laplas | 83a7f9488aa65bdf7d74aac8ce9ce3468725a40a26bc2c560758473403f99616

General

Target

a00e64fb477f056d15dcbceb861f8439.exe
Size

1.8MB
MD5

a00e64fb477f056d15dcbceb861f8439
SHA1

cc43e797973ac8dccec3f28c7090942804f5a271
SHA256

83a7f9488aa65bdf7d74aac8ce9ce3468725a40a26bc2c560758473403f99616
SHA512

588f594c915df09aaad467a31648852f5279afef0706243560266dc3adc591d18860f052bb557a3da62c6b425dde68d45162f161da75b30ba6fdfcabc7d0c2fb
SSDEEP

49152:aTDjb1Kvdt+v7Bg98vR7NWvT+V6G/XW/yjhw4:aTPbsFtJ857NWL+8G/8yFh

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1976	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	a00e64fb477f056d15dcbceb861f8439.exe
1736	a00e64fb477f056d15dcbceb861f8439.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	a00e64fb477f056d15dcbceb861f8439.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1976	1736	a00e64fb477f056d15dcbceb861f8439.exe	27
PID 1736 wrote to memory of 1976	1736	a00e64fb477f056d15dcbceb861f8439.exe	27
PID 1736 wrote to memory of 1976	1736	a00e64fb477f056d15dcbceb861f8439.exe	27
PID 1736 wrote to memory of 1976	1736	a00e64fb477f056d15dcbceb861f8439.exe	27

C:\Users\Admin\AppData\Local\Temp\a00e64fb477f056d15dcbceb861f8439.exe
"C:\Users\Admin\AppData\Local\Temp\a00e64fb477f056d15dcbceb861f8439.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
550.7MB

MD5
ab5537d3f7004ede7fd9feda6df3f1cb

SHA1
f046c0468334e2cfd0a8895918076771f802670f

SHA256
9cbae434a61ed5e4a147bcf082d2429ba585c84a943824b5cc9b1796c6b497de

SHA512
99a984a83446f0aa7fe59835a83f6ce135efca54b810dbb58e74494e242851d6a27fe2a50596733a0cb3df7eaae43fd6c10a91b191fbf1110e085692dd34fb4c

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
596.9MB

MD5
0f8e37c1ba4f92a4c32a30b6d8d17564

SHA1
8346a2e7021e7594d59ce6841eb1c8bf5c8130f5

SHA256
9ee6972f24254cdb73b65be89fc660670b07135376481f77d77a34f7f6476780

SHA512
c0dad3ce8380af1103d61c085d33d0bf49563f0ae861735d73174ef1daa5fbd3fe35be27876913d75676b7a79af5b84aa95ed82bf1f779121c6765b3a4ec544c

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
413.2MB

MD5
f524b4d02205dcafa3712d6d58664fd0

SHA1
0e4e4ddd84ea1d636a2c34f159d571ebb5820a35

SHA256
3deedecea201c25aa9593689342212a95f62144c1607e44ad36c2419c2afe48d

SHA512
2dd573facf8cb6a769ba3b59de3d3f830c9477c98c9767ee7c308a056904ab3dd5cb1cde0b52c1c312507f742d6b5013cffeed9696a16ba52a4a1f35a84d0029

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
523.9MB

MD5
776df12b4c490a52ac3da40814b15613

SHA1
029406a9750a31741d05e7ad8e3f4ddcec50d09c

SHA256
65e0341927bc07f8897ad39142447277b9168b582eee96b8149da3968a5042b3

SHA512
4ec56efd04f4051789df7c77844724fbd423f4ed6963462adb5e2cb278f5668dee357576faf7c29ee162d67bd9ef1f9c8e23a1e93dbb884c25aa22c1283872e5

Download Submit
memory/1736-64-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1736-55-0x00000000024D0000-0x00000000028A0000-memory.dmp

Filesize
3.8MB

Download
memory/1736-54-0x0000000002320000-0x00000000024CA000-memory.dmp

Filesize
1.7MB

Download
memory/1976-68-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-74-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-67-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-65-0x0000000001FC0000-0x000000000216A000-memory.dmp

Filesize
1.7MB

Download
memory/1976-69-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-72-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-73-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-66-0x0000000002170000-0x0000000002540000-memory.dmp

Filesize
3.8MB

Download
memory/1976-75-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-76-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-77-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-78-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-79-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-80-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1976-81-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads