laplas | e1c98a0ade9b2f076c17c90bf42bafe1814fdbce24eb85cc401a72c1e1cfa601 | Triage

Sharing

General

Target

PC-Set-UP_SOFT.exe
Size

9.7MB
Sample

230329-dba5raee36
MD5

bf7a18436887c2ba24ae483096365f35
SHA1

01ff678f52d94a278ee5e14164eb7b9599675ed6
SHA256

e1c98a0ade9b2f076c17c90bf42bafe1814fdbce24eb85cc401a72c1e1cfa601
SHA512

d498f9bcdaf8389535f7ef16cfb73acc4d12b0f37b1afae49d5d8f731d147d19808d59fe010fe7195479987cd4a13461a5180aacc77364bff5da9e5f01dcc128
SSDEEP

196608:RljSlVLHRCRaAKd6MYhMMy6oqX4w7rDdYuXCM4+e:PGvXZdyK4ny4CM4R

Score

10^/10

laplas raccoon f49765d62e02586d0fe162b5d3a934ad clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

f49765d62e02586d0fe162b5d3a934ad

C2

http://5.75.159.229/

http://212.113.119.153/

http://78.153.130.123/

http://212.113.119.35/

rc4.plain

Extracted

Family

laplas

C2

http://212.113.106.172

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Targets

- Target
  
  PC-Set-UP_SOFT.exe
- Size
  
  9.7MB
- MD5
  
  bf7a18436887c2ba24ae483096365f35
- SHA1
  
  01ff678f52d94a278ee5e14164eb7b9599675ed6
- SHA256
  
  e1c98a0ade9b2f076c17c90bf42bafe1814fdbce24eb85cc401a72c1e1cfa601
- SHA512
  
  d498f9bcdaf8389535f7ef16cfb73acc4d12b0f37b1afae49d5d8f731d147d19808d59fe010fe7195479987cd4a13461a5180aacc77364bff5da9e5f01dcc128
- SSDEEP
  
  196608:RljSlVLHRCRaAKd6MYhMMy6oqX4w7rDdYuXCM4+e:PGvXZdyK4ny4CM4R
Score

10^/10

raccoon f49765d62e02586d0fe162b5d3a934ad discovery spyware stealer laplas clipper persistence
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

raccoonf49765d62e02586d0fe162b5d3a934addiscoveryspywarestealer

behavioral2

laplasraccoonf49765d62e02586d0fe162b5d3a934adclipperdiscoverypersistencespywarestealer