laplas | e08ffdbd935971d2ad62d3ecdb736d34302a230485de662a7f6fab81f39df48b

General

Target

file.exe
Size

1.3MB
MD5

ceb62b6ac343ec808a818267e0ef4f6b
SHA1

d936107b1ebd5afe7c61db40c651c583b8b58487
SHA256

e08ffdbd935971d2ad62d3ecdb736d34302a230485de662a7f6fab81f39df48b
SHA512

88b4ed35a22a2dd19d3ee81f8dddfca9e2a871475ce965a5d0038612266d68fe2e50d9d53a89eba9d37f309c614eb218dfb25e75a20ac56ac54e753eca1c6a47
SSDEEP

24576:pYEtXdWl96ju5KGkcIGFI+kMixFDEHq55LOw:/Lg4sKG/IGFQXxZf55Lj

Score

10^/10

laplas stealc clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

stealc

C2

http://5.75.155.1/d522566a552de05d.php

Extracted

Family

laplas

C2

http://51.195.166.203

Attributes

api_key
b6fe9b83a8d3b268f74c16f34b6930cd2d2a47117a90beb53ffd773d00945a9e

Signatures

Detects Stealc stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/4344-217-0x0000000029350000-0x0000000029578000-memory.dmp	family_stealc

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	JECGIIIDAK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	file.exe

Executes dropped EXE 2 IoCs

pid	Process
1944	JECGIIIDAK.exe
2824	svcservice.exe

Loads dropped DLL 2 IoCs

pid	Process
4344	file.exe
4344	file.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	JECGIIIDAK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4344	file.exe
4344	file.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 1252	4344	file.exe	88
PID 4344 wrote to memory of 1252	4344	file.exe	88
PID 4344 wrote to memory of 1252	4344	file.exe	88
PID 1252 wrote to memory of 1944	1252	cmd.exe	90
PID 1252 wrote to memory of 1944	1252	cmd.exe	90
PID 1252 wrote to memory of 1944	1252	cmd.exe	90
PID 1944 wrote to memory of 2824	1944	JECGIIIDAK.exe	94
PID 1944 wrote to memory of 2824	1944	JECGIIIDAK.exe	94
PID 1944 wrote to memory of 2824	1944	JECGIIIDAK.exe	94

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe
    "C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      4⤵
      Executes dropped EXE
      PID:2824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe

Filesize
3.3MB

MD5
f00d6cb32f2c13da8b8f920c8ea33af7

SHA1
3c98141b93f6f44eceb0abef293bfd288f8d8db5

SHA256
bc04fd14960109a4ba9c93cc85f8772d7aa242700f44fd7c1e984fc3980807d1

SHA512
391b3a6b008dd26a56e2778578b8633e488876dbc048158eb6c2289fffde5554fba2a08fe67488083ddc6744d1135048c5a420b85c9f3cb8142dcb1ac9d0de3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe

Filesize
3.3MB

MD5
f00d6cb32f2c13da8b8f920c8ea33af7

SHA1
3c98141b93f6f44eceb0abef293bfd288f8d8db5

SHA256
bc04fd14960109a4ba9c93cc85f8772d7aa242700f44fd7c1e984fc3980807d1

SHA512
391b3a6b008dd26a56e2778578b8633e488876dbc048158eb6c2289fffde5554fba2a08fe67488083ddc6744d1135048c5a420b85c9f3cb8142dcb1ac9d0de3b

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
584.1MB

MD5
46b64ab23b46d4252cefd18985b30de0

SHA1
c80544897a8c42b17a95c8077c6857e4fe59b1f7

SHA256
8c7f09168b6ea2f4a51162f068cd4fd7a33414be5920d40c5a1f979dad6e16d1

SHA512
ddb35380957f7edbbd45b176caf55108b7cce136f9ce29c4e8644b82d0e92f4641d33a152dd5a1ad60251ab60ba1c9f50f939542fa62d4dd29d3ca83206ab18b

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
517.6MB

MD5
243a2d0bf25d8c137d3e5e380bf44b12

SHA1
9204fa8ddd33b478768d5d9df6dd36c13b85d518

SHA256
c65074369112218a471b6902a5f5760e0f9fce41d71fefb3f76ca6147c7311c0

SHA512
6874f664365ba10b719c0235b7d1633ad7143d96d083f13662497968de2ac5c89f35c3563c2425a08ff505079575b8ee2fad72417d65726fde12be664c71545d

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
630.6MB

MD5
7cb600834701cb9173cc83cf33336f19

SHA1
7846143f72c6316bd16ed61b18e90ea58e5bd2f3

SHA256
edfeb95421a2ed3c1c92ad64f8bdc8b5914ded2a7a2fd4fdeac7164c3b2e22fb

SHA512
4da92c66916cfa6d9caad06d29f86f4186c0532bdd6129c0e0261047f011f9958612e7bb795d504155e94173431d0e05270d7d8192228e071827927fa4810945

Download Submit
memory/1944-242-0x0000000029560000-0x00000000295A0000-memory.dmp

Filesize
256KB

Download
memory/1944-240-0x00000000295A0000-0x00000000295FA000-memory.dmp

Filesize
360KB

Download
memory/1944-221-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/1944-224-0x0000000029560000-0x00000000295A0000-memory.dmp

Filesize
256KB

Download
memory/1944-225-0x0000000029560000-0x00000000295A0000-memory.dmp

Filesize
256KB

Download
memory/1944-226-0x0000000029560000-0x00000000295A0000-memory.dmp

Filesize
256KB

Download
memory/1944-238-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2824-252-0x0000000029560000-0x00000000295A0000-memory.dmp

Filesize
256KB

Download
memory/2824-250-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2824-246-0x0000000029560000-0x00000000295A0000-memory.dmp

Filesize
256KB

Download
memory/2824-247-0x0000000029560000-0x00000000295A0000-memory.dmp

Filesize
256KB

Download
memory/2824-243-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4344-137-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4344-135-0x0000000029350000-0x0000000029578000-memory.dmp

Filesize
2.2MB

Download
memory/4344-134-0x0000000029350000-0x0000000029578000-memory.dmp

Filesize
2.2MB

Download
memory/4344-136-0x0000000029350000-0x0000000029578000-memory.dmp

Filesize
2.2MB

Download
memory/4344-214-0x0000000029580000-0x00000000299B3000-memory.dmp

Filesize
4.2MB

Download
memory/4344-213-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/4344-215-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/4344-217-0x0000000029350000-0x0000000029578000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads