laplas | 483fde1fba538fd23eff241ac85960f2710850c8bcb7bde0024e298d065fc01d

General

Target

setup.exe
Size

1.8MB
MD5

f465d008c8ac27c3946376b5a5a9f5f9
SHA1

614b5376bfb761e2177af0b5c097081d31689883
SHA256

483fde1fba538fd23eff241ac85960f2710850c8bcb7bde0024e298d065fc01d
SHA512

beaca0330c79e27a2eae1770cf448e4e021d0aab6f918bc97e848d1ced85cd7d2fab00841abc65dc53ebb973a21b2efdaa1d94d6a7a01428ceb0456ebcb1f79e
SSDEEP

49152:W7WhJ7cYDtLPUx4Pz6zqhxldCkVjBVn9:WkN7xIq+zqh7wkrVn

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

1360 ntlhost.exe
Loads dropped DLL 5 IoCs

Processes:

setup.exentlhost.exe

pid process

1540 setup.exe
1540 setup.exe
1360 ntlhost.exe
1360 ntlhost.exe
1360 ntlhost.exe

pid	process
1360	ntlhost.exe

pid	process
1540	setup.exe
1540	setup.exe
1360	ntlhost.exe
1360	ntlhost.exe
1360	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 1 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 1540 wrote to memory of 1360	1540	setup.exe	ntlhost.exe
PID 1540 wrote to memory of 1360	1540	setup.exe	ntlhost.exe
PID 1540 wrote to memory of 1360	1540	setup.exe	ntlhost.exe
PID 1540 wrote to memory of 1360	1540	setup.exe	ntlhost.exe
PID 1540 wrote to memory of 1360	1540	setup.exe	ntlhost.exe
PID 1540 wrote to memory of 1360	1540	setup.exe	ntlhost.exe
PID 1540 wrote to memory of 1360	1540	setup.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
305.7MB

MD5
c08da0317cdcefcb67d8ca4420eb8327

SHA1
07b8e2fcd14794fe1f99f27073bd51ddd0a80502

SHA256
83e8579763feeaa289a71aec5d9e4addbb19c19263b4af9a42e589d62d8075b8

SHA512
d45e87c707e229aac140ead2ef9d5e71fe111288fd96c28472c6468966374350a3e76d5cc24eed6ee9fc3a5c625c4e827512206ea59e8c01fedd8791eb4907bf

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
295.7MB

MD5
2edab75395edc059692c8e113a637463

SHA1
7e9e4b57e5133038a08d85a0b19f736e5f61b2ad

SHA256
5b34fe89dae91caf0951c7c76218e5e1969db4c68c56eabde67fa86399ce39c6

SHA512
9cddd36b1325bc19fdfcdcfd439ad87e192395c1fa4378c4e52a4c4518d0bd27c2b2f68f4e322b761794ac680635695830fbe2c45ba5d0fa8d59d98f446a2510

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
306.4MB

MD5
1015990a964d24c729f425df692a05ca

SHA1
810ce02b98d4d4ce58ef7b41d981920c19e1c2d3

SHA256
9907c0bd228a88c9bd71052ab2a11170110ff580ab47e14ac03ab6b54d2c30bf

SHA512
c5b19c77c6408153e4dc0a258b76c40baffdac0655ae9cbbacb99f35efa301d1369ae58323e5de344492968dd26244dc14032b8efbef39b0c4cde8c059133934

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
160.9MB

MD5
a94472ebeb08abbf649c6e34d8083bbf

SHA1
f9ea07e69fa98e552ee232e334e13bf8736d295f

SHA256
e0b8d12886e974a9e2af78a03fea3e6e47122791094e5c337c2fc1c6830e2e8a

SHA512
34e64c64df8c82ba8359e8c8e479b4e9da5c4ca95efd842b528b7109df335611550f12c0a7240463f02115f08d9b03b48dbfb382bd4a79d9adbe8abffeb569e3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
164.6MB

MD5
14853e09d1b27ac33420959db9d08811

SHA1
23bef01cda73fee217b2f6033e2439a86018c872

SHA256
da0fb046844b5125e70fe667768628dc0fec2416620c07f7198a4bea6235da74

SHA512
e39e10f8652d4f6ed518897cdda6179bcb407d710668cb9e120c3d452fa09d36d1fdf353fc7139f855404d07a5cafe6b7ddef4cbe60dda2001e646b16638309a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
301.1MB

MD5
5b3767d48489d2092cbdd843cc576f98

SHA1
70a9b889954482e50cab3e64fa00abb50afa8cde

SHA256
3371f2ff80bc954fc596d26679708e4862fca0859a53250d587b9975a2972dbc

SHA512
205087ae054ebbafd9837316f05785166d952e8c5ec412c4f99b7c7bfa23365f60086fdadde871385948bb861073598ce7f811d3432317b2e2b3b84c09661d50

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
304.8MB

MD5
6a60740587996ac32b298f483157ffe7

SHA1
15b73603c2b0927bd62606184b3f85a86e5d9dd8

SHA256
a3a9ccb88f90ea6027360f693aed29f17fc8234f450aae4cf13a3ecda2201ab5

SHA512
ee5b292e6d0f95c49c28c8515a2c8896e6e5adbdaf2e53105c6a005876d7ff70e3e977bae3e54f54ec212909b05aeaf11a356c70b5906058ddede81f8851946e

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
301.9MB

MD5
2e522979c625bfca981f6f781fb0392f

SHA1
ee9f6ccbe45628be2640dd0731d6d6e5940332a5

SHA256
35560cc8b45b2e45c948f2ee3e1f76c99249cdc3dcc905355125c02a06f7a874

SHA512
77ee56305c47ff8a88ca16d7dc08b7e7b308dc2113b94225ac34f8264d942645a97b84ab139cab07990ecbb9c33a23778570d31a2a3002e3d88e8519ef4c06c5

Download Submit
memory/1360-70-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-77-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-84-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-69-0x00000000021F0000-0x000000000239A000-memory.dmp

Filesize
1.7MB

Download
memory/1360-83-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-71-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-72-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-75-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-76-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-82-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-78-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-79-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-80-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1360-81-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1540-67-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/1540-54-0x0000000002260000-0x000000000240A000-memory.dmp

Filesize
1.7MB

Download
memory/1540-55-0x0000000002410000-0x00000000027E0000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing