laplas | 5c7cb9a9b08fcef3597ee3c317d52e202895aaa9387727e7c68941740c8938b1

General

Target

setup.exe
Size

1.9MB
MD5

d6303b5e2715697555ca0a3fc515cf9a
SHA1

6f3237546882a9363184b5450cd9806e65be1834
SHA256

5c7cb9a9b08fcef3597ee3c317d52e202895aaa9387727e7c68941740c8938b1
SHA512

675dda1890f44de32b63946f2a9cad5a65b2cc50fe55152756f2abc3238c495faea1dec89e5bbcf181fb1cc6e3c709c1e8bfc5deae3cec8b835f3696252c9e76
SSDEEP

49152:wyLf8FgO/T2/mQgLqaUO5EDkbw1etC8wZkg:jD8Fg//m3Lqa3AktKkg

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

1540 ntlhost.exe
Loads dropped DLL 5 IoCs

Processes:

setup.exentlhost.exe

pid process

1604 setup.exe
1604 setup.exe
1540 ntlhost.exe
1540 ntlhost.exe
1540 ntlhost.exe

pid	process
1540	ntlhost.exe

pid	process
1604	setup.exe
1604	setup.exe
1540	ntlhost.exe
1540	ntlhost.exe
1540	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 1604 wrote to memory of 1540	1604	setup.exe	ntlhost.exe
PID 1604 wrote to memory of 1540	1604	setup.exe	ntlhost.exe
PID 1604 wrote to memory of 1540	1604	setup.exe	ntlhost.exe
PID 1604 wrote to memory of 1540	1604	setup.exe	ntlhost.exe
PID 1604 wrote to memory of 1540	1604	setup.exe	ntlhost.exe
PID 1604 wrote to memory of 1540	1604	setup.exe	ntlhost.exe
PID 1604 wrote to memory of 1540	1604	setup.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
268.8MB

MD5
1c7032aefb356aec024a09aeedfae336

SHA1
091d6da027fdbdd4b9a0acd80c22ea18754d12ce

SHA256
0d85e748dc7848e825b409b98655c332f147db4f0984530f70c8faad437609a3

SHA512
8744e2d11969fdad31bcd00a6777f844dfb0d1515ab6e238b2e3862d73974186ff90853f19348bae3a517962a76af332e9cdeaba3323fffab8ea984336277531

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
265.9MB

MD5
2cb88c764fb56a0bed5590e49c0169e0

SHA1
a35929d0c150b6de73499f865af8237ce8904787

SHA256
b823c9fa2487c80f2e13a26f9366a560cf8aafeaf5237aacd55794712c8cf794

SHA512
c96d44dd38babff7c023822f28a059d8d4f57b78fe99ea88fd23f331c8bbe19484b485d6e84b9a44d5c5fa8384bd9c500beba66414e1037922fc366f76159c90

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
332.2MB

MD5
af09fc80c9652165921a5cec4b360eb2

SHA1
2787f315efe91259189f845283cd9f31ed190b57

SHA256
0c771a0ed19a343b8fa3a269789a1a703a8bcda059bd5f0c217afae2b28a646e

SHA512
bc4a662ed88f0489c2bb839fcf477b88828c53d9f006c3b2d73290fbe63669dc8fe766d2647e1841f2182b2803c3bf2db3b3b89a7ad2b4c7313ce0881aecfab6

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
180.1MB

MD5
484c58b5a65258787a9f01f94af520f7

SHA1
1fc7a235508c9c2417d11c289f4832de74fdc317

SHA256
4dfb04ab14643d869fea8da6f111aaca419322e013c0df615eaec54169f4f30a

SHA512
3646e19f5a328015670890191a6ace8eaf18fb17d624b025248f33f75a7132b6bd396e47debd1b8c9831dec3619b10b2a92296766844054e72a5f2cc5001c1ab

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
311.1MB

MD5
0597bede71746fb588a09ee1bd94421d

SHA1
f18723ae847f2134428566eaf27a4a209e0c7f9b

SHA256
88b4213cfa22bd30820ed127b706c54367d8f1d0c152e7327ddfaa7d56d18bbe

SHA512
fb77a32d6753d3ded03b292029d85a58c29b9a9fe8f1f7c509ec05b73315d6c5f3fd8a021457c222021188faf67fdff2a5f70ae21806493027c83f2567b4a79f

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
305.3MB

MD5
9b0380f9d9d5698ef4a1d302245f73f2

SHA1
e6aa20c0e18f64773bdc4dbce4d7cf91fe353b4d

SHA256
a2118d98cbf6fe89f6334bcfb1186f07887186d8e0b7bec931f1e3f0fe090cc8

SHA512
3155f5597dbab97f05a64aca5228b65e457875d1d615bea28df9b8cee665fb9c857c615faaf7d73e55f138a2dde5789d22c8d19ca846caaffdc206ed1f676536

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
307.1MB

MD5
e97ed76dea6f89c3ddd930092badf01f

SHA1
8cde00525360183640163c63562fe3934d4337e0

SHA256
e4e4a7090c244e9812637128a9455fffe2e6458b7fe92d2b5dbb107517c04195

SHA512
c3bdbb63b58b304c061c4f66c543b120294e51b69e9f765c23ba067c261e0b69b8f06981371da9b540484102718b02b3e4a7d8aac99fe676c40a46fc59fdaee3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
320.9MB

MD5
7ed128d57be358857f2ba009417e4667

SHA1
bb9d1686175fb1150416e1a4b7eb33d0c0a6af74

SHA256
276f28e4257bbb9789b18b5dc5403ad2d7537a393d165132072b1ab2d89abb69

SHA512
136bf48c18238a89f77614e7aa550a7a987c3092b5f84ee370728dbef6a78caca32f8eb720cc39e356c077743948f0f35ba1611cc6c6af05263dce8d5a73e8d9

Download Submit
memory/1540-77-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1540-80-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1540-84-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1540-70-0x0000000002310000-0x00000000024BA000-memory.dmp

Filesize
1.7MB

Download
memory/1540-71-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1540-72-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1540-74-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1540-83-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1540-78-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1540-79-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1540-82-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1604-55-0x0000000002510000-0x00000000028E0000-memory.dmp

Filesize
3.8MB

Download
memory/1604-54-0x0000000002360000-0x000000000250A000-memory.dmp

Filesize
1.7MB

Download
memory/1604-68-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing