laplas | 1e85dc00b32d476b0f48f95c74b4d414a91144f5b181815d55908067ac0f25c0

General

Target

setup.exe
Size

1.9MB
MD5

2cab02f2e9bdffa47eabd1fe499cb659
SHA1

dda9070cebb6e9f4cd452ab681815497d590a719
SHA256

1e85dc00b32d476b0f48f95c74b4d414a91144f5b181815d55908067ac0f25c0
SHA512

2b56cae6faa229365a7b1297ab5078fef485b6084ba5ac699cde93af700f831d92c58f5dcffd08b7ec7187b2b173036b4ddeb197b16f8c429f6e0136cc1b8079
SSDEEP

49152:Z4W99T3jU5/iEhr9pk59e0GPkZs9M47Ke2t/vGlcC6H7WCag6lX:Zj/T3IFiA85GNKp5GlGH7W66lX

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1188	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1388	setup.exe
1388	setup.exe
1188	ntlhost.exe
1188	ntlhost.exe
1188	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1188	1388	setup.exe	28
PID 1388 wrote to memory of 1188	1388	setup.exe	28
PID 1388 wrote to memory of 1188	1388	setup.exe	28
PID 1388 wrote to memory of 1188	1388	setup.exe	28
PID 1388 wrote to memory of 1188	1388	setup.exe	28
PID 1388 wrote to memory of 1188	1388	setup.exe	28
PID 1388 wrote to memory of 1188	1388	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
247.8MB

MD5
01426b81e8ba83525cd60b3592ea70df

SHA1
7d9986012e66b3f419299484a0e7e3cbbcd21202

SHA256
fbd589818e2bb68a5213cbf7371a59864d1d76c33177d79696e011e08206a518

SHA512
5683566f4b8c1834c367352ec4c7f64078b0a94051dae28120175b412520dc48e88a876a894ad815698a9cf1dbb1a2404b7c25f54fc1972660c68b445ec70bdc

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
307.2MB

MD5
29aacefe6b2f7844aa3639be795985ef

SHA1
7e4fa9d9dde6e6c72e49df8dafbe55250bf38fa9

SHA256
902001aab81d4890a3eb0d20632448abee9e0d7cbf832d9b6388d628af360925

SHA512
a74fc3138a2980ca2d12d4faf067cc30f475c5fcb7e43bbda3769f5f42e3e918e60d9886e274fb6371ee8708edb4a782db2ff646fc03a20fb503744ca7369eb3

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
292.3MB

MD5
3e706750cd4923b13dcfc95fac729eaf

SHA1
c20b3849255af5257111ad8b97978a55d13de889

SHA256
0c8cbdc1c8622c5bc081afb040a6b7618b99b116ad7e415679628ae67500af9a

SHA512
bdcdb43fe669ea20fa2610eb0c5518eea9e9c13a1aa1fca5771bcf377669479e8dba7c04e75a509a94655ae6cb85d3b910daf096c533ca58236230e0818d0a21

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
176.9MB

MD5
c04e6589b1dc7bcab839be64fc655a23

SHA1
db01aaa27ab3444194279c7e986952da7a5be6dc

SHA256
0ae07cdeebf0123eecc21bd4efbcc437f9131f7414a796e311a46ab88d9a7d36

SHA512
c979e0b43719e714da419693cbca800ba154b5d306dba0d02276c647aa3a13c6b34a2a410f112898974f27ea64b7a215d5bcb92d04be17ebbecdfba4cf87404c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
278.6MB

MD5
a55eeedf7327ac31347a9c691c93ca5f

SHA1
0564a4a343b52f05612f6d99b46d8096ff21b95b

SHA256
cca620008c73c983ff4236d3b6399087ac538ec19d1da550c023cde1040bbd26

SHA512
e77c4027494f609b68c72808c7d436b8cde6bf6d12d01ccb9bc18b4aff00c9afb8d81f2f2ba01b3f81fdf1279bcdeda224064b9d122ce45614d357d66defe647

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
301.2MB

MD5
5d0d926f8a0dcce3daf1d04510da368e

SHA1
5d134edde9b50b392444d0906cca3eeea787ab41

SHA256
65afdb769009e45cd5a88b8411af38eafdc9f4dc0e75d8ba84d9779c4adf7e66

SHA512
e46f35b9e0e0d60e09d07f4f10ce768084e914a1bfa71c7e69e2db82d4a4409a4107466655e70718ff14e6d561e43d1fe0134193f0bf7e0658f8d66c333a9499

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
289.2MB

MD5
2fd12f0fdbaefd195a3da2b38673786d

SHA1
90ce04ef007d9744f92fe4e895a8d4e86a1558ab

SHA256
24bdb3f6f8aa6600f2003211ad6986f960d501438d91c834acfe66db70306c15

SHA512
227239abfac2d3ed67312a20e44b41a4af5725b9784bb54b9487f9aaf3a928e6299fe795d0e49c95385b558c463aab8fe6143f4464527a900be532dd9f33cd69

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
296.9MB

MD5
42fbc25deaa755d8092f0857565f2b40

SHA1
7569b0ba2e322e3774a6c503f932e9e666dcdcb7

SHA256
c85208d2e65fcc49bd137febbbe949f881de7c922cfd2f774637160d8f4bf48c

SHA512
1b80fc4091e5cd665d21a9e772dd97318f10b9d38dd5a1fd0e328c33df97f57552d4ae544a4f9493eac09cc4e7e9dd41e869e5be9a99848295955f53e0c05715

Download Submit
memory/1188-70-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-75-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-84-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-83-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-82-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-71-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-72-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-73-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-74-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-69-0x0000000002590000-0x000000000273A000-memory.dmp

Filesize
1.7MB

Download
memory/1188-78-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-79-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-80-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1188-81-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1388-54-0x00000000024C0000-0x000000000266A000-memory.dmp

Filesize
1.7MB

Download
memory/1388-64-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/1388-55-0x0000000002670000-0x0000000002A40000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing