laplas | ef459820a29f16850147c08c143b76a58990c1813edaaf5bfad20aa05e65a4d8

Analysis

max time kernel
118s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2023 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vfdc.exe
Size

726.7MB
MD5

bbd00ec4e0a57e9c3bc8b57c6d22e4ac
SHA1

c0463ce8ef9dcf563e4321ffcdf86ca4ee2a8b97
SHA256

ef459820a29f16850147c08c143b76a58990c1813edaaf5bfad20aa05e65a4d8
SHA512

178017fb9fd541aba2d342829c0f81411d334b826eb0a003a4654734bfb58364b6e130f749454d32b61e2a55a8e552a9986fece6b1db34ed18396c27c84c9419
SSDEEP

196608:iZ+oLduGqM8p7XZoYAc7EMFxDx3AztxcMl6h5K2yEfZ:a+oLduGh8p7XZlFxDUvcMl6h5JyEx

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://212.113.106.172

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	vfdc.exe

Executes dropped EXE 1 IoCs

pid	Process
4412	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	vfdc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4756	vfdc.exe
4756	vfdc.exe
4756	vfdc.exe
4756	vfdc.exe
4412	svcservice.exe
4412	svcservice.exe
4412	svcservice.exe
4412	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 4412	4756	vfdc.exe	90
PID 4756 wrote to memory of 4412	4756	vfdc.exe	90
PID 4756 wrote to memory of 4412	4756	vfdc.exe	90

C:\Users\Admin\AppData\Local\Temp\vfdc.exe
"C:\Users\Admin\AppData\Local\Temp\vfdc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
730.6MB

MD5
c80a8381aa27d86c8943a865824332dd

SHA1
5a90a389a60230562ec469aa09da312c2669e9d1

SHA256
df396e3e2aa3b3d8d2a4ff02c292e05eb732ce7e1748dd810f9de67d0e4e610d

SHA512
14cd7c67d2df3ebf269ca0104c66bd2a24e57c207ce74379e8880d56a524467bab89b70779ed2ee10f8e9d23ca548a4d7067e42e4a419dfc385db592c42c5073

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
705.3MB

MD5
2531db31a2d5f8adf2307fc7cf903b0d

SHA1
8c8e66e23970391b0d505def2a1bf0faa6f0fc97

SHA256
0416618ac95fc8de5a6f7d7bfe0b67ec38735102ab63a7bdfe289f083b77891c

SHA512
18d9f268889bd0ea41ebbe2caf7ab3c108cf75584532edce6de77d19dab3b201972101fefcc8f3114cac721e6a3570575f68cc58c9f64d2039b485f42a044801

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
732.0MB

MD5
cf80be3ae8b89be423633cc71ce2368d

SHA1
3523264f4c349d0745f49e7509aea46daa2e0750

SHA256
c399a339a98a1802291f886727a952aa46fdc6a93fa2f63efbe3df332880cee9

SHA512
61609f9aed0dd5866480fa40ebd8394cf10fa2dc7e969b2e6f7f22f6c0e1665f524b484a93317666ff6f7e3cc2a05613b1570900492881228cb932b0327d0946

Download Submit
memory/4412-155-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/4412-154-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/4412-161-0x0000000001000000-0x0000000001AA1000-memory.dmp

Filesize
10.6MB

Download
memory/4412-160-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download
memory/4412-159-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/4412-158-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/4412-157-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/4412-156-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/4756-140-0x0000000000560000-0x0000000001001000-memory.dmp

Filesize
10.6MB

Download
memory/4756-133-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/4756-134-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/4756-135-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/4756-136-0x00000000016A0000-0x00000000016A1000-memory.dmp

Filesize
4KB

Download
memory/4756-137-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4756-139-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/4756-138-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download