laplas | 9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5

General

Target

setup.exe
Size

1.8MB
MD5

94ce1cdbccb31d0993990d8a5fbd34d8
SHA1

392bb3736fe7b5e45f808f69097ae422ebc5c018
SHA256

9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5
SHA512

2525b7ac471490b61ab425c81c85956de1ff8d2a97787e95341bbd0f2047521183533495005eeefc427a30ec979e36421533696ecb7dadade57c13881294d7ab
SSDEEP

49152:rzmvpQccgreskIaAUgrqgHkrWIF994X5IBYr:rzOJtqgHkVoIB

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1944	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1960	setup.exe
1960	setup.exe
1944	ntlhost.exe
1944	ntlhost.exe
1944	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1944	1960	setup.exe	27
PID 1960 wrote to memory of 1944	1960	setup.exe	27
PID 1960 wrote to memory of 1944	1960	setup.exe	27
PID 1960 wrote to memory of 1944	1960	setup.exe	27
PID 1960 wrote to memory of 1944	1960	setup.exe	27
PID 1960 wrote to memory of 1944	1960	setup.exe	27
PID 1960 wrote to memory of 1944	1960	setup.exe	27

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
190.2MB

MD5
124931bc8f14a8078d6ccd05e1d62928

SHA1
d2546f4364e78e4aa1914a09680943ded3a1d918

SHA256
8f235f0fc991f26259b48231cd15405a1e77c6e189f13ae4d51d36517be67352

SHA512
34b6c22b7b5e877de2a7e53fe4a9bf5c2afd65bf5b17ae56fbee4b61fe5c717f605930e845660f4dc466e795d982fdfc757e1e9ac1c4d55069ac11075c936530

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
187.2MB

MD5
6fe678853fee8ad303f21d49157d7387

SHA1
320902f4434b0e458f3f22f213c87654a2c05f57

SHA256
35e47701ed0e716d1b9b13ea3797d000627f74e918a12f401fe05230ad32289f

SHA512
334dc9c7ee7f932ffa9cfae0bfe021439460a715ce3239c116f8e308083a2b338a3839e74a30e5e6d86e8c2961d381ffde936186d56ce5b54192e3eb91a6f800

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
172.3MB

MD5
ec14f82ab62b28923dc09e8bbe9fc1c7

SHA1
cd9b8aa780354dc82b5e0cffb35f961ea61708cd

SHA256
6b948345e7d2c09087d49480ffed3e197fff88d7673fdebbc1c70958f6d01f3e

SHA512
ab3b0a3c0935a2888cd5f39354ee57755b37f7b72732f17c1ffe43fef89094c06e2eb03685bdf4c74505d670898292299cac50d7ea11acb391de085b1ed1013c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
111.1MB

MD5
4dde8126c8e2b01fe8d0a28673a8c6c0

SHA1
2b6e859aff298d86c880866988804a735a6436e8

SHA256
ac0c655843c4429f9711e8bfe819888b0f4b642655d77d308acd3b55479c744c

SHA512
e88b21a1645d070c3908cefbbfbe85743fbb2a7b46b070c798ddba47919b7e09dfb009f8538a64541a5da9b150c610df7debcfc590b719b52ee54e029d160816

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
189.8MB

MD5
c711feff96aef2966145de74f89fda68

SHA1
ee9750e4439741d110c3603d06ae89af420fd1ac

SHA256
ab23476a1507b7cf50a48d753796672628beaada201f647c1509ad6cf47f8554

SHA512
14cc0373642c6c46e19b4f98ed3235a63cdd2d88ed8deda30ca8b42102b4b8e017854960a6f25fced526433210dd8c13cdc9eb77e021e59dbd3b84eacdb7a72b

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
191.4MB

MD5
cbef66589b3e3a906f6dba3dfd909604

SHA1
37caa85c8fe0fd451c9ff6881fc3ccff50edcaf7

SHA256
23413ab88639a9ed1b3cbb35eaf87f9414ae8297e60f3b962fe490ca2773f2d5

SHA512
9b9ec9d7157038567dc5a3946f86685ad920f76f79bb75312883d02a688f0c04f8b8f463a1bcdb0ebc798e6bb942b9282c7de90e1cf89ee45d760cfe63525805

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
178.0MB

MD5
f9f7962eb8dad9fdb71ccfc8c3a4cca5

SHA1
9753e7de29c392d136845987a175cb0701a18fa1

SHA256
9f88fd2007638ae619806b01328ada6437f0edde5536732953e3d1c527fab80c

SHA512
ef9e6c5d79cfe4b3adcf56ff32aa7b7c442ffebb0030f7ae0ff71827f379f1660fad0581d548abe2989c66d54285e5e8507e3a856f2bb2e71acec59f2fbeb53c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
189.3MB

MD5
df37fcbb49f2a92fe26b50fec8b46eff

SHA1
372b7d246a5965f9ed8cb5778b905ba1b9e66c8b

SHA256
397c8b771511f652eb8a5c9282bd699664d4abbe350df2002fbab50ef722c17f

SHA512
90e929bd475d8e6d27c1462290cb44b13d3af00bdca694ad8b93ea3d5c200ebf58a27c306a4a9ecddf5e5f5a7cbb40c7c8d91c1c29903d27ef79e7ec1f6c1e70

Download Submit
memory/1944-71-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-79-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-84-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-83-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-82-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-72-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-73-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-76-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-77-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-78-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-69-0x00000000047D0000-0x000000000497A000-memory.dmp

Filesize
1.7MB

Download
memory/1944-80-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1944-81-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1960-54-0x00000000048E0000-0x0000000004A8A000-memory.dmp

Filesize
1.7MB

Download
memory/1960-65-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1960-55-0x0000000004A90000-0x0000000004E60000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing