laplas | d3e973ccfdcd5be28bb8e6a99ba89ce9733defb337723c1897ec67f32dd2252e

General

Target

21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe
Size

1.9MB
MD5

c8fa0087f27ed56934adf9f106755304
SHA1

ae27342a17c8bc32a68f6e68436a6ae380f90ed9
SHA256

21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b
SHA512

1401f941d8a0e06ef5754e8c2bc36930ffa121fa99759c4b90d031e191a107903a115ad9b2f67d08c6082d3c0850e94ef7cd9b4659264af85ae691ee0d5d8b0d
SSDEEP

49152:zWrbeHdtxdC968KLFVvLw5xs0baRMJ1K4yo:zW+Hdt/861LFVLuGkyo

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1072	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe
1316	21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1072	1316	21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe	28
PID 1316 wrote to memory of 1072	1316	21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe	28
PID 1316 wrote to memory of 1072	1316	21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe	28
PID 1316 wrote to memory of 1072	1316	21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe	28

C:\Users\Admin\AppData\Local\Temp\21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe
"C:\Users\Admin\AppData\Local\Temp\21bf75dfd6fd3ff24b1e13302414fd0d09e6d0fe2cfa6bcc3a21fdda66792b2b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
53.4MB

MD5
8cc731675812a5775076c1ea7e9a7b2d

SHA1
995807d5dc7f9bccc7c6321e1a74f3852c2b83a2

SHA256
3bad931e92503fa5f5ceefd5a34840827f1664f30769e29b3be3fa038b05b072

SHA512
e6f6c79c3a26eccbaadbcde97521eea9577b74853dbe5592a5b767b33a3c8df0481ee2a73a02c52261b720cc3ae875a5ba75e9032461c74cf53e803d026ab227

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
51.5MB

MD5
e5ed423fce15631c793b577467d82d24

SHA1
62fd1e3f245534bb7baed7ab6361d3aea1e848a3

SHA256
deada12b4c68f95de0e7e1aebc70c7033c544b4c7e5ce0d53d61112def9f5ea3

SHA512
65f7089a5c2d338bab64914037a6757fb1575b4043fad2f516e869337cc8a522e625990a2499d68872c03ac7d867e0a94602c92fd17f3e9651ab2e320dd4d4ba

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
49.8MB

MD5
d92c17f190c31304670c1c2c1bbdc718

SHA1
80f16aef0cbc6b49e44c548b6487067885a4ea50

SHA256
93a1dc5d27bd7b5a8e223a934bd8b976b0112f5d1e4207ed1b30d56f7163d7ee

SHA512
7d831cbc7fd3a42fa2418387b00bbc8c1135d546f32d929a7afc3b2c4bdb4a4bf453542aef43e5dcdea5893b4c67d6b542973dd5b1d0442e177634a8e4e6d17c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
54.1MB

MD5
a905f8cf34380f2f8e4371967879f663

SHA1
24d6d4b5ef6ea09e8aa168068a31fc6c13974b44

SHA256
d16f87f748a8559487a593bbc48a77749378a5551c47ac914a1256a2f6190cf7

SHA512
1f7966ee3b5b5b9bb4851094998e4eee6559fd8aab0d8d2b3c47903bf8d06e14a01dcc5f170b627b40e8d7bf5f2b487c69922e6e799093d68ad4c48251056237

Download Submit
memory/1072-68-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-73-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-65-0x0000000004680000-0x000000000482A000-memory.dmp

Filesize
1.7MB

Download
memory/1072-80-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-66-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-67-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-79-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-71-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-72-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-78-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-74-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-75-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-76-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1072-77-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/1316-55-0x0000000004690000-0x0000000004A60000-memory.dmp

Filesize
3.8MB

Download
memory/1316-54-0x00000000044E0000-0x000000000468A000-memory.dmp

Filesize
1.7MB

Download
memory/1316-63-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing