laplas | 94654f322afbdfdc2d910b89f74f7240fbd30efb90b1890640137287c7620abf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe
Size

1.9MB
MD5

bdd49eb42688886ee312ae57d9d1f654
SHA1

9fa1b8eb6b546d78150324b2303b9425b8f23dc5
SHA256

eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02
SHA512

6bb152f179c781a26107e9f3e2084f2e70fc15835c30d40cfc27d3d354ebb3214851a9cd350f1504b151fa792c5ac8d6290f3b4da5c8839ee3b759766e92a586
SSDEEP

49152:fzmvpQccgreskIaAUgrqgHkrWIF994X5IBY:fzOJtqgHkVoIB

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4364	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	35	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 4364	3184	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe	87
PID 3184 wrote to memory of 4364	3184	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe	87
PID 3184 wrote to memory of 4364	3184	eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe	87

C:\Users\Admin\AppData\Local\Temp\eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe
"C:\Users\Admin\AppData\Local\Temp\eb9e358c4d722aff74cbcf3a4f7c11a69aad1c80e93f52f75ad94d5e4a29db02.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
817.9MB

MD5
5257fedc875af45d0c69b363465cd4f5

SHA1
f5b0c1a44aec3087992dc8b1800240624fc62dfb

SHA256
415a79c58c5ed2694ecaf70bbcdc4bf14bd71f943df422945ab3e8f6e597eeb2

SHA512
e37f6c8aadd465275cff2bf367d10ac5db2824765ccb32981025205b863e1e4e3f31bc8a4edd5d37409395278bcb56daca18d53afa4711286329e24c03ad5938

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
817.9MB

MD5
5257fedc875af45d0c69b363465cd4f5

SHA1
f5b0c1a44aec3087992dc8b1800240624fc62dfb

SHA256
415a79c58c5ed2694ecaf70bbcdc4bf14bd71f943df422945ab3e8f6e597eeb2

SHA512
e37f6c8aadd465275cff2bf367d10ac5db2824765ccb32981025205b863e1e4e3f31bc8a4edd5d37409395278bcb56daca18d53afa4711286329e24c03ad5938

Download Submit
memory/3184-134-0x0000000004E00000-0x00000000051D0000-memory.dmp

Filesize
3.8MB

Download
memory/3184-136-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/3184-140-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-145-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-144-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-142-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-146-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-149-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-151-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-153-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-155-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/4364-156-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download