laplas | 83a7f9488aa65bdf7d74aac8ce9ce3468725a40a26bc2c560758473403f99616

General

Target

a00e64fb477f056d15dcbceb861f8439.bin.exe
Size

1.8MB
MD5

a00e64fb477f056d15dcbceb861f8439
SHA1

cc43e797973ac8dccec3f28c7090942804f5a271
SHA256

83a7f9488aa65bdf7d74aac8ce9ce3468725a40a26bc2c560758473403f99616
SHA512

588f594c915df09aaad467a31648852f5279afef0706243560266dc3adc591d18860f052bb557a3da62c6b425dde68d45162f161da75b30ba6fdfcabc7d0c2fb
SSDEEP

49152:aTDjb1Kvdt+v7Bg98vR7NWvT+V6G/XW/yjhw4:aTPbsFtJ857NWL+8G/8yFh

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
852	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1456	a00e64fb477f056d15dcbceb861f8439.bin.exe
1456	a00e64fb477f056d15dcbceb861f8439.bin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	a00e64fb477f056d15dcbceb861f8439.bin.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 852	1456	a00e64fb477f056d15dcbceb861f8439.bin.exe	28
PID 1456 wrote to memory of 852	1456	a00e64fb477f056d15dcbceb861f8439.bin.exe	28
PID 1456 wrote to memory of 852	1456	a00e64fb477f056d15dcbceb861f8439.bin.exe	28
PID 1456 wrote to memory of 852	1456	a00e64fb477f056d15dcbceb861f8439.bin.exe	28

C:\Users\Admin\AppData\Local\Temp\a00e64fb477f056d15dcbceb861f8439.bin.exe
"C:\Users\Admin\AppData\Local\Temp\a00e64fb477f056d15dcbceb861f8439.bin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
504.3MB

MD5
96cc79fc831df3239a8a5ffb6bbf732f

SHA1
4a7485b3b06254214e1f115483811b08ddbb3c82

SHA256
208e37473b916d649d2cfe8a7c5542cd364ebdbbc2ab5d03b63ac235bbc19174

SHA512
53b3afb6fb5ebd3b5bc8bb356ab4e0589cf8aa070a5adb125dc503182b222b34fe3c4fa447f58e4cc2deaebccabdd396bfe79e58a27d3a3400155bb52ea171f1

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
522.6MB

MD5
826f9c2ad2c0a45f680e37d54eea28db

SHA1
36595476044bd0fdc2d848eb3f4fdba400cf1ce3

SHA256
41ae097bfdbfe423a1aeda5cd772543c00acc19987522f08d3f80197349df1a0

SHA512
79f74d7599623a1566c0efb2b105ea66b2de3bb79f72e2d34b02367198c3d655a7c2c60f6455825ea0ccfed2126cedf9e2f9467c8c1022cafb8acd1d970dfcd5

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
297.4MB

MD5
da7163509767266be50df91a147af019

SHA1
4a53b3bc313ce1bd04d8904ef30bc241f0e7f61a

SHA256
65be798b5d82aa7306f98f7e6839a04dc053025f8c6d91e77b5e55449fbccfb3

SHA512
07e20159fc272070b4baec453c57ec4a171232a02ecb42ab551c5ae6ebbccb83c3889df867711bece8dcd0b2361bfecf7c7635d353f7d26ebd8f353c213a035e

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
526.8MB

MD5
5fe12c267b690cd217be5c0ff1d200dc

SHA1
6da36d1254c4f2741cd15c2b2555b8e8d4e915b0

SHA256
26a66bc918b3956d128d8500d99e84d8040ccced778409249f12be1a408916a5

SHA512
6c80d9a3d8966b35b648830f4065e425b8fc72f16ae6754ebe756c0b6aae8a68a3f7c3610be5c6359803ffe5ff533bff4973d89552a09759388062d5ebd45101

Download Submit
memory/852-68-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-73-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-80-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-65-0x00000000022E0000-0x000000000248A000-memory.dmp

Filesize
1.7MB

Download
memory/852-66-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-67-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-79-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-71-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-72-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-78-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-74-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-75-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-76-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/852-77-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1456-63-0x0000000000400000-0x0000000000810000-memory.dmp

Filesize
4.1MB

Download
memory/1456-54-0x0000000002120000-0x00000000022CA000-memory.dmp

Filesize
1.7MB

Download
memory/1456-55-0x00000000022D0000-0x00000000026A0000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads