laplas | 2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589

Analysis

max time kernel
153s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2023, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.9MB
MD5

8c59b0c004d6d108c494ed8e96f573bb
SHA1

62856aa334190053f0e3b41f7f379a77aaf1cdb1
SHA256

2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589
SHA512

2c966dde8aa92dec51080a02a38c8ed207cd51fc8196bd6a92e3eff316bb6370c90900f3b6c0d5d06e93f34ef925c509cb2c11f3d16a0cd3dc8984f853f85a6d
SSDEEP

49152:mG1dhlVkEIUaOM8Tb9E4V4GwayVg53tW0S6ndKE:mG/hkPUaX8/64x0g5jS24

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1588	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	file.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	27	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 1588	644	file.exe	84
PID 644 wrote to memory of 1588	644	file.exe	84
PID 644 wrote to memory of 1588	644	file.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
653.6MB

MD5
bcdd221d3e52a481a8869dcebe5f481d

SHA1
3da198d6e465e4cbf01c6dc42b6d643ddc06d586

SHA256
38fd3c1f4a05fd3dda3cba15b9e0004324d0e3c6f2de9edcad79e88806d318fc

SHA512
96d194256e76323363bba7d6c8dad1e65c2c1552434adb3284ade1131df3d1eb9d7154116202a7a373752b01260aa05c8d0e1f07a5b3c5f76d5a8f01a88db9c7

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
674.7MB

MD5
247a3f813335e3b112ad09896015cbdc

SHA1
e6aaae57d3a33977a593fb246d5efdcef4abb694

SHA256
8d3ae4f2a3bd7b9f2512dc46507c8d7890ee839d942d6b062f0e0d1671ff794b

SHA512
6396514e94a64ad639a271438ba760bf2a03b2d8130a40db2290118e34586090499b10d9c98980e6b848de3ac4eb874f3b99b9e8c8693c64f817926b56909432

Download Submit
memory/644-134-0x0000000004C00000-0x0000000004FD0000-memory.dmp

Filesize
3.8MB

Download
memory/644-136-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/644-139-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-145-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-150-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-144-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-142-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-146-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-147-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-149-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-143-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-151-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-152-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-153-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-154-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-155-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1588-156-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download