laplas | 7532b02e6159a99599dafed8f44f51f9a4e4a10ce4784311ffdd682053e29c12

General

Target

Setup.exe
Size

11.0MB
Sample

230404-sxga8aab3y
MD5

c0c44044d48102ffe57e0adc86b68a7e
SHA1

8d423d0ba235843be9671f08bfc6df032607f6c4
SHA256

7532b02e6159a99599dafed8f44f51f9a4e4a10ce4784311ffdd682053e29c12
SHA512

977a342eb1b5bc8a6d6f65e54bdf42f666cccc3467d04374e7493202c6160cb82df815c68642c0166ae82b69aac46cb94d75efa1e337e9ada727584c3ae9837e
SSDEEP

196608:4+hMmu0Vro/dFqg4cF3VjgY7lEGpDltGgC891SWAo0Gm:41m3OMEljl7lPftGgPuDrt

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

3.3

Botnet

49bd1304650cc9c7f3f131428d9e16c2

C2

https://steamcommunity.com/profiles/76561199492257783

https://t.me/justsometg

Attributes

profile_id_v2
49bd1304650cc9c7f3f131428d9e16c2
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Targets

- Target
  
  Setup.exe
- Size
  
  11.0MB
- MD5
  
  c0c44044d48102ffe57e0adc86b68a7e
- SHA1
  
  8d423d0ba235843be9671f08bfc6df032607f6c4
- SHA256
  
  7532b02e6159a99599dafed8f44f51f9a4e4a10ce4784311ffdd682053e29c12
- SHA512
  
  977a342eb1b5bc8a6d6f65e54bdf42f666cccc3467d04374e7493202c6160cb82df815c68642c0166ae82b69aac46cb94d75efa1e337e9ada727584c3ae9837e
- SSDEEP
  
  196608:4+hMmu0Vro/dFqg4cF3VjgY7lEGpDltGgC891SWAo0Gm:41m3OMEljl7lPftGgPuDrt
Score

10^/10

bootkit evasion persistence trojan laplas vidar xmrig 49bd1304650cc9c7f3f131428d9e16c2 clipper discovery miner spyware stealer
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2