laplas | 5c7cb9a9b08fcef3597ee3c317d52e202895aaa9387727e7c68941740c8938b1

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.9MB
MD5

d6303b5e2715697555ca0a3fc515cf9a
SHA1

6f3237546882a9363184b5450cd9806e65be1834
SHA256

5c7cb9a9b08fcef3597ee3c317d52e202895aaa9387727e7c68941740c8938b1
SHA512

675dda1890f44de32b63946f2a9cad5a65b2cc50fe55152756f2abc3238c495faea1dec89e5bbcf181fb1cc6e3c709c1e8bfc5deae3cec8b835f3696252c9e76
SSDEEP

49152:wyLf8FgO/T2/mQgLqaUO5EDkbw1etC8wZkg:jD8Fg//m3Lqa3AktKkg

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

1900 ntlhost.exe

pid	process
1900	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 1460 wrote to memory of 1900	1460	setup.exe	ntlhost.exe
PID 1460 wrote to memory of 1900	1460	setup.exe	ntlhost.exe
PID 1460 wrote to memory of 1900	1460	setup.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
836.9MB

MD5
61a0dd6add474f53b893786bf5cc2aab

SHA1
b2b3273a12899a3bc15095331e1fb04db49c2e17

SHA256
369d86157e1973b61cbcd6674c7a7bafa0ebe0986050b0dad538be5f13d47435

SHA512
7a3f03f25704ccbc4d1cee8c856def6483e97cd3cb33e35ff72e07a5749d31deb19cb94035ba068d01e2c0db8a96cd48bca31d2f59a1fe3fa0af97483dfb52e1

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
836.9MB

MD5
61a0dd6add474f53b893786bf5cc2aab

SHA1
b2b3273a12899a3bc15095331e1fb04db49c2e17

SHA256
369d86157e1973b61cbcd6674c7a7bafa0ebe0986050b0dad538be5f13d47435

SHA512
7a3f03f25704ccbc4d1cee8c856def6483e97cd3cb33e35ff72e07a5749d31deb19cb94035ba068d01e2c0db8a96cd48bca31d2f59a1fe3fa0af97483dfb52e1

Download Submit
memory/1460-134-0x0000000002570000-0x0000000002940000-memory.dmp

Filesize
3.8MB

Download
memory/1460-139-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-145-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-143-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-141-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-146-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-147-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-148-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-150-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-151-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-152-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-153-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1900-154-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download