laplas | dccb7a134aae7970fc13ab3db3737b62b733ba33627945a1d5cdf61870ff4842

Resubmissions

24/03/2023, 20:03

230324-ys4tlsha78 10

23/03/2023, 01:54

230323-cbjw8aeg4v 10

Analysis

max time kernel
140s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/03/2023, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.9MB
MD5

c744e2d74b828c767877c52e125087af
SHA1

444809a0b355b365fadc03e50ac577b1b1fa50eb
SHA256

dccb7a134aae7970fc13ab3db3737b62b733ba33627945a1d5cdf61870ff4842
SHA512

084e0f42ecb98a1915db1128a704a1650b07e7acffc4852cadc9684dfd643619e1668ab7ef83321483a2eaeadcd83e58379cd4db3e11a4085d74ee42bb095fff
SSDEEP

49152:xKcn0Cjj3zONh6qrCf2TXEUPsNq3WVAThDWZaXQZh8:ocdDZqCIbPzWVyhDWZaXQZh

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
304	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1400	setup.exe
1400	setup.exe
304	ntlhost.exe
304	ntlhost.exe
304	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 304	1400	setup.exe	27
PID 1400 wrote to memory of 304	1400	setup.exe	27
PID 1400 wrote to memory of 304	1400	setup.exe	27
PID 1400 wrote to memory of 304	1400	setup.exe	27
PID 1400 wrote to memory of 304	1400	setup.exe	27
PID 1400 wrote to memory of 304	1400	setup.exe	27
PID 1400 wrote to memory of 304	1400	setup.exe	27

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
314.2MB

MD5
db1b3621448d18d9291f25e4790557dc

SHA1
b3a411a3664504ac1503a80d7d8958af94c6441b

SHA256
0e18c9b9165f0a329e515057e01b296c24851079357434c6faf0a76238f5d8b3

SHA512
548828890b9e8cf795e44c0ab8dd43440aa94fc837e3153feac8d94e52becfc26aad051ed7e28dc004640803b006b894ae6727db321afcb4c347799e5c2eea1d

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
302.7MB

MD5
075221955b05988aaf1563bc717b055d

SHA1
9008fad254062ee431bfe0e3995b803db2edd5c3

SHA256
91a8e1af64f375c204894a0ea1946b6dcc034ae9ef2e780dccbb7846184748ac

SHA512
023c9ef66c8a98c41aa299b4c02f929af64995963da36ad1e364104b7b8897bdc3e7ea14f869989160d5ba694bc025f6d85d494ad263463429e183c315982daa

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
319.7MB

MD5
30c741891fc77ed4906c3be5f031b3bf

SHA1
70328bcecdaa18833f71a8423e5dc8cdc383797a

SHA256
f08c24a26db8fa0f002716c3cdc5475b33f9350ac0caf972bab36f0919ba2460

SHA512
985c637cb836d3ac259336c5559eda74fb114b087925ac8c55a588e9976cfb76cf12783bf71d5961cc2c09c7ccda5e5ffe340feb885f301ba6604fc0acc9ca22

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
166.5MB

MD5
590deab98b532131fda6ec56453ddea5

SHA1
8250bfa581ac35e73e36c6bdddef2582895738cc

SHA256
4fb83f8473af53cbc20e3f470d841dfa6fb42dc3abf96a0036916c3a73b8b722

SHA512
dffc9121c987fa87afa440ff7ed16ac392a47079e4abbc1c9522148599e46dc241e01ac2948b9f8ab4e5d234469fe45ae0df6512a3f81bc8fcc63c454c845a1e

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
301.9MB

MD5
3de00f7475ce4c005ed0738c17b49364

SHA1
62b8d60154f78f678d375e1a6ad76cd427a7c594

SHA256
e59dbf241ff4bf1fb7a36e8df62acdcabb2419a286382b3fc9c30d3a23eea0c5

SHA512
ddd0e0a053eb1cde083a68a743126b9b1c416db7adac46f79a54e9b043f2355840662cfac713e52f3be9273c0b594ff5453c99e36c87fc1df6b72cf4a8f178b5

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
303.4MB

MD5
e64b2b33dd0702556d7031ac7b582545

SHA1
89e22ce3c0d7812cb165363c73e6a7ba10ae30ad

SHA256
782d440ee5d5f74f8384c124715e69276823748933425e8f828675b782cd9b63

SHA512
2c85d80e202062a69d8a72f5c656ab01b8f4d0d09e55f0c21350cb0782613bac72a03b4a6dbc47f382167b350247cac8458eddc1f78d4a231b73a807649f79dd

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
316.0MB

MD5
10678a95ee3e389513f7a46c2e45c491

SHA1
940d3b15a139c1d04ab0bb682970e129232c6ddd

SHA256
6c486f8fb598ad768090fd3a3761c9bc837847ed5c5240b0166fda773760968b

SHA512
18939a52132d9cd29b072e20c7ec99d33c28bb1b75eb22f6948c8816c4c0b6371d66a1cd05ebfa7ae4a614720392b83157e869616baa4cc81c29c02ca038e44c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
295.9MB

MD5
879c1ce6a07dacc0e6c5a4e1ff241a46

SHA1
b570b4f4de7ab3b41a11602cd8906e6cbf6cabbb

SHA256
22633e849d6d1ebf5e5a930fb1f09c27d80ed29a27d22fe007694708171e16de

SHA512
93e95ba3105afe1a0e084a3fa69fca4cadce53831a8e55a01a7d71eba21d150e0291e0b17a053a5bb9ee08f42c4fe7c3b07d7591430cc3a79e3427b58e5ae8ad

Download Submit
memory/304-76-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/304-83-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/304-84-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/304-69-0x0000000002480000-0x000000000262A000-memory.dmp

Filesize
1.7MB

Download
memory/304-70-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/304-73-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/304-78-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/304-77-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/304-82-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/304-79-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/304-81-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1400-55-0x0000000002420000-0x00000000027F0000-memory.dmp

Filesize
3.8MB

Download
memory/1400-64-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1400-54-0x0000000002270000-0x000000000241A000-memory.dmp

Filesize
1.7MB

Download