laplas | 4b8c8646cd4c8e21217281a7c2155d9821126f1f7594e43b29c402a4a33b6d80

Analysis

max time kernel
149s
max time network
141s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-03-2023 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8c8646cd4c8e21217281a7c2155d9821126f1f7594e43b29c402a4a33b6d80.exe
Size

1.9MB
MD5

78804a23aeb68beb488a3cc4b2181935
SHA1

ce08cacdbb4ce93c487d452f967a6aff73ba614e
SHA256

4b8c8646cd4c8e21217281a7c2155d9821126f1f7594e43b29c402a4a33b6d80
SHA512

b70bfbe64e19d37a2be5e082d69e8b68caa6dfc13a337acbd9c8b6a6ea1e790aec1395acbb62a07b44ea56a833a99877d8f9a03b4b5a9031bb0641940e9ac621
SSDEEP

49152:kYOWavOzMz0Ls8b71Iz34gc7fQzGBliwRG:kjWakw0j1Iz34PUii6G

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4952	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	4b8c8646cd4c8e21217281a7c2155d9821126f1f7594e43b29c402a4a33b6d80.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 4952	708	4b8c8646cd4c8e21217281a7c2155d9821126f1f7594e43b29c402a4a33b6d80.exe	66
PID 708 wrote to memory of 4952	708	4b8c8646cd4c8e21217281a7c2155d9821126f1f7594e43b29c402a4a33b6d80.exe	66
PID 708 wrote to memory of 4952	708	4b8c8646cd4c8e21217281a7c2155d9821126f1f7594e43b29c402a4a33b6d80.exe	66

C:\Users\Admin\AppData\Local\Temp\4b8c8646cd4c8e21217281a7c2155d9821126f1f7594e43b29c402a4a33b6d80.exe
"C:\Users\Admin\AppData\Local\Temp\4b8c8646cd4c8e21217281a7c2155d9821126f1f7594e43b29c402a4a33b6d80.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:708
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
682.7MB

MD5
52c531ce94b61c624dd416649a5903b4

SHA1
f83a444896fe37f28edc1503e1603eb9835a8496

SHA256
87a0991be11e6582354a624f1a55004ee713c1ed82586553ded1d6939ebc1d0b

SHA512
d876f8c312e9b8382b1dbb15272006a7f5fbbebc0b7d5295ba171df78adedf4ec195ddebf22159fa548b23ca772162346cb3900e979ebe67aa540329f4a4932b

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
684.5MB

MD5
46831b7fa4a6850f436a26ffb142da4e

SHA1
94cf2cf7450884700d4042f5b42925458255d95a

SHA256
0a2eaacf0231ac26e98dcee3fd3546dcd807bc6f9e03ace04520a172843bef90

SHA512
88f34fb5de332c50a7883bf2bedf276c078b2ec07e6cea9dbd9d3b5d3f8c92eff85836ce00c86b594ac431e38f60b34b08e5bbc0a4ea3e6c510c29c69416b2ce

Download Submit
memory/708-122-0x0000000002920000-0x0000000002CF0000-memory.dmp

Filesize
3.8MB

Download
memory/708-124-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/708-127-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-133-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-138-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-132-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-130-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-134-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-135-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-137-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-131-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-139-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-140-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-141-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-142-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-143-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/4952-144-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download