laplas | 2f76513c2b7c8f967a70526fdcf1e5c7976a4a77496e81be277c71fbbfcc3f54

General

Target

setup.exe
Size

1.9MB
MD5

181cf5e5f39bbe387b3b985b826b16f1
SHA1

4de92a14f49359ed21c3ee0be536f3126eda37db
SHA256

2f76513c2b7c8f967a70526fdcf1e5c7976a4a77496e81be277c71fbbfcc3f54
SHA512

56acae12a3af47a0ac9cf7261e5e51e4f34fb37fed8026f3694ab013eed3c5a5898733ab0d8dc99294af8b1cd80348f75efc262697b7ccea4c69188a9eb7b6b8
SSDEEP

49152:TkLM27jaMzaTnmg4Gd+cauh5ZvumK3GVtoxRTGs:TGM2GMuCg4h05ZvpILRL

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1928	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1476	setup.exe
1476	setup.exe
1928	ntlhost.exe
1928	ntlhost.exe
1928	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1928	1476	setup.exe	27
PID 1476 wrote to memory of 1928	1476	setup.exe	27
PID 1476 wrote to memory of 1928	1476	setup.exe	27
PID 1476 wrote to memory of 1928	1476	setup.exe	27
PID 1476 wrote to memory of 1928	1476	setup.exe	27
PID 1476 wrote to memory of 1928	1476	setup.exe	27
PID 1476 wrote to memory of 1928	1476	setup.exe	27

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
253.2MB

MD5
f81f3765c3d61e45857470eecc0a529a

SHA1
2811faa2fee967d53d2423a345b22b69a8d602c1

SHA256
b69bdabdc28e9b9b35b28c03aec2b84f0a79199caad0ca5364bf7ac3babba3a3

SHA512
a5240a5b435b9e54b82db224a6db320d2f8471f8f3caf47ae4402270cd31c46c344ccb8cf5c944bf1173375fc0e733cb2ca9a46a11e0528b9b0d3d148633040b

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
276.6MB

MD5
e7227ce4666ac22c03dff6dc63562fa4

SHA1
7a2da4d8983dfde2b1199891fba9305ef2166e70

SHA256
15cdfc5b2414a60072d8c2d4f7fb8967413a70f354a501be1be400e595205086

SHA512
6e2afa7e3ef8af37c6ab6577562e400bd621bb1c33e9392fd943971960d30e40e566553934db0a635bdc2145668b786faec1c4ea4f109c3bd09b4698209d9b2c

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
258.8MB

MD5
44140630abcdb1c6623abfce3657dba0

SHA1
1c3cbee83785918558d98687c15560bdb461dd7c

SHA256
8196be3cc56240ba070a4a15efd3ee725223507cf0c773529a9ffb8a2cc3134c

SHA512
93d32afd338de9e3a5d0a14ff76d3fb45eb69cac56963ddf37e0f00cd9cf59d8a07c4d3c0f57f0d8b92c3ab27cb48e95198e4c3ffd83c8d5adc9d7a7ac3ce60c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
277.4MB

MD5
3dc0a5d7eea9fae0660be510e0f3383a

SHA1
8900f699fdc8e421bb773b6ce0eaceb7e921a555

SHA256
6575a74872e7653bfa2d0c376e3189abbf8549de7a5a2b0a69874162225456b3

SHA512
e458cb80251112dc0a16bfed8208f32f76f39415ce0e512e362e3723f98014580a9ccf413b24618ffdc2bdf8312f7b0c8045082b85aad7a0dea311b708ed0bca

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
276.7MB

MD5
39dc2750136a8e0c6ab7b52baf8cb002

SHA1
027a0d7624093db7bf207683f592ab5a24fe5545

SHA256
6d3c298ba03a4258a6005e28738257ad4ebf45dd2c090e80f710b6b57c5641db

SHA512
29a3321e0954ec47dc0ba9d486a7bba2e137d201ba13eca1195304e607ce185ee5ebdace4b7b4ccd37a51816f34f08600c965d07a094a465bf53554386ea6a78

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
227.6MB

MD5
cea2d92740f87b208c55d94dcdaaed18

SHA1
1fcd575bad8859b3ae0ed19ceef6237895917f7a

SHA256
44dbe9fcae361a7c393a1105f7ecea1b17fa431506ac9887d0efbc2fe366f831

SHA512
08d2b36693ec1e7f5eb8399ad988032b1486c47908b8e62fdd651f1a3416a4412bc3a4f754f713543fcb1e10048cd1e8ca0f19219d4b21c851003c956fbec747

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
277.2MB

MD5
4cc8106dee3cae279ae0b1be63ec889b

SHA1
dbc3fb2327bfeedaee2c90f08c6ec2dc0e9d0ec0

SHA256
a18500f07648a5a43c1abfd72f07bf94e6c5d1d72d554c465ad7c0d6f51427e1

SHA512
70e669ef1d8cd1025979d883667fcef8d03dc2bffa21f734b55a2952ceae1fc237f4ee58e3618f388ab425b6055d3c194922e480297afd9c60155a64653d7830

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
274.6MB

MD5
374c4e5eaaf127476f38b20833f05919

SHA1
c87cccd8473480d6f5bc007817e27271411caead

SHA256
93578a451fa7189221812153761a9fc666cc7e2698c1425b06ae9e07bdd75a5b

SHA512
19da4969126512280711918db5f8eb2b5478f19b7e451a9cbff3bf104712bde9b97184fac7505dda188502de29749363d3864ca6a8967d2d7f73cb6c3a91e8fc

Download Submit
memory/1476-54-0x0000000002400000-0x00000000025AA000-memory.dmp

Filesize
1.7MB

Download
memory/1476-55-0x00000000025B0000-0x0000000002980000-memory.dmp

Filesize
3.8MB

Download
memory/1476-65-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-70-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-78-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-71-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-72-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-75-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-76-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-77-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-69-0x0000000002350000-0x00000000024FA000-memory.dmp

Filesize
1.7MB

Download
memory/1928-79-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-80-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-81-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-82-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-83-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1928-84-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing