laplas | bce92b4fc25b7adc0fb8548d57be0fa9c245ccb19491c54b0f7ccaca5fa1c4c5

General

Target

94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe
Size

1.9MB
MD5

9eb001d8fc03b5ac327076e5454c1538
SHA1

fd609a4183d2cb6b1091fcdf4d543ea1b5bc7fda
SHA256

94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a
SHA512

e3822fd0aa77eae9fc06011e888a2164518e436b9e231eb7306997eff7817a15facb250259dcabe629882f5e9fbe0f2aee1128e221ff0f7f1048e6754e443604
SSDEEP

24576:8lnXu/5rLOHsKtiO5LM0GAWYZuTXx7kZ6BZy5A5j5S71Y+/S+a7IeXSLTn14ZoFQ:UXukMAi8BWXzSYOA5j5s1Y+/NuXc14

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2000	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe
2012	94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2000	2012	94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe	28
PID 2012 wrote to memory of 2000	2012	94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe	28
PID 2012 wrote to memory of 2000	2012	94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe	28
PID 2012 wrote to memory of 2000	2012	94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe	28

C:\Users\Admin\AppData\Local\Temp\94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe
"C:\Users\Admin\AppData\Local\Temp\94256992e8423c5410b140dcedc67b0c8dc79f06ded8c2ec83337885aadf870a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
446.6MB

MD5
cabb2aaa194d032b422078c610efb784

SHA1
0cd02e331354a6231a7bb87135bddc33f17cd09d

SHA256
cdb4129dd4f3748cf2b5d3de7b3097b68fa91bddb76b17f80f621f0f14e8629f

SHA512
720f5c12adfe1bb4fc021ec6922e386825512ca9e6886b7539a31bf510219fc45181f8b6a6552a1dcdffbb712fcbb9f1891660e1fff912be08e66751c56c529a

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
474.9MB

MD5
b3fc3586ceb782035ce882c1db032fa6

SHA1
f7921b0c84b79c56d373ca2ffd4af1786c61779e

SHA256
7974bfff6b373ba2d7b4a23f2fa51fdb15561860248376dcb27105d7febe673b

SHA512
a2fcfd02b0cd2e2eb9012ab9d81d4a3ff1440754df47d05fcb102c3bf0057ef45dfc4799e1656a27ef0389289af0fd975b48c281c32e36853612ad2ee3545f6d

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
287.7MB

MD5
0c15b213b69b3eb12d1ce3007a5f096b

SHA1
deef981baaa35fb8fcd46395439762ff28c15494

SHA256
19a4c5ab9ccaa8e4139bee325e3bf4325c77eee02721a2ac555f7913e16c6bbb

SHA512
bb11566059bbcfb91d581ba6e608113b4b7ae2a7cbd90489984e67987716c51ac77387bec1e8abeed254ef8d1e4914841aea10509190924e0f3c3bd7ee8aaabe

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
454.6MB

MD5
0524b838afe107d72c823ba663be0ead

SHA1
e27a309568f4b694c005dd0648ef434c1f09b644

SHA256
8dde02b9bb94ace2eee207d2271089b7e065d2f4b8ed2dc2a88de956b016b3a3

SHA512
0b6465d9d19dc015e493221c6f477cb88dad8cecee6294675d7f25d86407c22f0e3933a440c923cd760b5bc0bb7363ec86c1b5004dbd89aeafd467f753a6fa18

Download Submit
memory/2000-68-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-73-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-80-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-79-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-66-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-67-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-78-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-71-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-72-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-64-0x00000000045E0000-0x000000000478A000-memory.dmp

Filesize
1.7MB

Download
memory/2000-74-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-75-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-76-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2000-77-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2012-54-0x0000000004610000-0x00000000047BA000-memory.dmp

Filesize
1.7MB

Download
memory/2012-65-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2012-55-0x00000000047C0000-0x0000000004B90000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing