laplas | 94654f322afbdfdc2d910b89f74f7240fbd30efb90b1890640137287c7620abf

General

Target

eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe
Size

1.9MB
MD5

bdd49eb42688886ee312ae57d9d1f654
SHA1

9fa1b8eb6b546d78150324b2303b9425b8f23dc5
SHA256

eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02
SHA512

6bb152f179c781a26107e9f3e2084f2e70fc15835c30d40cfc27d3d354ebb3214851a9cd350f1504b151fa792c5ac8d6290f3b4da5c8839ee3b759766e92a586
SSDEEP

49152:fzmvpQccgreskIaAUgrqgHkrWIF994X5IBY:fzOJtqgHkVoIB

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2024	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe
2040	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2024	2040	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe	28
PID 2040 wrote to memory of 2024	2040	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe	28
PID 2040 wrote to memory of 2024	2040	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe	28
PID 2040 wrote to memory of 2024	2040	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe	28

C:\Users\Admin\AppData\Local\Temp\eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe
"C:\Users\Admin\AppData\Local\Temp\eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
506.6MB

MD5
aa4b111b905728cf46eff3f6365e10f6

SHA1
b3ca654612a0f45b19f0494d938215b423538cb6

SHA256
e090f9f0f0dae937329af92abb45c0dafe6c3b542e73e758dec3a4252e9388e4

SHA512
8fd8290c0e365ef3e2af1816aca60e49bf40b1c1a4a24d2edbc03004dbae3a4f9305f0a0af2d4e406de5b70626fc69b8ff2ad3d0f3798f208ba84efdbdd77119

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
504.9MB

MD5
4a53766696d1000037356761d5995dc7

SHA1
0db346ae996525aac2798f25c0581dd8a85e0649

SHA256
4aa74a43854c3333de8d43186a41ba6dc4ce58796973a53de3e2d349c0172a5a

SHA512
7f908d78b908e5a2c3524597f1461d8a37d97e0c3bf07ccfa504a6ed9d649c745a9320f7e7fb179fcaea974d6376c57e292895ec2071e622109414c5821c14c4

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
310.4MB

MD5
58df2e5142ecaad72742c443eaf19d26

SHA1
c60ebcb121293b38c01e73b21df0e8c7b14b1774

SHA256
106eab2fdd6d9fc992f2ae87d753b1c7cf3b8879a296ac7f8baf3ad4e389a504

SHA512
91f152db9ae15dbc8f527cb335b5afe6b9e7a4b5b2282484fe1446e0b2c5e846ba173fda14fdf80a7e3610a3c9b290683db2f4d712c4b7d2af32ac43c29261be

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
537.8MB

MD5
6ba80e2d4d76495d6424e7d343f13da1

SHA1
b527502f4316928fa517ecd2cdf500cfba83986e

SHA256
ff31de13c7de594e4a5de6cfbcdd01f42a887ed7715e6316cbcdb04ad2e12646

SHA512
62476ef7f1af0f7f0c04dc082636fc6174f854575ad9288a5bbe028a4530ed21532699618aa41eb5c94de4612e4d364644d3b86e675b55bf8cf89dfb21e8ed09

Download Submit
memory/2024-71-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-72-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-80-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-79-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-66-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-70-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-78-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-64-0x0000000004600000-0x00000000047AA000-memory.dmp

Filesize
1.7MB

Download
memory/2024-73-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-74-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-75-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-76-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2024-77-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2040-54-0x0000000004670000-0x000000000481A000-memory.dmp

Filesize
1.7MB

Download
memory/2040-65-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2040-55-0x0000000004820000-0x0000000004BF0000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing