General

  • Target

    efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.zip

  • Size

    164KB

  • Sample

    230321-r5amzade6y

  • MD5

    31d4c4c9fa263e967bd4c5d7a115f3e6

  • SHA1

    bff236aaebe8e53a992671a70c9ca951d7be8180

  • SHA256

    949837cfe756740e4d23db3e0aa29129f311e3634143ec9b0795edf105f92cf6

  • SHA512

    90e914f2e6c1da57d5cca1fc0a5415d6bb3158e84090ed55ce3d81ce93dae31bba3a1aae0b44c8bf42839664463b55a0635f3848cce0a9695ba9096153a6ea12

  • SSDEEP

    3072:CJiMs7X06Sz886EffWiFacZhZjgxL5cjg2TyUsv3Kd6+OgxOu1Ne:CJ9+X/SzlWiFaEeVcjgs7PBOgx1Ne

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Targets

    • Target

      efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe

    • Size

      291KB

    • MD5

      3b3aed60d330c39e582230b682ff2156

    • SHA1

      b91132e4edd5f9a02391dd8b5e25b64e68a73b8a

    • SHA256

      efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9

    • SHA512

      81e486b6ae35699a86e7d51bebc2cb314e72c33834e03ab059864befe5e8182ec4f06bdaaf1a1a92eae687cf26d6a0f9af720710caf869fbb5e6590cb1c2ed3a

    • SSDEEP

      3072:/PKXgwL0oG5+1hTI1ca9Y924EbWJaA1SNx75MVtNpkcWK:EgwL055+A1ca9S+GaAQN4B2cWK

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

2
T1005

Tasks