laplas | 57c55683cc7cd4675f6568f60a8177f627d62b247d85456db10a19badac61d3a

General

Target

9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe
Size

1.8MB
MD5

94ce1cdbccb31d0993990d8a5fbd34d8
SHA1

392bb3736fe7b5e45f808f69097ae422ebc5c018
SHA256

9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5
SHA512

2525b7ac471490b61ab425c81c85956de1ff8d2a97787e95341bbd0f2047521183533495005eeefc427a30ec979e36421533696ecb7dadade57c13881294d7ab
SSDEEP

49152:rzmvpQccgreskIaAUgrqgHkrWIF994X5IBYr:rzOJtqgHkVoIB

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1300	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1428	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe
1428	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1300	1428	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe	28
PID 1428 wrote to memory of 1300	1428	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe	28
PID 1428 wrote to memory of 1300	1428	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe	28
PID 1428 wrote to memory of 1300	1428	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe	28

C:\Users\Admin\AppData\Local\Temp\9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe
"C:\Users\Admin\AppData\Local\Temp\9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
142.9MB

MD5
5f20bb9505c8e006e227ce965eb80806

SHA1
fafca076f855963fc94227f2f8287489dfdeed6c

SHA256
a3769ee4b27e999788b5de39bd8bea9602c420033a9e84cc434600a85aac1ad9

SHA512
255b2254a85e58343f09a5bc4a9000b24829f9ec8b3a86f3c1ee1564b4a349f4c8fd395172e0a8fa708137c601e0c9275b553a86c222995f7a50327e347fb71d

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
143.2MB

MD5
93b022dac0b234b779384b722bf101b7

SHA1
3721bd4365037804ea61c279be1647cc8b1cdbe2

SHA256
d269e841f2a3c5caece7540ab150842e527ba7af5405128fb062451f49858bcd

SHA512
fb59b405c5f4741dec91337b8fe08b49cde499908094e1702abf8d9313fd1126a52224ba36574e04c1132943838f03c08cc510be48a319facfa5bd34fb6615a3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
126.1MB

MD5
215b0b6ca3f699cdc80c2dbf23b5eedb

SHA1
d52162efdc2754519f5b1356746021c310771949

SHA256
fce9e96aac62b5ee51975a8d5d496c230777f8fe614998496bd7c3c6cdbf31fe

SHA512
2c11299c5521fd4269807b7eb122a15e41ef56eb891571d0e0a3554c97a3b0d230e8ef4f2f00edd7880cef5b6dfa76b09f268a1854acafa593cd757dba95d664

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
138.2MB

MD5
84e9183b066226906b042c97abc7cedf

SHA1
f25319b20155bdb92849ea90ed3e02d2296f1bb1

SHA256
84aff0c2767c9b0398e4a3e541e7999796d5e82dd7e3310e4a49b3c4c20a34da

SHA512
fe162d69eaacd6a52d02d43485bd151537e0416422cbab7e327cc3b801a7ebad69b5ffdcc32a39604b580a5b37a03a5af6ebfad81fe370ee7e97202c5c59b02b

Download Submit
memory/1300-71-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-72-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-64-0x00000000045F0000-0x000000000479A000-memory.dmp

Filesize
1.7MB

Download
memory/1300-80-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-66-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-68-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-79-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-78-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-73-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-74-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-75-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-76-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1300-77-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1428-55-0x00000000047B0000-0x0000000004B80000-memory.dmp

Filesize
3.8MB

Download
memory/1428-54-0x0000000004600000-0x00000000047AA000-memory.dmp

Filesize
1.7MB

Download
memory/1428-65-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download

Analysis

Sharing