laplas | 57c55683cc7cd4675f6568f60a8177f627d62b247d85456db10a19badac61d3a

Analysis

max time kernel
151s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2023, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe
Size

1.8MB
MD5

94ce1cdbccb31d0993990d8a5fbd34d8
SHA1

392bb3736fe7b5e45f808f69097ae422ebc5c018
SHA256

9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5
SHA512

2525b7ac471490b61ab425c81c85956de1ff8d2a97787e95341bbd0f2047521183533495005eeefc427a30ec979e36421533696ecb7dadade57c13881294d7ab
SSDEEP

49152:rzmvpQccgreskIaAUgrqgHkrWIF994X5IBYr:rzOJtqgHkVoIB

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4328	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	31	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4328	1920	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe	86
PID 1920 wrote to memory of 4328	1920	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe	86
PID 1920 wrote to memory of 4328	1920	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe	86

C:\Users\Admin\AppData\Local\Temp\9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe
"C:\Users\Admin\AppData\Local\Temp\9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
102.7MB

MD5
79452d948d6621febd3b07187149952b

SHA1
c76107a9d7083c37dad1145c109bdcbcd8d6e404

SHA256
58fa842af24b3ab4d1065859b6258753dc2846bb0bb85505332800d199bd2dd6

SHA512
5df0beeaa45720a5d9bb9768a9b857ce8a08c85221eb4c88146d55747641b91c7397ca9715f6dc003eb754f1de50294413e111f066081e633a2cdbc66bd93e54

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
105.3MB

MD5
f5a3910375f667f81e8196309ae2226a

SHA1
697c8a1f494bcfdfd906f746bee10aea37698a15

SHA256
91e58ac145327f69c85f647817bce017dc4d1c809b6a177ba4dd1afaf266968c

SHA512
69f657a283a6b75610e778fc03dc0b04f6ed03301a5f5fc9265d1c599167e03c41952ef9ca8a05bbcfc54bb5d398b2cc5346c1d2f4e1bddf136f750453149708

Download Submit
memory/1920-134-0x0000000004D30000-0x0000000005100000-memory.dmp

Filesize
3.8MB

Download
memory/1920-136-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/1920-139-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-145-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-150-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-144-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-142-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-146-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-147-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-149-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-143-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-151-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-152-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-153-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-154-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-155-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4328-156-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download