laplas | 2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589

General

Target

file.exe
Size

1.9MB
MD5

8c59b0c004d6d108c494ed8e96f573bb
SHA1

62856aa334190053f0e3b41f7f379a77aaf1cdb1
SHA256

2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589
SHA512

2c966dde8aa92dec51080a02a38c8ed207cd51fc8196bd6a92e3eff316bb6370c90900f3b6c0d5d06e93f34ef925c509cb2c11f3d16a0cd3dc8984f853f85a6d
SSDEEP

49152:mG1dhlVkEIUaOM8Tb9E4V4GwayVg53tW0S6ndKE:mG/hkPUaX8/64x0g5jS24

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1932	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	file.exe
1972	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	file.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1932	1972	file.exe	28
PID 1972 wrote to memory of 1932	1972	file.exe	28
PID 1972 wrote to memory of 1932	1972	file.exe	28
PID 1972 wrote to memory of 1932	1972	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
502.2MB

MD5
904de2f025e8c4b12f0ebf7bf0369df1

SHA1
9a4de65f1dda1192dc8ea58bed39c6ae4c5a1b97

SHA256
27e2e146d154e484be37e439f435a8f21a5aa34e232709d95674c02e12cc3594

SHA512
7c7307ed414c1aea77435bf8be72463633885a2437d62868c61721b63de3e6ab3154afacc1f31aa4861e11a22b50d16e2b398a4c0e572b4079b3baac68c31f10

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
443.5MB

MD5
c223b5f1fdce77b8986b5a8c4cb1c85b

SHA1
7da6975a49bd3e89ccd3317575b65e23325b8034

SHA256
44e1baefdee6651ed14a563b3145b07a9c648a55b3291b4948de688aba92eb66

SHA512
747099b4dea23b41b91e9699771195a6c87d844134d90acc23c04fec916cc3cac2be3bda1d5a2a92c5f9d8315a52363f442265e1c4b90e838fdfead7cc895fc6

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
304.6MB

MD5
a16d9ff3d6272d9bb454da695940f325

SHA1
a2626671bc0bc41d66a2940d06678ffcb1be9973

SHA256
23106c9965674adfa92e2c79e32d449eefcc12120af752a144cf0c07b5b811e2

SHA512
5f34a8c87579e2ac7e5fda38683906e4ffd0418c101ea07e192e1eb0f14b4323e96eebdadf459aa5789023b00d7243a8d0fd1770a0ab731feb47af899bd1a4cc

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
499.8MB

MD5
4a45e2a4cba2d26adc79aaf78e90fcc5

SHA1
ffdae30db2966c05f79cdfea663f14e29d199597

SHA256
545a95b0e3eab9b9e86b7d7c6cbe5d7ba95ef9910a9c2780739b888932d8f275

SHA512
39efba9ad6b2ddc826ef990452c1527ed168bfba497564e9c47e09006274ab8b6142a6b32a4b9824c0124906333191e3d3a44559d79c2e8e213f4444a84994f4

Download Submit
memory/1932-68-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-71-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-80-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-79-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-66-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-67-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-78-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-69-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-70-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-64-0x0000000004540000-0x00000000046EA000-memory.dmp

Filesize
1.7MB

Download
memory/1932-74-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-75-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-76-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1932-77-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1972-54-0x0000000004540000-0x00000000046EA000-memory.dmp

Filesize
1.7MB

Download
memory/1972-65-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1972-55-0x00000000046F0000-0x0000000004AC0000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing