laplas | 21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b

General

Target

setup.exe
Size

1.9MB
MD5

c8fa0087f27ed56934adf9f106755304
SHA1

ae27342a17c8bc32a68f6e68436a6ae380f90ed9
SHA256

21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b
SHA512

1401f941d8a0e06ef5754e8c2bc36930ffa121fa99759c4b90d031e191a107903a115ad9b2f67d08c6082d3c0850e94ef7cd9b4659264af85ae691ee0d5d8b0d
SSDEEP

49152:zWrbeHdtxdC968KLFVvLw5xs0baRMJ1K4yo:zW+Hdt/861LFVLuGkyo

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2044	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1716	setup.exe
1716	setup.exe
2044	ntlhost.exe
2044	ntlhost.exe
2044	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28
PID 1716 wrote to memory of 2044	1716	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
226.0MB

MD5
707ca79fef832834d7dc38e174ceea20

SHA1
d4f6494bc18c15182df286360e6c29ed4a93c57a

SHA256
92b2e4179881fb37a3f3fc2f5c13106d36daa4adb1a49d096cce456641f5e1f0

SHA512
02c9aff8260eba3cbf9153ead778f6d6848f5e82eeb4210997dffaf1cbb5e304d1b30190e2fa5cfc4fbda9bc020d9358006639968250422e9a90c7fdebd23a16

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
214.1MB

MD5
fd9ccf5ab627f28c0051430e677045dc

SHA1
24889ce5cb2c5c9cf60d2d204e19da5e6cf02269

SHA256
33fab4bd6c4691322d352c8f9157e4889a0fd3337cef08e884c3972b64db4768

SHA512
591ee0607449ae3ba2d246ec97bd34b46aaf617d44de434f11b57818bbff4c53163a8544396b5efbdad08d93c38a3391f2859a1792a44f9cedbea3e6413d4bf6

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
195.5MB

MD5
c16bc93f45ac3756049280e8ee9832cc

SHA1
a4602bf584463e08a7f2b794f84fcb6eeaada5a9

SHA256
5a8d6b61857eb6b9d50d190f01eea3d65c55c73e2d8ae67a07d57824162900e2

SHA512
aedce1b555486a61935e1ade205b19cfd7309abe37bdaf4e4e5b6ea1cb2921d96ac4987829fc3e4794cccfa6158f4d9006996dbf1e973da19c784582a71a71b2

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
125.5MB

MD5
b3235f57b86c42c071ac8c950342e3d0

SHA1
d77d45a89bc4af82cc48c3b67a77b8fbccc6647a

SHA256
54da6800199e243aaf3751a3b10a289eece15d39acea8898954064a21b3937c1

SHA512
15cfe12e201d68fcb3866f004e4eab33647a23375369f2846ff8ca8c902854fca307a98edc2145a08c4a40332ba26f1a3ae81bd521320758146d25efb7c4b73a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
227.9MB

MD5
7e0cb2692c332db67e6ff91becaef096

SHA1
b93f16e0eb76b37fc0e38ca457a83918106a5bc7

SHA256
b73a279d68642ec71174757a2b1eb8a67b562279a52ba27e281b92169e8fb3ff

SHA512
c3a03407239b573cf93cc3d654ac5074799c9acb04003f5fce6c14f8bc75933960a4c2708cc3b11fc6a8a962330c339bacc26050920aad8d471259be9aceae85

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
191.0MB

MD5
1b3e08083107fc98f80fe79ec83f202e

SHA1
db57d90ef0d46690b40a1f3e189e5ffd57b7c5d9

SHA256
22fd32561d23f313adb4ff67b539e2e89f7df822a2495f552a13b8fedeff738b

SHA512
7982a72d67cc76c7cf4828f67306647a52b7c0f91af7cf38fcf978b08abef18a75208565b8db1dacbfc6187a98017bcaa96f3fbc6ba851f2489a2a7e0ee76fb6

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
204.4MB

MD5
e0e0114c7d1044e869bbc9124b5e17f2

SHA1
350b2d03538a0eed776b74df524318c9314953dd

SHA256
01ce8e4e6bd9ca8932eaa44c8ae7c24806b906a152e3d3e6fc3b3c96d39a7f8c

SHA512
6abdbb08767754c9aeb7dbd29ba5c039784b757b8e21371da29e7a6a2fefcc794c81bd356e74d04bff46f4b1d4fcc95245da3c0579c9bef9230cce68a7127254

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
191.6MB

MD5
cf06c16953940a09b1d14f8c314d60a3

SHA1
4062c517233ad6d4feb171c52cfc2571b5e48a21

SHA256
0f45fb53d408559b3c7b241ba86305674822eacc03cafde7afdaf4f4ff6d794e

SHA512
74dbf3e01a5a3931ffb000702040ffc3a2a00065ca93f2b0e37252aa4d76a9127da5bf60452616b1555e2d589cdb07b9937f80a6cb9ce0df46b9a8db52bf9763

Download Submit
memory/1716-64-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1716-55-0x0000000004880000-0x0000000004C50000-memory.dmp

Filesize
3.8MB

Download
memory/1716-54-0x00000000046D0000-0x000000000487A000-memory.dmp

Filesize
1.7MB

Download
memory/2044-70-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-78-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-71-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-72-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-75-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-76-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-77-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-69-0x0000000004790000-0x000000000493A000-memory.dmp

Filesize
1.7MB

Download
memory/2044-79-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-80-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-81-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-82-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-83-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2044-84-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing