laplas | 178666b82d3f9f6d4785ea5934870cd87d8e19c42b07379556a54e3007625fc3

General

Target

setup.exe
Size

1.9MB
MD5

e478dd003ab0c8cf0bbe61ffb0b77c3c
SHA1

9e1d30e2ed508b4473061fd46994332246af458e
SHA256

178666b82d3f9f6d4785ea5934870cd87d8e19c42b07379556a54e3007625fc3
SHA512

de4d7fd760acc976f79dd92ebe7a148b2f9787ab611e249815a8af511fa174730b04d143d26f6db384ab929746e441217268cde9b5a14128d4549340f5426d18
SSDEEP

24576:ZHt2b1Jo7ja0mbxvAruakDKnWXb4qx6zNFdN1UDgAiUjl5TMOPdR8feOTkjgRi/5:bwX9l1fDeWrskDgJUzdR8wjT/Sxju

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1768	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1676	setup.exe
1676	setup.exe
1768	ntlhost.exe
1768	ntlhost.exe
1768	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1768	1676	setup.exe	28
PID 1676 wrote to memory of 1768	1676	setup.exe	28
PID 1676 wrote to memory of 1768	1676	setup.exe	28
PID 1676 wrote to memory of 1768	1676	setup.exe	28
PID 1676 wrote to memory of 1768	1676	setup.exe	28
PID 1676 wrote to memory of 1768	1676	setup.exe	28
PID 1676 wrote to memory of 1768	1676	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
267.2MB

MD5
97f832c6621100edc2b722feb6d1b6c9

SHA1
4a9f9b7de0e744a0391f963622fdd6c3e5b564cf

SHA256
372b41ac206334350f3b852ae3d1ac32e4f1bc48ca7c150e7a8232f859dbdbcd

SHA512
e082dd2fa8fd6d861f5a66f890177a25fe3f80f9e2b5f86e063ba293c21187856bcf5d3c6f8ded73702567c7319ee992636b300f6da5e88669d5c7ba2eb1b4c6

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
304.4MB

MD5
e599e9c1924d590e43e4075df619304d

SHA1
1162b6fb5db9d9c6de2a6ecb5eea94e9aa002d45

SHA256
637902e50beb10f0269f2ea109e9c689348ec26213aa60cc48ce9f4ef1384498

SHA512
59110452284898ecab7c0f34dbe4c1bc1b529e61a5dc6567055a721026685897e1e3c9fe5921b4cc4beb611ee30202bd952a537036e55f2665eb369d5fd13fe6

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
292.4MB

MD5
4acbf3e3257afd05f2674447b2178667

SHA1
91cf4d6b573c11354ef01fa474851a79db552fdd

SHA256
8a8151d16a99b85e12b8f9dfced004987906eddc7173f672e72b421fba57734a

SHA512
1627b1b0ecbdd5576c0c35062649b7a90abdfb8ddcf03554bb79d031ccb42d85181f8f2383d0206780202ebf6a9d25160cdb315d093e6f1650a02f327ee9b5e3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
162.4MB

MD5
35d3ff47fd5f3430c3c8cc4678eb040b

SHA1
9ecc8653ad133facafb8c4023d7773d8c01d29ad

SHA256
436b33cab29ec0a051206bc4aefe829c751df6f26eeb115e90ce7529db99178d

SHA512
bb0ec325d6efd8df8971098e544d2b1d9c2c5867825a507cc33c552d413223633953134420eb66810020a05bed419522c6ddb691ce107f747d9ac25709f771bb

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
306.0MB

MD5
14384e9ec4a611d2ef77ffc9dd91f932

SHA1
ec1e9aeef3cd357c6b54a95f11087c9329f92fc8

SHA256
79fbb9cdcd62cb4f2f41bb1d6ced8aaca599ff679ccde14a6d40a3c590d90657

SHA512
28d6fcd2ea933d30ec2a762ec3795495f15ac87185fae12bd5119032d3ad0ffa7a59c60a50a3cf8604ac75d571338d1956383bdd85214a3606f67ef92d634037

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
285.9MB

MD5
46d3b97a539f5d75dfd16af8cce8baf4

SHA1
373906ba9a5f72ed7d669c6f505c2fbc7bd33031

SHA256
6e1f53e8f44582e9f9289282745b6551367cb5c7bfaef2fb16d5462fe617419b

SHA512
f96bf5c1591f091ff2be2bde7dffec51567c8b17366063c394991477fc028f86a703325979abb35edb1ad5a7c25f272495eabd7a361bf359ff11a8ba0bff36d7

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
304.3MB

MD5
58aaf5f89723418156c64c9424430b81

SHA1
5ccbb15c0a12aebed128e04b6d4992d027ab712d

SHA256
7652a95053b680890c4317a458521705471b2407f7d01e74e5cb5392735e516e

SHA512
9125b6d16323bd9ecea9e75fddedd0babb896bfb5f67fd9c26b73fa3a39ee402b2aecb73218df03684c38177f815efb7c1d6e30cd6084fe84e397689c633df7c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
273.9MB

MD5
9de22fa93af155aac96f89b0440d5cb2

SHA1
27efb8bd3e6177dbc9cad4c3dc4b00f1d7529fce

SHA256
01df11782ef79eb96e93c38fa348b80e4432a88d82b1669c32a00c0744f29e02

SHA512
7965f0de2114dadba0a27c849644176c9a11992dca9ebea7db9d3bff9d8f220feef360472fbc2b4a611a0c27534556103ef23865dfa49bacab24275322c0b93d

Download Submit
memory/1676-54-0x0000000002560000-0x000000000270A000-memory.dmp

Filesize
1.7MB

Download
memory/1676-55-0x0000000002710000-0x0000000002AE0000-memory.dmp

Filesize
3.8MB

Download
memory/1676-64-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-70-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-69-0x0000000002460000-0x000000000260A000-memory.dmp

Filesize
1.7MB

Download
memory/1768-71-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-73-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-74-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-75-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-76-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-79-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-80-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-81-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-82-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-83-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1768-84-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing