laplas | 8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0

General

Target

vdcs.exe
Size

726.4MB
MD5

8e550f6a030e464657cad196e93b54ef
SHA1

2ccc4dbb3efe605dd3d68cacbd98ecbb91c42284
SHA256

8a4556d74daa2806d18dc91baacd78214e0aec0403daf9cbfdf75b18894a1eb0
SHA512

e59aae5ac79c667bbdf52dc26108610c6e871da231122c36117c94b103a60bd20ed59b30ae4dae520c777574f76a1e6199fe2606d7cdb888a7f9da20b66d7ba9
SSDEEP

98304:ponC5g4H7xXJqStkoRYXGRdKocRaG/n85B7Gv9n+J4P6F9RuBhSMf5rXEAxbxtq2:pz5z1JNSo2XlzuB7M9nRYuXzf+ABZb

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://85.192.40.252

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	vdcs.exe

Executes dropped EXE 1 IoCs

pid	Process
3620	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	vdcs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3900	vdcs.exe
3900	vdcs.exe
3620	svcservice.exe
3620	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3900	vdcs.exe
3900	vdcs.exe
3900	vdcs.exe
3900	vdcs.exe
3620	svcservice.exe
3620	svcservice.exe
3620	svcservice.exe
3620	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 3620	3900	vdcs.exe	90
PID 3900 wrote to memory of 3620	3900	vdcs.exe	90
PID 3900 wrote to memory of 3620	3900	vdcs.exe	90

C:\Users\Admin\AppData\Local\Temp\vdcs.exe
"C:\Users\Admin\AppData\Local\Temp\vdcs.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
682.3MB

MD5
6eb73cfa6dbb32d7c88ce0f2e868af94

SHA1
8e7642a6216700844ba66b546ef66fa45241fb0a

SHA256
619bc9086588f40d938cdf9b25c7c4d198e544d64bcc613e250b8404bbad3d12

SHA512
7695060fc19e9fda3f11672e0132bb338ee517b53bd3da6db3052be23ec4941787d47240fd70884894e5810b9b44692d05d929856b821ab0486264a26c3cb05a

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
717.0MB

MD5
6cd025edeadcf29fe9018a1b6121945e

SHA1
583b31517b1824df22563fd33ff4b82bd866a732

SHA256
e3f9618ebbe159bcfcb1b7617938e39c5e63cb9d7fd9bd7a814f10773f77ae2d

SHA512
17b8658f248026cade2b0fd8a8e0fdd04f54de9d87b2bb39f147942306aec8dde9092bc015cd9e73141ff139a4d2239da8dab99e483a94ba5e300635fc0ad891

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
645.5MB

MD5
add4d2adc8b093265e8983421b1bff88

SHA1
d57cc84551863e15fde473368d8dbf2c1ed5b434

SHA256
ca912d96d7d4af5df8e1a25a222a71161d138617ceb7a093726626f3eb7881a2

SHA512
ad113e1033675a1c2fe835b1087c34a758865b5e4c903799ed35c0faa5f77dacb931d7083aba0c499b1eb6f2aff945e9ab28f6d8ebe267e3401da8823ed19ab4

Download Submit
memory/3620-158-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3620-160-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3620-163-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/3620-162-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/3620-161-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3620-159-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/3620-157-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/3620-156-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/3620-155-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3900-134-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3900-135-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/3900-136-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/3900-133-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3900-137-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/3900-141-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/3900-140-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/3900-139-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/3900-138-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing