laplas | dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c

General

Target

6b4854e6cad19b61eda6eb5e68dcfd80.exe
Size

1.9MB
MD5

6b4854e6cad19b61eda6eb5e68dcfd80
SHA1

f9d95d56f4a68a997154b2e9bc7a362cc1a1dc36
SHA256

dcd60ec48ce671c27c2dd6abac75f015e64d5eeb1fdefe9a85bb706e99f2071c
SHA512

bd48825e56e677026c6a6f5d6b74b4bd3f42eeacce2e4b9ec47a6e961ecc4ac692aa3e1b640f6f6ab41c4e0b0403bf8e4f098af12ea3f8366650b7e9576263f9
SSDEEP

49152:ockHSWlipdOYnk04IoVMWPxpCP9I8VYiFFTMQheFE06PXqQ:RkHSWlaOYk9IoVhPxpCP9I8JFFZh3a

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1692	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	6b4854e6cad19b61eda6eb5e68dcfd80.exe
1988	6b4854e6cad19b61eda6eb5e68dcfd80.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	6b4854e6cad19b61eda6eb5e68dcfd80.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1692	1988	6b4854e6cad19b61eda6eb5e68dcfd80.exe	28
PID 1988 wrote to memory of 1692	1988	6b4854e6cad19b61eda6eb5e68dcfd80.exe	28
PID 1988 wrote to memory of 1692	1988	6b4854e6cad19b61eda6eb5e68dcfd80.exe	28
PID 1988 wrote to memory of 1692	1988	6b4854e6cad19b61eda6eb5e68dcfd80.exe	28

C:\Users\Admin\AppData\Local\Temp\6b4854e6cad19b61eda6eb5e68dcfd80.exe
"C:\Users\Admin\AppData\Local\Temp\6b4854e6cad19b61eda6eb5e68dcfd80.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
524.1MB

MD5
056a8cda641c324b9925e10bd217d886

SHA1
bfba10c943704805996916e1795019b902035c02

SHA256
1f971a3ceca0b77bccfce02b334b9778079dd09bc26ace167bb1a2a52b495e98

SHA512
ce87e8823b795b5056088f17fe3d3d147484a0f30d6edbf2fa7070fea5cb13e941f4de1f0e55be357eb79289d10fed68de1d6a66275c9ccfea21f34ada096891

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
643.6MB

MD5
bb505df4c47fbb09ddfb963bd7ade7b7

SHA1
9070a8beaedb09f916d4c7ad63d7daa08c93cb0f

SHA256
696ab759b8ca90f1d6d139b2bca3ba5b84e2ca7ad8ea0a3779ca04fd65501c88

SHA512
6fb51a9b7239f4cb938055f2d85f0b1e37a24472fb2cc8983eeee45f3ea26c9998dd9769b96c38857fda44758e3cb6d588b39a08e3c0a44134b560e0459af048

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
432.9MB

MD5
ee4a506c920a97780ee565513f126a54

SHA1
50b21c8886ea406ea03b88dacd0155eadc053df7

SHA256
4e37d112d548ce8e2e475b90ec00c8e1399c742e364d161b117a14fcd19f845f

SHA512
f737815087218eeee0f6945657551681fe880fa4b5b989bec8d5b53d04186c4c9de26d742ffe10b5afb6818784026dd4f68b0352b68b5efcc0f10990280313d7

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
621.8MB

MD5
e10730ed525ca96bcc3d7ad69ed97453

SHA1
3d3669ab6663f0950f1b059f6b563bd2a6e787f3

SHA256
0d5cfd58e676fd386054fa645818c549ff5fdbcdc5939b208fc69d409c6314a4

SHA512
b2dcd4f96630523dbcf263fd7d751f040c061d0581134979f574e3452d013923faee68c14a3897621250f8b742b79781fcb6f5ad973906daa5b039d24e2fda05

Download Submit
memory/1692-66-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-76-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-80-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-65-0x00000000021E0000-0x000000000238A000-memory.dmp

Filesize
1.7MB

Download
memory/1692-79-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-68-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-71-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-72-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-73-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-74-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-78-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1692-77-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1988-64-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1988-54-0x0000000002090000-0x000000000223A000-memory.dmp

Filesize
1.7MB

Download
memory/1988-55-0x0000000002240000-0x0000000002610000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing