laplas | d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f.exe
Size

1.9MB
MD5

d8c99c5dd392f68fc5b546dfd9020e0f
SHA1

b157ece3c88b5a58d6ecc59d56db1dd08fe8cfe1
SHA256

d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f
SHA512

961c2f0ef15858aaf1b02eba93da79b9c8c00c3cb34ef5d63fdefe565ceed47739a4d4e604347e2d71e9ad18a6a01064bc3534b805abf248b96373c9f8a7def2
SSDEEP

49152:s+9ZdXslj/Znw1ldQvMM+shYgswP4rsgevHfr6p+UGU:ssdXslj/ZioNh5pPgCj6p+Uf

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
5016	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	20	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 5016	1944	d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f.exe	86
PID 1944 wrote to memory of 5016	1944	d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f.exe	86
PID 1944 wrote to memory of 5016	1944	d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f.exe	86

C:\Users\Admin\AppData\Local\Temp\d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f.exe
"C:\Users\Admin\AppData\Local\Temp\d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
550.4MB

MD5
3f8209ef6a13d87fafc4199ea00437e8

SHA1
c38d839552f429ba362bfebcae265f8fb71e0dd3

SHA256
9afc3ce8a3d0aea62f5b4238877905479ab3d15b793dbd5e43a3f4806b47ff0d

SHA512
cfeaf3e5cb58eaf0b937344f9364dba132c8ef2db106ea71f494f0fbb91e8e84d745948598f3d4b7faab722b66d400e85b10d870b286e5e219a3b7de772e2b5f

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
514.8MB

MD5
c54b6534655fa1a1fd2dded305ff5ab0

SHA1
12d9a823d3c5ec5e7ec25a5704b6f37ee4e650b8

SHA256
ed516c238f9d9a7abfa25d7b8a609c0be504d6d5056e348efe49df4ad546357d

SHA512
fef9dafe190962c039313452f1458530b440b6497fc113961e260d039eaf4d70656618278c31e162ae78b88b5e3d431254100a20a8e8665211dda0431edec9bc

Download Submit
memory/1944-134-0x0000000004CB0000-0x0000000005080000-memory.dmp

Filesize
3.8MB

Download
memory/1944-136-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1944-139-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-146-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-143-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-145-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-142-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-147-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-148-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-149-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-150-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-151-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-152-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-153-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-154-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/5016-155-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download