laplas | 1863e62e713302b15c27801878cc1a085e6e0382bd4cc719e2ecb254d0a43051

Analysis

max time kernel
148s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.9MB
MD5

eaa8dbc48c3f6d5a935141690bed014c
SHA1

5778105a7e42446503dbfc69cbbd20bfd148f444
SHA256

1863e62e713302b15c27801878cc1a085e6e0382bd4cc719e2ecb254d0a43051
SHA512

267e2592dc91cd63ee64824cfc63fe1a42629eac6b35ea7fc5be2169cb8a3d7c6e74b41831f96bfbd87b54ac4d97484e74fddefb2465271ba3f442043f11a111
SSDEEP

24576:dVPcOBkwVC63STHaiNdh8fB8dmwJVoYIlpQI0gneH3Lwk0zcdfKkQE/VQmwzQcGK:dv9LkxdKf25gneH3LwXYKkkXQeoP1w

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

1304 ntlhost.exe

pid	process
1304	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 33 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	33	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 684 wrote to memory of 1304	684	setup.exe	ntlhost.exe
PID 684 wrote to memory of 1304	684	setup.exe	ntlhost.exe
PID 684 wrote to memory of 1304	684	setup.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
810.9MB

MD5
74271f2029c456b8df368566983a8fcc

SHA1
04f52bd88b4337fc411515bc7077024d6f75b430

SHA256
9415598c4d27bcd99a9095ede25eb2d4a60526ef8c2d3ca3c6f2f40247378af3

SHA512
41ebee3008967b3356ea8641212bed4029ed029812eefa59c592fc939bdc641eedb252d42098b05bbb30e69fc25481fd8336b6062a30f8cc5b83380b307237a0

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
810.9MB

MD5
74271f2029c456b8df368566983a8fcc

SHA1
04f52bd88b4337fc411515bc7077024d6f75b430

SHA256
9415598c4d27bcd99a9095ede25eb2d4a60526ef8c2d3ca3c6f2f40247378af3

SHA512
41ebee3008967b3356ea8641212bed4029ed029812eefa59c592fc939bdc641eedb252d42098b05bbb30e69fc25481fd8336b6062a30f8cc5b83380b307237a0

Download Submit
memory/684-134-0x0000000002640000-0x0000000002A10000-memory.dmp

Filesize
3.8MB

Download
memory/684-140-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-145-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-149-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-143-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-144-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-141-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-146-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-148-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-142-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-150-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-151-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-152-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-153-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-154-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1304-155-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download