laplas | hxxps://telegra[.]ph/Apex-Legends-05-10 | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

1

https://telegra.ph/A...

windows10-1703-x64

Sharing

General

Target

https://telegra.ph/Apex-Legends-05-10
Sample

230524-bt764aac46

Score

10^/10

laplas vidar 3a8269adbf2982cc1c6703fbf87bdce7 clipper evasion persistence spyware stealer trojan

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://telegra.ph/Apex-Legends-05-10

Resource

win10-20230220-en

laplas vidar 3a8269adbf2982cc1c6703fbf87bdce7 clipper evasion persistence spyware stealer trojan

windows10-1703-x64

27 signatures

600 seconds

Malware Config

Extracted

Family

vidar

Version

4

Botnet

3a8269adbf2982cc1c6703fbf87bdce7

C2

https://steamcommunity.com/profiles/76561199508624021

https://t.me/looking_glassbot

Attributes

profile_id_v2
3a8269adbf2982cc1c6703fbf87bdce7
user_agent
Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

Extracted

Family

laplas

C2

http://185.209.161.89

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Targets

- Target
  
  https://telegra.ph/Apex-Legends-05-10
Score

10^/10

laplas vidar 3a8269adbf2982cc1c6703fbf87bdce7 clipper evasion persistence spyware stealer trojan
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

urlscan1

behavioral1

laplasvidar3a8269adbf2982cc1c6703fbf87bdce7clipperevasionpersistencespywarestealertrojan

© 2018-2025

Terms | Privacy