laplas | 1055458a8ee3ee7724fd82ca27387523cb1d0d1733ac8cceaf99fab47e35d105

Sharing

Copy URL

Twitter E-mail

General

Target

add_attack.zip
Size

20.4MB
Sample

230319-rkm3kagf86
MD5

580e4b67d15856343fdf60ad011da65c
SHA1

c40ffb955bee114d87bfc7306a0271e31c9e7347
SHA256

1055458a8ee3ee7724fd82ca27387523cb1d0d1733ac8cceaf99fab47e35d105
SHA512

2d5adc8d3146a6de809c79c9de59db4cf12209cda1bdc059339d330a47da4e0347fc0205df4c81456909e34464959c6a2c4362b8bfdcaa8b9288e5505d156ef6
SSDEEP

393216:e+j0yu69ioV7WtMGJFVJzYooRWgaMoU/Y/X1X+CQ821nFEpqpSQVL:LoErGJhUPWeoX1g821F3N

Score

10^/10

Malware Config

Extracted

Family

laplas

http://185.106.92.104

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

- Target
  
  add_attack.zip
- Size
  
  20.4MB
- MD5
  
  580e4b67d15856343fdf60ad011da65c
- SHA1
  
  c40ffb955bee114d87bfc7306a0271e31c9e7347
- SHA256
  
  1055458a8ee3ee7724fd82ca27387523cb1d0d1733ac8cceaf99fab47e35d105
- SHA512
  
  2d5adc8d3146a6de809c79c9de59db4cf12209cda1bdc059339d330a47da4e0347fc0205df4c81456909e34464959c6a2c4362b8bfdcaa8b9288e5505d156ef6
- SSDEEP
  
  393216:e+j0yu69ioV7WtMGJFVJzYooRWgaMoU/Y/X1X+CQ821nFEpqpSQVL:LoErGJhUPWeoX1g821F3N
Score

10^/10

evasion persistence spyware stealer trojan laplas clipper
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  add_attack/Slava.exe
- Size
  
  13.9MB
- MD5
  
  1fa21564b4463aa7a564a20fa00dafba
- SHA1
  
  44d44ad94ede70ae8bdf75ea18660911f5a22915
- SHA256
  
  f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9
- SHA512
  
  2467c316ca826f757c0eae92a295ac9e3d4cde38936f480fdbaea1fbaa933c298c4d3ac7ca361f20c246c768591f02b8a6c18c4064780803585d1b7cbf914abf
- SSDEEP
  
  98304:Z8orC0paqIwP+g/pkrubbwibwHyEe/4/I3eFTF:CExaqvP+0pkruwKw/P/I
Score

7^/10

spyware stealer
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral3 behavioral4
- Target
  
  add_attack/cockkieeAC.exe
- Size
  
  13.9MB
- MD5
  
  50f31873c5df2e169f1ec5ebab8ba2c3
- SHA1
  
  43dfd3859c1763ced1eee0d0ea934a76aaa0fd4e
- SHA256
  
  adcf0ee814651b8a561d827d7ecc7a9aee660a950511c1ffae7d16f426f8de14
- SHA512
  
  f5e408bcab7318edc079d553000f1110c0376ed1a0e11360280c99ec416a588d19ab5a0ed2ae33abc9746f7974d2f6c6c2ed53bca8fc51c890b813b9db9251ca
- SSDEEP
  
  98304:S1FHdnwJ2Sb6Jax44M8jeOsoyE2/4zxBgtydeIcj:2ZxwJXb6i4MjnsgnzxKB
Score

7^/10

spyware stealer
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral5 behavioral6
- Target
  
  add_attack/goland.exe
- Size
  
  2.6MB
- MD5
  
  fc6d40512829e36687854cb0118a5a1e
- SHA1
  
  cf801f9dad93b5ebbcef79b093b034b45aa75a1e
- SHA256
  
  58c0d2f945207a56f5baefbb320d7ddbd01089205025de05133db173281e65e2
- SHA512
  
  8545d6e56ab77e28e416b013a2836307616d8c00dc26216c35fba8bc1ec0b8c8503f8d7cb55e8dd1d5aaa08875e9172f7259082a4f6756c4722be9c4e3f96e6f
- SSDEEP
  
  49152:6EE4S6KbgMczZ3kXz64kU4r6mN2udLglBA9iHZN9OXOMbK:VEV6Kbmhkj14rzUMnibX
Score

9^/10

evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  add_attack/neee.exe
- Size
  
  7.3MB
- MD5
  
  99f16ab6ab670935b5aa5c84b1b5f6bd
- SHA1
  
  59f375481cdfe246d1ddcaada9941e16dcfda297
- SHA256
  
  348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
- SHA512
  
  845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
- SSDEEP
  
  196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1
Score

10^/10

laplas clipper persistence stealer
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Deletes itself

Reads user/profile data of web browsers

Deletes itself

Reads user/profile data of web browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Laplas Clipper

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10