laplas | 8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0

General

Target

8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe
Size

726.4MB
MD5

8e550f6a030e464657cad196e93b54ef
SHA1

2ccc4dbb3efe605dd3d68cacbd98ecbb91c42284
SHA256

8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0
SHA512

e59aae5ac79c667bbdf52dc26108610c6e871da231122c36117c94b103a60bd20ed59b30ae4dae520c777574f76a1e6199fe2606d7cdb888a7f9da20b66d7ba9
SSDEEP

98304:ponC5g4H7xXJqStkoRYXGRdKocRaG/n85B7Gv9n+J4P6F9RuBhSMf5rXEAxbxtq2:pz5z1JNSo2XlzuB7M9nRYuXzf+ABZb

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://85.192.40.252

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4996	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3676	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe
3676	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe
4996	svcservice.exe
4996	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3676	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe
3676	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe
3676	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe
3676	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe
4996	svcservice.exe
4996	svcservice.exe
4996	svcservice.exe
4996	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 4996	3676	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe	66
PID 3676 wrote to memory of 4996	3676	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe	66
PID 3676 wrote to memory of 4996	3676	8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe	66

C:\Users\Admin\AppData\Local\Temp\8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe
"C:\Users\Admin\AppData\Local\Temp\8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PBDMEPO\online[2].txt

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6FGHNCOX\regex[2].txt

Filesize
633B

MD5
c5298d2c78be8fdfc264eb6fe3e275f8

SHA1
f09de5f443da081efaff0155f422ca0375edd164

SHA256
de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

SHA512
5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
1507.4MB

MD5
6beefc87ec7f6792948cb01408487cf2

SHA1
53061239cc7d78927f4994ce8b566ac64007e57f

SHA256
a6097fde7d5d5ccc942b423037e80712ef619311d26e1018d5bb9cd52b50999b

SHA512
08708bf50122032590b858b64f312cc54ac90f5fae1fa97c2d73d09539d9203f5c2033422ea194d9552aad91416e15be65b87cdb1ee53fab4a2e3262701acada

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
1507.4MB

MD5
6beefc87ec7f6792948cb01408487cf2

SHA1
53061239cc7d78927f4994ce8b566ac64007e57f

SHA256
a6097fde7d5d5ccc942b423037e80712ef619311d26e1018d5bb9cd52b50999b

SHA512
08708bf50122032590b858b64f312cc54ac90f5fae1fa97c2d73d09539d9203f5c2033422ea194d9552aad91416e15be65b87cdb1ee53fab4a2e3262701acada

Download Submit
memory/3676-121-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/3676-118-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3676-122-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/3676-123-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/3676-124-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/3676-120-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/3676-119-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3676-116-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3676-117-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4996-134-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/4996-137-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4996-138-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4996-139-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/4996-140-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/4996-136-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4996-135-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing