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
571.9MB

MD5
72d96abd8a7799803fab4e65548b0335

SHA1
59a30600e75af3d036be2b47636cb7a445f26187

SHA256
8fdf1d4abcc078691551487d47d7bfca1c091e83c93eedbeb7faa4f8ee2776da

SHA512
9aa023498b594233cdccccc58a3214945783f66e9980247ed5cfabd1321ec3dae1318d2edfaf9b40e444f4eadf92d522bc7e03903b16ece2145434aacccdb207

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
518.6MB

MD5
7f5b384a2d855e27d7c87694a4f75c80

SHA1
23ddb5b08ed87f39fb8da935869e5a5a18e97219

SHA256
92ca8bcfa1c43dbc1aac8b690744d7cda3c99971233b9ac5d0e3af88c5a6b0e0

SHA512
0164e01137dedf184339fb7ca0a3a5c2450256d2d4de2eb7a319310401ecbe45625bdd99cc72175185e150eae948a9d3ed5b86158bd0cde99c067809e311e281

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
555.1MB

MD5
81ba02c2fffdd23be726aa71948ef9d9

SHA1
7c9ccb3d5407ba6e29f7799abcdd274b06574d27

SHA256
778ab3395c948fdcf9c2f8e1493624ec442ae625e9cdb16a0967748e0f67d501

SHA512
14dbb7575654bd58807b1764b1e6771c7ad0fabdd883ac207487b60a8812dcbe149c36aec8f231b6b9335364ac76c39d27360a5c99badaf11ec03a8dea1a8925

Download Submit
memory/3636-221-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-222-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-218-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-219-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-216-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-225-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-214-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-215-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-226-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-224-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-223-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3636-220-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3712-205-0x0000000000400000-0x0000000002AF8000-memory.dmp

Filesize
39.0MB

Download
memory/3712-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3712-134-0x0000000004840000-0x0000000004855000-memory.dmp

Filesize
84KB

Download
memory/4444-206-0x0000000004C50000-0x0000000005020000-memory.dmp

Filesize
3.8MB

Download
memory/4444-208-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4444-210-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads