laplas | 1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20

Analysis

max time kernel
132s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3011d8256ead8820223359556ec2c85b.exe
Size

360KB
MD5

3011d8256ead8820223359556ec2c85b
SHA1

403343881d8440f0cae73e82bc41b32c8b9d4816
SHA256

1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20
SHA512

49259be1b24ddb1607a78f4760bc937dff58917984a473101f0c5b27e363e90dad72455314e8725832238785dd3b84454637b5018ce0c434a7c6b90f58a5ab3d
SSDEEP

3072:040TlxQfw/y/7juaehfHY1Agbv6oL4OHkfk235cDk5v0WKSNyg/fbakoggwn0JV:O8myVs/Al4OHU3ODkJU6f2E

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1268 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

FBKJDGCGDA.exentlhost.exe

pid process

1712 FBKJDGCGDA.exe
1844 ntlhost.exe
Loads dropped DLL 6 IoCs

Processes:

3011d8256ead8820223359556ec2c85b.execmd.exeFBKJDGCGDA.exe

pid process

1320 3011d8256ead8820223359556ec2c85b.exe
1320 3011d8256ead8820223359556ec2c85b.exe
1372 cmd.exe
1372 cmd.exe
1712 FBKJDGCGDA.exe
1712 FBKJDGCGDA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1268	cmd.exe

pid	process
1712	FBKJDGCGDA.exe
1844	ntlhost.exe

pid	process
1320	3011d8256ead8820223359556ec2c85b.exe
1320	3011d8256ead8820223359556ec2c85b.exe
1372	cmd.exe
1372	cmd.exe
1712	FBKJDGCGDA.exe
1712	FBKJDGCGDA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FBKJDGCGDA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	FBKJDGCGDA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3011d8256ead8820223359556ec2c85b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3011d8256ead8820223359556ec2c85b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3011d8256ead8820223359556ec2c85b.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1760 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 5 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3011d8256ead8820223359556ec2c85b.exe

pid process

1320 3011d8256ead8820223359556ec2c85b.exe

pid	process
1760	timeout.exe

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

pid	process
1320	3011d8256ead8820223359556ec2c85b.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3011d8256ead8820223359556ec2c85b.execmd.execmd.exeFBKJDGCGDA.exe

description	pid	process	target process
PID 1320 wrote to memory of 1372	1320	3011d8256ead8820223359556ec2c85b.exe	cmd.exe
PID 1320 wrote to memory of 1372	1320	3011d8256ead8820223359556ec2c85b.exe	cmd.exe
PID 1320 wrote to memory of 1372	1320	3011d8256ead8820223359556ec2c85b.exe	cmd.exe
PID 1320 wrote to memory of 1372	1320	3011d8256ead8820223359556ec2c85b.exe	cmd.exe
PID 1320 wrote to memory of 1268	1320	3011d8256ead8820223359556ec2c85b.exe	cmd.exe
PID 1320 wrote to memory of 1268	1320	3011d8256ead8820223359556ec2c85b.exe	cmd.exe
PID 1320 wrote to memory of 1268	1320	3011d8256ead8820223359556ec2c85b.exe	cmd.exe
PID 1320 wrote to memory of 1268	1320	3011d8256ead8820223359556ec2c85b.exe	cmd.exe
PID 1268 wrote to memory of 1760	1268	cmd.exe	timeout.exe
PID 1268 wrote to memory of 1760	1268	cmd.exe	timeout.exe
PID 1268 wrote to memory of 1760	1268	cmd.exe	timeout.exe
PID 1268 wrote to memory of 1760	1268	cmd.exe	timeout.exe
PID 1372 wrote to memory of 1712	1372	cmd.exe	FBKJDGCGDA.exe
PID 1372 wrote to memory of 1712	1372	cmd.exe	FBKJDGCGDA.exe
PID 1372 wrote to memory of 1712	1372	cmd.exe	FBKJDGCGDA.exe
PID 1372 wrote to memory of 1712	1372	cmd.exe	FBKJDGCGDA.exe
PID 1712 wrote to memory of 1844	1712	FBKJDGCGDA.exe	ntlhost.exe
PID 1712 wrote to memory of 1844	1712	FBKJDGCGDA.exe	ntlhost.exe
PID 1712 wrote to memory of 1844	1712	FBKJDGCGDA.exe	ntlhost.exe
PID 1712 wrote to memory of 1844	1712	FBKJDGCGDA.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\3011d8256ead8820223359556ec2c85b.exe
"C:\Users\Admin\AppData\Local\Temp\3011d8256ead8820223359556ec2c85b.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
"C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
4⤵
- Executes dropped EXE
PID:1844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3011d8256ead8820223359556ec2c85b.exe" & del "C:\ProgramData\*.dll"" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
Filesize
1.9MB

MD5
6b4854e6cad19b61eda6eb5e68dcfd80

SHA1
f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

SHA256
dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

SHA512
bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
Filesize
1.9MB

MD5
6b4854e6cad19b61eda6eb5e68dcfd80

SHA1
f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

SHA256
dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

SHA512
bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
443.2MB

MD5
0f4ef0c7d302d1acd3f9b3bc49faa62c

SHA1
0dc90899e9a4a99d8fb752cb1952d2cc53c80064

SHA256
18102994309df6185a890756ecf480b7110904056047e1ca7bd153eeb6df898c

SHA512
fa51c4c7c06011282d8f1832f9b733e430e909a6f88db84b28b1fa4813ebaafb3fee5bf12e50a92106e6c54c4f5aa213ffc312bcccc71cc834390e65cb8a6d84

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
349.0MB

MD5
da2877a0cbe80bbcb04e19a97c245890

SHA1
1b16d38ceab1af28237b671b50d950fa2eb2c3f5

SHA256
a08f0e789df4cd970fffc6a07d3c5d93c6010231cdaef3bbba34ca79979c340a

SHA512
e18797117993e56965cd3dc4c27801a19691605f42656cd72b2674cd049a978fc2a67e8edb953be4c2dab63ba7005475d529aceb03823ad91b234d903d2c513e

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
Filesize
1.9MB

MD5
6b4854e6cad19b61eda6eb5e68dcfd80

SHA1
f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

SHA256
dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

SHA512
bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

Download Submit
\Users\Admin\AppData\Local\Temp\FBKJDGCGDA.exe
Filesize
1.9MB

MD5
6b4854e6cad19b61eda6eb5e68dcfd80

SHA1
f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36

SHA256
dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

SHA512
bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
428.9MB

MD5
a4c063ccd80fe16d524ff98a43a8e9dc

SHA1
24777bc1dc2436546fc8f79ba1f0e202e0d88988

SHA256
05a37d215c9497cf625a0982d7040e5474a13f602137259504ff4487d0c2a483

SHA512
897325d7a46e2771249c218015a29f3fdf86a567897376e06bbc924274e0280c7829b13475b2ae5405e9776b6724be1860fefd66daf663353d5ac9d4f12b5dec

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
419.5MB

MD5
e35f8990bf0c669903e2856c08823d3f

SHA1
0ca22148d2ce70eeeb208270892af0594fddee77

SHA256
24705623be57a2eadfeb6b3d042ed55dc9613988e031d1edb431abec21926478

SHA512
dc916f508dda1964386d39bffe3aa832004d66fccaccf5427cb956be1e3d25ea44ee413f4bbf9763559f0193daa7f0d9a50a5e5f2ba1a2acbc75b678eb425fd0

Download Submit
memory/1320-119-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1320-115-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1320-55-0x00000000003A0000-0x00000000003B5000-memory.dmp

Filesize
84KB

Download
memory/1320-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1712-134-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1712-125-0x0000000002460000-0x0000000002830000-memory.dmp

Filesize
3.8MB

Download
memory/1712-124-0x00000000022B0000-0x000000000245A000-memory.dmp

Filesize
1.7MB

Download
memory/1844-140-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-136-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-137-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-138-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-135-0x00000000021B0000-0x000000000235A000-memory.dmp

Filesize
1.7MB

Download
memory/1844-141-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-142-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-144-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-145-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-146-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-147-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1844-148-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download