laplas | 8ee9f9bf18880afccd96ece9f1d4c384825b0de092b0ef6bd78d6d0276f67051

General

Target

setup.exe
Size

1.9MB
MD5

5419d85dbbb8c57fb337f1490b3d6c21
SHA1

780a46377db73dc921d3a7795412b4405ea290bf
SHA256

8ee9f9bf18880afccd96ece9f1d4c384825b0de092b0ef6bd78d6d0276f67051
SHA512

e1d84bb5105f62fe53c2be15d6c5f1c64accb17960aa1aa9cf2be7fef5a2de695bd0d11bc1c4d5f6ede8923f59847a6f5c052091ecf93a3ff3d10747b38d33ab
SSDEEP

49152:d/P9nuxcamIidEoNDD1eHi8xvrRoHvVHQx2HylA5:dn9nMcaZidz/1eHBxvrqvefA5

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1740	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1932	setup.exe
1932	setup.exe
1740	ntlhost.exe
1740	ntlhost.exe
1740	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1740	1932	setup.exe	28
PID 1932 wrote to memory of 1740	1932	setup.exe	28
PID 1932 wrote to memory of 1740	1932	setup.exe	28
PID 1932 wrote to memory of 1740	1932	setup.exe	28
PID 1932 wrote to memory of 1740	1932	setup.exe	28
PID 1932 wrote to memory of 1740	1932	setup.exe	28
PID 1932 wrote to memory of 1740	1932	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
268.9MB

MD5
fa3c40daf9b8d168cd7d70e71f7cd99c

SHA1
3d80d924e79d8c0240905bbbfecc6b000dd75cfd

SHA256
e1ff2110adef08239a8e5ade14171a9d852ccece4fd71b12461f61ca081a6ede

SHA512
4dc8120f3029a88a6c6284a28ef02473b9f7abcb6444f175225b1c23e6420355e0bb9f5dca5d5c23093d408012766dc849e5ef910e85bea8be747638aad40b55

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
263.5MB

MD5
14464642ca54eeaa3348a4af3841ed5e

SHA1
4e823a4e69b9fdb4b6245c6108e16750fc83a49a

SHA256
975c825e6ec3bc10005c7428fb0a264abd2a7e4a9c16d1f02a121ef8e696ea4c

SHA512
3ff37a476db5984226e07b640508232d1e7282b5c1d547ad3635e68edea903f31d2601dee5f6163cdacb03d223ea13d0298b760badfc8af8c59419d3538a8323

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
294.1MB

MD5
4d26442836e9d63ecbd5ef673891a170

SHA1
89ec181ec500737eb1c57c6c28b43a86a9b96da7

SHA256
e5433cc5a90e2f442d113db2758a665fac773f05dd422af369595f0d1db30159

SHA512
8b2511913363fe4806c50efb066bf74e08eec10b3423a31cef936fd015e6a4e4086ef13fc67fe22ca7286121963faca356e2ba0df5fd688f619f7cdc5ce16f6b

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
147.7MB

MD5
e279f5653e89a8c466e2924343a11721

SHA1
f862aac762cf1f7eec5318aeb805cdc29ad1d06c

SHA256
581b2a81232945bf755bbb5ca83dcf8dc353bf01193c09aa5baabaf718d0b78e

SHA512
c7ec9f7b474532d5db6139026257877d33c5c7d76cee0de473f249869d0ddf052b9a23d03a9c00c4d329cce3c961223c8269bdda3615ef0a638d2611b3a3f6ae

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
288.2MB

MD5
7b6416448fbbdd6872b2a742eedcaeb0

SHA1
1e59891bbf97455824df5f94ff0a78a352ffe8b5

SHA256
ebed80179630694076ff760aab4fcd6076146d0e0c6548d95a157164b4427799

SHA512
da6a4ec6e601628bf7a107b0f9da77e1c1af503bbf06d517adf11e8512080e6f56d8c0bf867267e35d6d4c4e3ab8846ac86c22cdabeede29d05fa9ec31eb6044

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
290.9MB

MD5
4428a95c8659d22fcbdc31cef34980e9

SHA1
b3d53f5f0165344d693c767f555072d9bc298cf4

SHA256
ae0de1cba09872bc6eac3ff5dde2a9e5ad90309ed73df9a18a4691bf7be78b2c

SHA512
9d30707d3ec30cf5d2cd48ccebb464ad541845bfbca949eddc9ceff7b66c91d03bc9c2db8793b704ab5c3b01dfff43422ec79a63cf63210852e28e0f1822ee93

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
257.9MB

MD5
2eb8530bd4d78adb26b118b31d14bef9

SHA1
6c3b9d8220ec0e42d984eac5fa2f80a64c7dd5f0

SHA256
b8b110d828663a709be7db9feda309dc98a0d6c5e414dd822aaabcd826b2b973

SHA512
ca9695bb293e9a58b4b8819b842377147dd24c4b3811fe7ce23a34a91956d586dfefe2de2f9d5c22dac3c74ffe284b807be835bda31349be60f058a579d10968

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
243.4MB

MD5
7491d8886f62262b4dea9a64e0d17e4a

SHA1
18472d69bf2afd6bc3093d7f99cc8bee92b09ff7

SHA256
16c561ab4ccdf4ac7b6a10d566d44bbf79ef24db52c4dabdd93eb30137b2e6cf

SHA512
57f72764ea71caf7289cbcf0f2fec3d2a66f1fbdd4bdc069143e17058330c2342bb612ed67fb34ddada0436c3b98405d58f5e92a4ae66368b499ef9b60345a47

Download Submit
memory/1740-70-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-75-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-84-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-69-0x0000000002490000-0x000000000263A000-memory.dmp

Filesize
1.7MB

Download
memory/1740-83-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-71-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-72-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-73-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-74-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-82-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-78-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-79-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-80-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1740-81-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/1932-55-0x0000000002670000-0x0000000002A40000-memory.dmp

Filesize
3.8MB

Download
memory/1932-54-0x00000000024C0000-0x000000000266A000-memory.dmp

Filesize
1.7MB

Download
memory/1932-64-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download

Analysis

Sharing