Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
22-03-2023 01:15
General
-
Target
setup.exe
-
Size
1.8MB
-
MD5
f465d008c8ac27c3946376b5a5a9f5f9
-
SHA1
614b5376bfb761e2177af0b5c097081d31689883
-
SHA256
483fde1fba538fd23eff241ac85960f2710850c8bcb7bde0024e298d065fc01d
-
SHA512
beaca0330c79e27a2eae1770cf448e4e021d0aab6f918bc97e848d1ced85cd7d2fab00841abc65dc53ebb973a21b2efdaa1d94d6a7a01428ceb0456ebcb1f79e
-
SSDEEP
49152:W7WhJ7cYDtLPUx4Pz6zqhxldCkVjBVn9:WkN7xIq+zqh7wkrVn
Malware Config
Extracted
laplas
http://45.87.154.105
-
api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Program crash 1 IoCs
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 7922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2276 -ip 22761⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
840.8MB
MD575c22f17e6dee844a1b7241524d0fedd
SHA190c3bb267012f72bf82ab1e7be2ac266651b33f5
SHA256f93282f8bedb41d86355f53017ca65b8171617cd70c5d9793c6356411421fdce
SHA51215de93a2050508d4ab0fabc4950d1dc1a57d4bc8843148005c2d6c0692ef04c596162f49f2a1833df998f77de1747ebca4fa730b11c9a023a8d4985138df1237
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
840.8MB
MD575c22f17e6dee844a1b7241524d0fedd
SHA190c3bb267012f72bf82ab1e7be2ac266651b33f5
SHA256f93282f8bedb41d86355f53017ca65b8171617cd70c5d9793c6356411421fdce
SHA51215de93a2050508d4ab0fabc4950d1dc1a57d4bc8843148005c2d6c0692ef04c596162f49f2a1833df998f77de1747ebca4fa730b11c9a023a8d4985138df1237
-
memory/2276-134-0x0000000002730000-0x0000000002B00000-memory.dmpFilesize
3.8MB
-
memory/2276-140-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-146-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-149-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-143-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-145-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-141-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-147-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-148-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-142-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-150-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-151-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-152-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-153-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-154-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB
-
memory/2336-155-0x0000000000400000-0x0000000000898000-memory.dmpFilesize
4.6MB