laplas | 833b7887085a8c45b708a34478d96edbd3efa5838339194303001ff3c563fe9a

General

Target

2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe
Size

1.9MB
MD5

8c59b0c004d6d108c494ed8e96f573bb
SHA1

62856aa334190053f0e3b41f7f379a77aaf1cdb1
SHA256

2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589
SHA512

2c966dde8aa92dec51080a02a38c8ed207cd51fc8196bd6a92e3eff316bb6370c90900f3b6c0d5d06e93f34ef925c509cb2c11f3d16a0cd3dc8984f853f85a6d
SSDEEP

49152:mG1dhlVkEIUaOM8Tb9E4V4GwayVg53tW0S6ndKE:mG/hkPUaX8/64x0g5jS24

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2028	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
828	2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe
828	2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2028	828	2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe	27
PID 828 wrote to memory of 2028	828	2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe	27
PID 828 wrote to memory of 2028	828	2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe	27
PID 828 wrote to memory of 2028	828	2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe	27

C:\Users\Admin\AppData\Local\Temp\2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe
"C:\Users\Admin\AppData\Local\Temp\2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
304.8MB

MD5
083692ac4d3b418bf4df79b9b7e0f4fe

SHA1
841ec2d1f3490faf32e1af75592c4c219b48fb0d

SHA256
a24c8d63c4106dbe37da349dee8beca5ebc0191b02b55922870799c9ca991a5f

SHA512
86dc26a70d28b0331f6a47436a319940193a81842a7f540db0c1455d5fa362fae9711de5d3d2c361c96cb55ab71c3f0cef9ed5cb5df326bf04209641329d80a2

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
310.6MB

MD5
7087e901300b84f19b33700e471792a8

SHA1
e75c980a6935590352ee3641261d7d76f0cb48b6

SHA256
e4e1951a31be249d99447d67b957f9f8a554f2625367c11a6292e12e91db875c

SHA512
9f03de13fc1fc7c6673458c8a2d7db9c82db36345eca9d3bea5c92fb251b30f65f36458673aece6f2829b27d177f74bb7feeda0c4f04b28e9517b899cfb5c58a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
310.4MB

MD5
6d382c28e777c39ec848f2dc6b650268

SHA1
42aef6bd928cc8e7ce558d567b759b8646ebfec4

SHA256
30811b530a8e544c3924d7ad45b76a730b238ff5e23db2c71e5f0e2834e22467

SHA512
95110462ef8114f20226276e21e9e27c85f67b3b5e661e80fcfe8152dbe947b3c9200964a68cb8881abe693b383f33defeede213eb57036b2549e378b5bd994a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
299.5MB

MD5
59fdd55368fe2389156a510fa3b319e3

SHA1
db6b71c3a23fb62c6414d231ef96a23c8c2c1081

SHA256
e36b7932d76fe93a06277b786413cf464498095375aac0dd7d3e6434cf99a29b

SHA512
b8db017b2de5411a70ba43e52fbc140da637b71ff952081660ea84ec097f45af183772f80a43aaddf66ba3a9ddd9cfbf188a64b7c17306265be55eed6341bcc2

Download Submit
memory/828-65-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/828-55-0x0000000004870000-0x0000000004C40000-memory.dmp

Filesize
3.8MB

Download
memory/828-54-0x00000000046C0000-0x000000000486A000-memory.dmp

Filesize
1.7MB

Download
memory/2028-69-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-75-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-68-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-64-0x00000000045A0000-0x000000000474A000-memory.dmp

Filesize
1.7MB

Download
memory/2028-70-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-71-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-72-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-67-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-76-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-77-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-78-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-79-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-80-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/2028-81-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing