laplas | 9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

General

Target

9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe
Size

1.8MB
MD5

0a935300ad790ad8d03666b1f14e73a4
SHA1

57bf66e15b0cbf325ce66d4c9d5592088a1a8e00
SHA256

9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12
SHA512

64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096
SSDEEP

49152:HRS3ddTQVvnRdoXwG1a/MrkK9daCBCimRL6E84TB:xSk4XwG1lr0PR8iB

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
3512	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3512	3192	9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe	66
PID 3192 wrote to memory of 3512	3192	9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe	66
PID 3192 wrote to memory of 3512	3192	9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe	66

C:\Users\Admin\AppData\Local\Temp\9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe
"C:\Users\Admin\AppData\Local\Temp\9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
757.8MB

MD5
b2233f1b326c09e0cb9ab1207e09ae55

SHA1
323ff8a47713b425b8a41ab0b34e0f8a5890dc4c

SHA256
a8f462ebc70f30ee079cef44ac297c9e06dc1e5a534c3385da77cc020dafdcf1

SHA512
0136cfea54c4023ca9a58fb1a8e32a0d8b8fd519a8e13bdd8ecdc999c94e5cfd11814a999ec2203f21b831eb990dda1d1ed5e2cad46b36d95e96cc2e8807a9a6

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
757.8MB

MD5
b2233f1b326c09e0cb9ab1207e09ae55

SHA1
323ff8a47713b425b8a41ab0b34e0f8a5890dc4c

SHA256
a8f462ebc70f30ee079cef44ac297c9e06dc1e5a534c3385da77cc020dafdcf1

SHA512
0136cfea54c4023ca9a58fb1a8e32a0d8b8fd519a8e13bdd8ecdc999c94e5cfd11814a999ec2203f21b831eb990dda1d1ed5e2cad46b36d95e96cc2e8807a9a6

Download Submit
memory/3192-119-0x00000000028F0000-0x0000000002CC0000-memory.dmp

Filesize
3.8MB

Download
memory/3192-121-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3192-124-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-139-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-143-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-129-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-130-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-131-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-132-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-134-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-135-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-136-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-137-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-138-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-127-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-140-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-141-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-142-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-128-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-144-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-145-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-146-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-147-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-148-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-149-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-150-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-151-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-152-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-153-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-154-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-155-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3512-156-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing