laplas | dccb7a134aae7970fc13ab3db3737b62b733ba33627945a1d5cdf61870ff4842

General

Target

setup.exe
Size

1.9MB
MD5

c744e2d74b828c767877c52e125087af
SHA1

444809a0b355b365fadc03e50ac577b1b1fa50eb
SHA256

dccb7a134aae7970fc13ab3db3737b62b733ba33627945a1d5cdf61870ff4842
SHA512

084e0f42ecb98a1915db1128a704a1650b07e7acffc4852cadc9684dfd643619e1668ab7ef83321483a2eaeadcd83e58379cd4db3e11a4085d74ee42bb095fff
SSDEEP

49152:xKcn0Cjj3zONh6qrCf2TXEUPsNq3WVAThDWZaXQZh8:ocdDZqCIbPzWVyhDWZaXQZh

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
988	ntlhost.exe

Loads dropped DLL 5 IoCs

pid	Process
1668	setup.exe
1668	setup.exe
988	ntlhost.exe
988	ntlhost.exe
988	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 988	1668	setup.exe	28
PID 1668 wrote to memory of 988	1668	setup.exe	28
PID 1668 wrote to memory of 988	1668	setup.exe	28
PID 1668 wrote to memory of 988	1668	setup.exe	28
PID 1668 wrote to memory of 988	1668	setup.exe	28
PID 1668 wrote to memory of 988	1668	setup.exe	28
PID 1668 wrote to memory of 988	1668	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:988

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
255.1MB

MD5
6a3e1d2dc50415f781dc1c61902a5f9e

SHA1
4f0a5ca756a8c1a6fd7cea73dbdd5097fe8f5e3f

SHA256
356bb4b19fc293fd7b50342d381606c5f931052e5ee8b46fd061a3fe1932bad3

SHA512
2fef5cdc0ebd3c706dd48ad25dfb08d20c66c3faf3be97a807f8115091763e83efabd24f0aaa66a798f9aaf0a94f6df8e0a49b150d7980a9ed9b7e1c8b1292ca

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
262.9MB

MD5
6b5203b38509be477e499a48408b5ecc

SHA1
7a509fb3d73df6c51d2cb70384df7c4154008acf

SHA256
736c679408a8a145580fce277efa7d6ad9cd259509ddb1c796b5a1134833aca0

SHA512
2a10f8100c994c9af64b429bf9f608ff51ad051fe83e2f619c79dc57460c1fb874be4778975301fa114d00cc3ecd3fc81c24393e86c234565c6c23839b803c8d

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
248.1MB

MD5
26a1412dafc5327cf26d1e2ea2633746

SHA1
b07cdc0afd96da30d314bb624eb46355ac1626e8

SHA256
7130368a2dba1759fa6ec0fa55b3382be5b61fbb3c5d93c4bb829a66eff7c2aa

SHA512
8f7b9b2835fea56817b780e1e5d64b4122045e6cc08fe5d0b296226f7c7c81819f0bf050086c12212ad57dbf7e9f000962c2661ec377acce654bf0271d0ab1bc

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
139.3MB

MD5
9ad9a59f8e5ca94d3972d28fc298feff

SHA1
0703457bb4c9b9df1480f708a4bf6d3c1e946561

SHA256
fafb59e5fb12cb751c268576f1e18fd25dd10e2c439d98978e36b9708733e6ff

SHA512
a1fed810c20a7e596773fb5d7be0aa19a735c3683d9bf29e472712906b5320c7e1fa2a5d99fcfe6029306a2b9aca1957432987328a7a8cc5490d4189542c47d4

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
264.3MB

MD5
e30a7a9bd78ddab45b8e3eac12f3baad

SHA1
dcf0a6812d6df3dced0b899bf786b11889b4ec01

SHA256
c348579b32c3e9068996143977e93e8d14402abf5712d448fd9328fab5ee9988

SHA512
7402bb1d6156fdfd6c39941bccb1db71efb9c5085e151e287b27eb335274bf6a6705552b5bab2c3a5c35c8a5d5b697e9c9e3a1604a9d457bf801371fd81cdd60

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
263.6MB

MD5
d198878b771069dfcae6afcd5da0d809

SHA1
9dc6cbd0596700986ba2d207c4face167f291922

SHA256
ff28c30b94a54171d53f38a69c45915295e0a317e2ba45535353be62cf0dbbf1

SHA512
27c58af255f1f89f9230956d20704b725fa79baa71cad11f0305a80c2a204a97826af10383b080d2f32673789bfaac14f2e62746ca7c64996e6cfd1b4f9d7d06

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
264.4MB

MD5
cce0798f53fb079ec884be16fec2064b

SHA1
0bb06b359f6640236e1dd74dd4a938929cc37e4c

SHA256
3bed61fb744e7cba68d40605d4213f25160aaa6331e3dc00410239a9fe2daa26

SHA512
e41ccf8fa0103301c38e3031296a54661d25073132887c629600c4d4aaaace8010ba21991647b753a93b131b28a6ed4c9152b12490d110d8b9ca589b036c0409

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
248.8MB

MD5
a28a1ab3a1c021a04b672b9483aa1e18

SHA1
8e10236deb02a8b7da80905f3dc24a3964d3f9b0

SHA256
f5a6ca836afe72f382afd566abd24758a030659ed7b6c232e18dcf2fae26cfbe

SHA512
0d61c2f5e6032263b8594b649c2c25de900c23c8bb01a1dc9a87a8883b65d2fa666c14b56a147664932fefbdadf4f4f820abc29057bbe9f9e19c2b3c0291ff3b

Download Submit
memory/988-80-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-76-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-84-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-69-0x0000000002330000-0x00000000024DA000-memory.dmp

Filesize
1.7MB

Download
memory/988-70-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-72-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-75-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-83-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-77-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-78-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-82-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/988-81-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1668-54-0x0000000002500000-0x00000000026AA000-memory.dmp

Filesize
1.7MB

Download
memory/1668-65-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1668-55-0x00000000026B0000-0x0000000002A80000-memory.dmp

Filesize
3.8MB

Download

Resubmissions

Analysis

Sharing