laplas | 5502d7c1c81714b998f594e523274a828d919f69dc08bffde5fe118918a8f43b

Analysis

max time kernel
141s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

406a0e14b6569ebc5f1086801e043fe1.exe
Size

1.8MB
MD5

406a0e14b6569ebc5f1086801e043fe1
SHA1

b15c199f31dcddcd37f10f143b62f2ff998324c6
SHA256

5502d7c1c81714b998f594e523274a828d919f69dc08bffde5fe118918a8f43b
SHA512

f367e8c6a84192925cad8d7de697435220835de2068bf66fa6e29f59680ea4f74dc42b92a6ba16e27bd71194a4104c0a3e06ecd5a2e484473e8ec9669b1ae65a
SSDEEP

49152:VJGty7g6F2SKtEjjbgitUonmkXhDbl0nXj5:VJzpF2SKtEjfBUChTm5

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

2460 ntlhost.exe

pid	process
2460	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

406a0e14b6569ebc5f1086801e043fe1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	406a0e14b6569ebc5f1086801e043fe1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

406a0e14b6569ebc5f1086801e043fe1.exe

description	pid	process	target process
PID 2132 wrote to memory of 2460	2132	406a0e14b6569ebc5f1086801e043fe1.exe	ntlhost.exe
PID 2132 wrote to memory of 2460	2132	406a0e14b6569ebc5f1086801e043fe1.exe	ntlhost.exe
PID 2132 wrote to memory of 2460	2132	406a0e14b6569ebc5f1086801e043fe1.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\406a0e14b6569ebc5f1086801e043fe1.exe
"C:\Users\Admin\AppData\Local\Temp\406a0e14b6569ebc5f1086801e043fe1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
711.4MB

MD5
826b446de76356c1e62329870e4f5d3e

SHA1
74a8b89c6cbbc7268c77f36c9f5799d86805466f

SHA256
8fc63a0faac0fb681ee2e513cf3d8c62384648e47d99316d80513ae6515efdaa

SHA512
10a5eff545023887203174160fe4ccfe9368fdd0d0e6ecc19a79723a39a094b09e2787a441e3d20748ea89afd1adcec3e7a1132071a522624c91eed71b04fad4

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
705.5MB

MD5
4f150575584246449e72b019f0bbbc25

SHA1
e311c6a6aa850429e1f1940558285cb3d64b7820

SHA256
2f562f62cdd71fd76e1d23dc65b3f85e79173841ae2cdb6f2457bb22790960dc

SHA512
6dccdc94e1e7282abe2fc63451a4138733bb79c2b10cbead6d91854fd6d76bf85bf56b208a2f48887208254ec3b1f095f82eddf90ef4bd44fa589ef7ba88aca6

Download Submit
memory/2132-134-0x0000000002850000-0x0000000002C20000-memory.dmp

Filesize
3.8MB

Download
memory/2132-136-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2132-139-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2460-144-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2460-142-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2460-146-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2460-147-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2460-148-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2460-149-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2460-152-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2460-153-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/2460-154-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download