laplas | 1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20

General

Target

1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe
Size

360KB
MD5

3011d8256ead8820223359556ec2c85b
SHA1

403343881d8440f0cae73e82bc41b32c8b9d4816
SHA256

1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20
SHA512

49259be1b24ddb1607a78f4760bc937dff58917984a473101f0c5b27e363e90dad72455314e8725832238785dd3b84454637b5018ce0c434a7c6b90f58a5ab3d
SSDEEP

3072:040TlxQfw/y/7juaehfHY1Agbv6oL4OHkfk235cDk5v0WKSNyg/fbakoggwn0JV:O8myVs/Al4OHU3ODkJU6f2E

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe

Executes dropped EXE 2 IoCs

pid	Process
3672	AKFIDHDGIE.exe
4548	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe
1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	AKFIDHDGIE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2020	1772	WerFault.exe	83

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2712	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	38	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe
1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 4544	1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe	87
PID 1772 wrote to memory of 4544	1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe	87
PID 1772 wrote to memory of 4544	1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe	87
PID 1772 wrote to memory of 3892	1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe	89
PID 1772 wrote to memory of 3892	1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe	89
PID 1772 wrote to memory of 3892	1772	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe	89
PID 3892 wrote to memory of 2712	3892	cmd.exe	93
PID 3892 wrote to memory of 2712	3892	cmd.exe	93
PID 3892 wrote to memory of 2712	3892	cmd.exe	93
PID 4544 wrote to memory of 3672	4544	cmd.exe	92
PID 4544 wrote to memory of 3672	4544	cmd.exe	92
PID 4544 wrote to memory of 3672	4544	cmd.exe	92
PID 3672 wrote to memory of 4548	3672	AKFIDHDGIE.exe	98
PID 3672 wrote to memory of 4548	3672	AKFIDHDGIE.exe	98
PID 3672 wrote to memory of 4548	3672	AKFIDHDGIE.exe	98

C:\Users\Admin\AppData\Local\Temp\1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe
"C:\Users\Admin\AppData\Local\Temp\1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe
    "C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:4548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:2712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 2220
  2⤵
  - Program crash
  PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1772 -ip 1772
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe

Filesize
1.9MB

MD5
6b4854e6cad19b61eda6eb5e68dcfd80

SHA1
f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

SHA256
dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

SHA512
bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe

Filesize
1.9MB

MD5
6b4854e6cad19b61eda6eb5e68dcfd80

SHA1
f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

SHA256
dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

SHA512
bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
799.1MB

MD5
ace39db68ff9455a91d061be41b11427

SHA1
1ad0482cd15f0f8676a084047c65587ee0660bc2

SHA256
50e305435f5d7381b13f274f80bf5052b22a456866b6d3f9f380a242a0da4f38

SHA512
0a97723c18575f35f0aece7392d5fd2840e567d1efc261f04b2e00563ba3ae098b18d2c0081bfce3036c2d4340041972dadd098562fa61079c94504716eb6f39

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
660.6MB

MD5
05dc7604607fec17a9009e778bfe10b8

SHA1
010809f4acd87e8d2598a1c385321f1563c9eeb7

SHA256
17ca477b4d5dc9208f070e06707ed9907cc67345dd23c3cfc77489b2bb41b8a8

SHA512
4b5c5a21553b23ff29516f8c022cc5b29b75ed08c4fc23c79b089a14bd632e7fa2dbbac5a623e991f44ad422d25f9d23ecbde1ac63b3ecfdbebaf6ff8cc04dd3

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
755.2MB

MD5
5669b4370542adb3299af780fd897175

SHA1
6e89483e3db9dac0f9d166e9f716fb189be6cb4b

SHA256
509e7c0f0c08929454b58a1ee583b8467e5a5855f8d4e2fcf842592ded95b151

SHA512
643ad52710dc01780380371cd8793b59d3d96abc17338ab8bc368876cdbcf3bded5d845abd8431e6ac243d2bcb522a164043119ffe1dbbed1595188ee518df6e

Download Submit
memory/1772-206-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1772-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1772-134-0x00000000007C0000-0x00000000007D5000-memory.dmp

Filesize
84KB

Download
memory/3672-207-0x0000000002680000-0x0000000002A50000-memory.dmp

Filesize
3.8MB

Download
memory/3672-209-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3672-211-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-216-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-215-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-217-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-219-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-220-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-221-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-222-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-223-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-224-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-225-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-226-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4548-227-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads