laplas | 9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.8MB
MD5

94ce1cdbccb31d0993990d8a5fbd34d8
SHA1

392bb3736fe7b5e45f808f69097ae422ebc5c018
SHA256

9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5
SHA512

2525b7ac471490b61ab425c81c85956de1ff8d2a97787e95341bbd0f2047521183533495005eeefc427a30ec979e36421533696ecb7dadade57c13881294d7ab
SSDEEP

49152:rzmvpQccgreskIaAUgrqgHkrWIF994X5IBYr:rzOJtqgHkVoIB

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1500	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	31	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1500	3260	setup.exe	85
PID 3260 wrote to memory of 1500	3260	setup.exe	85
PID 3260 wrote to memory of 1500	3260	setup.exe	85

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
748.8MB

MD5
ee75f274dea02ea10bcd22cb71b28e0b

SHA1
28d30956601c81802945d52792a9147c81ec5320

SHA256
4b1215e85992b75a164b3000a9633b72b012e415cfe2b0094ef206e99595bd61

SHA512
7b48aa374c3b9d7f17ab43e79896c06abea64fff47017806e6289b62a326a8ce0f4e839692dc1ae785cba3c69695c40484a55ed15157f10e59b72a829416e9ed

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
748.8MB

MD5
ee75f274dea02ea10bcd22cb71b28e0b

SHA1
28d30956601c81802945d52792a9147c81ec5320

SHA256
4b1215e85992b75a164b3000a9633b72b012e415cfe2b0094ef206e99595bd61

SHA512
7b48aa374c3b9d7f17ab43e79896c06abea64fff47017806e6289b62a326a8ce0f4e839692dc1ae785cba3c69695c40484a55ed15157f10e59b72a829416e9ed

Download Submit
memory/1500-146-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-147-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-141-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-142-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-143-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-145-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-155-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-154-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-148-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-149-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-150-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-151-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-152-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1500-153-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/3260-140-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/3260-134-0x0000000004A30000-0x0000000004E00000-memory.dmp

Filesize
3.8MB

Download