laplas | b46481ba0ba92b4cf9306181a82bff5cd1f1213fd23fb73c01a5b46435c7bebc

General

Target

setup.exe
Size

1.9MB
MD5

7e1ee04719bea1b532ed44609632ccd9
SHA1

f6ad1ded616f8877cb34f873b3597aa6df50e957
SHA256

b46481ba0ba92b4cf9306181a82bff5cd1f1213fd23fb73c01a5b46435c7bebc
SHA512

0bbb7c9e68f27d05476a301ec95b0a3ee7ab46ab3e912adcb14bbe44015b07ef1668e076518076abf79c6b366a1d59f057553411383a263ab539786853bc2819
SSDEEP

24576:prRWZ35JhqWpgXEC9CsacGA2XqHO4fOD22eAbFKhvb12pG5UojUsw1EyYMoPBETh:prsvJhS7Rj26H/fOyj1qG5UojUslMoJ

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2008	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
2028	setup.exe
2028	setup.exe
2008	ntlhost.exe
2008	ntlhost.exe
2008	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2008	2028	setup.exe	27
PID 2028 wrote to memory of 2008	2028	setup.exe	27
PID 2028 wrote to memory of 2008	2028	setup.exe	27
PID 2028 wrote to memory of 2008	2028	setup.exe	27
PID 2028 wrote to memory of 2008	2028	setup.exe	27
PID 2028 wrote to memory of 2008	2028	setup.exe	27
PID 2028 wrote to memory of 2008	2028	setup.exe	27

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
182.8MB

MD5
2d4e4c4500aae71cb4cb88f36883f8b3

SHA1
285d3b6a4fc24db52f456eca938255e6be70704d

SHA256
84551336a122e2a429f78b6ad734cf899784859c81f1986570b77e96e8376575

SHA512
7659a1483a17700db59e9dbd652dfeb98d5dc8a1d6fa08d30c41624e666351fff4982feb73858cd36e326b4badd725f6f452b67443cf9e90673c2942e34e6988

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
186.0MB

MD5
11a1804ab959f78299d30ef19927eea9

SHA1
e109401abc24dea6a8f194c533eeef3bfb05da11

SHA256
17c7be4a61116519d0af56fc89d7d8f3e53dbd679cc932efed459c776966b2c9

SHA512
459e2d7b720b4c2aa85637c1e513bad2be91e51ef7036d403d578441a78d18c9496b2faaf2205f50afd5dcf78bfe342a96233008f95e9f2ab60be18df33d36ba

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
186.4MB

MD5
363b99619f7b6400bbafa93489efde69

SHA1
7312005414e2d1da6d8b14eb7fd777f04a5043f0

SHA256
59516288b37b4c690f7afcf1b2d6044bd868f366889b2b80826acb29c6f90606

SHA512
baa70d144408fea468d94fcb7636fa3514a3a22fad7cbbf643dff87d178d08d13019964f7bc09e6f72d5a8f201bce96c925c1cf8fa47d473e28c324dd46afce5

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
141.0MB

MD5
abb10b216ab8aba4e02634eb386dca93

SHA1
f3072a40374c678c8c5dc650395fc3388f21ddfc

SHA256
ad8341dd40eb41b25435c322aa7939e8879174061164bc24caaa39aefb654778

SHA512
5195647d499d6e43822f86b72121d46f2b1a0655c933684eb8f6d81232c772aaaea5ad93360d6206d66bcd895db45095e49cf2a4578f1e26006064a0213afe95

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
182.7MB

MD5
8423f272244a99fe63dca5c42a681015

SHA1
61a71553c03432d8aa4d3a287e7a0ba07e6ada33

SHA256
d8c6e7c543e12f58fbde761654980c19a219036e6086141c04ee0c135e51c171

SHA512
fdf9d458723dfc2915ef40f9f4eaf34904826e5836d9c45555ffd1e9404c570090f5791582eda7ad13a9f193c1ae58bde21bb0de621bc1cfec6781cebe540fb7

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
187.4MB

MD5
4d8e8dc1bc5cd13087285efc52bc0f65

SHA1
97ad964b26d5c38af8f978863c5a14834bed04ac

SHA256
a14ed133626935f04d2a1d61ca622bc4c4b7c854753cd24d7768fb02026673ec

SHA512
e38c9b6d90dce4d85437859a60ccb79616400bb351f220a44a0a25d025d22055f702341a5d9e786f98cf785906626c1b9c50ac876fa82614f79dc3bf1b95ffdf

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
186.1MB

MD5
163b55aa982f429788be7420b6347df6

SHA1
797de434923e4d708af270f1db9c09f614fc93ae

SHA256
0678334206bd38020092f39a2c98f66899bcfed7f7bcda397db18e1c2a8ec66a

SHA512
7090a8f7329f1456f72e9cf8da41c3ce18630698f08c7bb5e23e453650842c005e712cbba4f470188d3648ba2332ef7e062f8d291d29f38258eb34f74563d2c3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
188.2MB

MD5
9aed5d3f43947e367b4548d4021b54c6

SHA1
a4f3cc8c6f0ba8b58884609817507519ba52ba47

SHA256
c1ca07dcbeb0edd3a5d2e3942b397a39e4ce672a23645ca6fc359ea609bf435a

SHA512
0f6858ca8c9e11fc19e797f1a5e95381ebea8b9218189149a0d6a9fe66d215c2b68276def2d307bd8479c5f0ab95d95a570729b3d8ea1158ab83496b7795dba6

Download Submit
memory/2008-71-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-79-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-84-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-83-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-82-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-72-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-73-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-76-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-77-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-78-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-68-0x00000000047F0000-0x000000000499A000-memory.dmp

Filesize
1.7MB

Download
memory/2008-80-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2008-81-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-54-0x0000000004800000-0x00000000049AA000-memory.dmp

Filesize
1.7MB

Download
memory/2028-69-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-55-0x00000000049B0000-0x0000000004D80000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing