laplas | 4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e

General

Target

setup.exe
Size

1.9MB
MD5

66cb9bf8324c1de0e44b0f376b60ab1c
SHA1

59709e524dd2a2d589a9f548530bb5a682368a01
SHA256

4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e
SHA512

a511be876646d3956d1facad8b5371c26533aaa4e101db3cc974dcdbb2159562bd70d0fdceba12cea08ad00cd14b45d7367d98ba7e8087d19018145dfdb141a6
SSDEEP

24576:GyekufYPXnljXYjIAu/pbifU4EvOAzfVz0dTMA8Ej06EvdxMnJlZXzk0PHDawz6f:G5gPl0CxObEWuIdITEj0XMnTZhLF6

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

1192 ntlhost.exe
Loads dropped DLL 5 IoCs

Processes:

setup.exentlhost.exe

pid process

1260 setup.exe
1260 setup.exe
1192 ntlhost.exe
1192 ntlhost.exe
1192 ntlhost.exe

pid	process
1192	ntlhost.exe

pid	process
1260	setup.exe
1260	setup.exe
1192	ntlhost.exe
1192	ntlhost.exe
1192	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 3 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 1260 wrote to memory of 1192	1260	setup.exe	ntlhost.exe
PID 1260 wrote to memory of 1192	1260	setup.exe	ntlhost.exe
PID 1260 wrote to memory of 1192	1260	setup.exe	ntlhost.exe
PID 1260 wrote to memory of 1192	1260	setup.exe	ntlhost.exe
PID 1260 wrote to memory of 1192	1260	setup.exe	ntlhost.exe
PID 1260 wrote to memory of 1192	1260	setup.exe	ntlhost.exe
PID 1260 wrote to memory of 1192	1260	setup.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
262.0MB

MD5
8e18830d1c55b974d691859a084c3c37

SHA1
26f8d96946047dce8a2a16dd0973947aade7405f

SHA256
b21bd527bd9cbee210bdb4a200d00c49b3cc4837f6540fc33366e9cf07fd32df

SHA512
0e6f361f1aa1cfe32acf634787bcb650d934706ac0918c5593b2f3231a1f1ba5a8839e55d39cb3a07072fb1676794fe64d738af64b24838cc81ea713144c5420

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
266.9MB

MD5
2c0a67d598f7a7aa2eb05dd4ca544236

SHA1
211c2d54adcd2b70ae09a637355c15d33d2995a8

SHA256
0b8ad7a7417edcf2ee5983e211bbeff03e043dd709c6c5dc186ecd9e3e264230

SHA512
b3182ee63830bd15cdd6881dee9bb46cf0f0d940f219c338b53d449e0a84ba56937a3ae8560e109a00e5ca6c857f9e729e0ada8026769e76c5a780057904326c

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
288.6MB

MD5
c9172c7a451884653bef362327a35927

SHA1
4d5ce1f165eb525857980004b85b317143e15d28

SHA256
bf561f4377ab24ab6c0a28a4a5658e5a4b85974cb49939e049099814b1a0df76

SHA512
6f38a74410e4574ad9b084b44a776c5e25ff7fa382386727421842342e1529a5f51575c1dd8137f4b5bbfeba34f13348780eb6110c14bd44d6f176de7efe3e29

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
150.9MB

MD5
761599f5b8836f7517b4b0bb4764ba4c

SHA1
877f6421df91a57c13909df9259903c85548ad1d

SHA256
508a319dc3216d954ce552fb379baf94fc0633b37946f591baf5c9b3d7ae447e

SHA512
53fd7175664930ca213f129e8f5d0699c0d0959d10ffa268f1ffdaae2ca9b0fb25c174f74c2ba007d86a1d970187b806a9601e18b07c9ec106b191f23933ea9d

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
274.8MB

MD5
89d92dd735f975e999035f83f55082c7

SHA1
2678d018bcea274fe9362f21ccb0f55273fee9d1

SHA256
fdaac123e59e639d88f5a2586f89a8ab4874634b19acb934ab8212e172cb872f

SHA512
cda6fc149d661254f759b64f7aedc541c7628d4b1363aec76bade1ce0be06cddeec292894fa2abece9852875bbbe1ca41609f5acd3b2c120d7fea1476afc1b32

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
285.8MB

MD5
bb3325b8ede7a6e6823caedd68afa74c

SHA1
0ee6bada5daaf76b3b7af6f2d2b70dc3988be0b9

SHA256
01ff8d821b06b09ce50fb93ebfd2f70b9028ef04033046ba30a6898e51661515

SHA512
53f2195a36b17421106ad6e746218af3c4bc6a3828faaec867e889c51890f27785d008e8622d55d3942492da56580ef619cae50a97df7427aea39d72addc5342

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
271.6MB

MD5
03a1dfcc0aa008f217194a461b4aa763

SHA1
6e94f6ab821108a150d30cb99b537b00bf8b69b0

SHA256
1b63425478b1854b7d8a947b3e9778e6145b383635318ad8e446839505ed8c20

SHA512
e896db6bda13514aae04e96846431e327455d83a758401fab1ae42867007353b32a7cbd73ed6fb66e56e48724e45f94365d72b7b90b6521974bf6fdab8c90a6a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
295.2MB

MD5
44aac1bc2d3bab793422bd0faa8c46b6

SHA1
c31d9609e5ea7343d7f586f75cee46d3c9b0e38c

SHA256
bf4d33f43233f214f0cc7776806f418880af079eae2f2df83dfb3d283e5e35dc

SHA512
ff96d7d60bfa46079436546cb5e9ee30239ce8ee22357eeba50d0bd178c13ae7dab1ff1632134dd944734293823e0656f51d810b1c330cd009ffba63cfc81ff4

Download Submit
memory/1192-70-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-79-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-84-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-83-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-82-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-72-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-75-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-76-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-77-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-78-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-69-0x00000000022B0000-0x000000000245A000-memory.dmp

Filesize
1.7MB

Download
memory/1192-80-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1192-81-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1260-54-0x0000000002250000-0x00000000023FA000-memory.dmp

Filesize
1.7MB

Download
memory/1260-55-0x0000000002400000-0x00000000027D0000-memory.dmp

Filesize
3.8MB

Download
memory/1260-66-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing