laplas | 2289996f4a35a9b01273ba095e1df0802759f84fc4e3041c3a18591af9372c4f | Triage

Sharing

General

Target

fe2457d4da43adde492576a91398086e.bin
Size

2.7MB
Sample

230323-cgwszach69
MD5

b16f99ba4ab2ca385069272be7dc1713
SHA1

84d0ed143471c294a815304edf740163e67983c2
SHA256

2289996f4a35a9b01273ba095e1df0802759f84fc4e3041c3a18591af9372c4f
SHA512

276b3b6f784488568a37d660c4530d6550a5bdaa7fd8251d75fecd38840e1718ee19b8682545ec6d34b8920c9b83565f9965dc00fbbd9caa8a12cb63a0780044
SSDEEP

49152:zx4axTMWvYzO1MNUCziH5UItbG5o7VpriLks5C/ZaTohcS6jlooSUJA5dRhDQa7o:zaaxLeOONUCzOyM+o7DmLD4U3S0J6RhM

Score

10^/10

laplas redline fm clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

laplas

C2

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

redline

Botnet

FM

C2

91.193.43.63:81

Attributes

auth_value
686ed4f5bce1c0303019c1940beddd78

Targets

- Target
  
  82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe
- Size
  
  8.6MB
- MD5
  
  fe2457d4da43adde492576a91398086e
- SHA1
  
  8c7c1efd47044f1d31cee78ea6c73df1a9296dea
- SHA256
  
  82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
- SHA512
  
  b16fcdf02fe6e9f148d40cc04529840c98065bc2b69e144ff33e82c8285134b3e2c5e832c659132f8a99885e2b02589e2474f4d93b3bcef750ea1f2a64ffaf1a
- SSDEEP
  
  49152:pKnK6YN8UMtKNKogIHvueIxgfSZJxUu3INODRUgeCseICR7NWm8qpHakXvLQh0/o:on1YN8dKNcJxtISeCrXv0W/qpDRX5L
Score

10^/10

laplas redline fm clipper infostealer stealer persistence spyware
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

laplasredlinefmclipperinfostealerstealer

behavioral2

laplasredlinefmclipperinfostealerpersistencespywarestealer