laplas | d0e05d14d752a572c57ccc42b3d79c8ea55c93062c2a3b73bf2e128f77678396

Resubmissions

01-02-2024 21:27

240201-1at8kaggbk 7

01-02-2024 21:16

240201-z4xecaece3 7

01-02-2024 21:11

240201-z1185ageem 7

11-04-2023 18:10

230411-wr28aafg6y 10

Sharing

Copy URL

Twitter E-mail

General

Target

McFree.exe
Size

3.9MB
Sample

230411-wr28aafg6y
MD5

fbb8b46f249d59713c89ce8f4d802a2b
SHA1

5aaaeb71083e189b07bcc30134689e326b42806d
SHA256

d0e05d14d752a572c57ccc42b3d79c8ea55c93062c2a3b73bf2e128f77678396
SHA512

d81b7aa5eea4bb46aaa2aec5cb5b39304ec864cc9be3ebf48bdce80c9b43d24dc61d11b290ae23330292f2babef329d2f892d9cb2f755b55b0619fb5fc293392
SSDEEP

98304:7ws/7iR7W3TBrHJWGs2NyqeoNE/7SRYY8CU:7wY0W3TVHJack+KCU

Score

10^/10

Malware Config

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

- Target
  
  McFree.exe
- Size
  
  3.9MB
- MD5
  
  fbb8b46f249d59713c89ce8f4d802a2b
- SHA1
  
  5aaaeb71083e189b07bcc30134689e326b42806d
- SHA256
  
  d0e05d14d752a572c57ccc42b3d79c8ea55c93062c2a3b73bf2e128f77678396
- SHA512
  
  d81b7aa5eea4bb46aaa2aec5cb5b39304ec864cc9be3ebf48bdce80c9b43d24dc61d11b290ae23330292f2babef329d2f892d9cb2f755b55b0619fb5fc293392
- SSDEEP
  
  98304:7ws/7iR7W3TBrHJWGs2NyqeoNE/7SRYY8CU:7wY0W3TVHJack+KCU
Score

10^/10

laplas vidar clipper discovery persistence spyware stealer upx
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Laplas Clipper

Vidar

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2