laplas | 7de1d4823ee481df27c4ad35cbfee9f68616b05b3e12fa671a67f1f032988fc1

General

Target

01683299.exe
Size

4.1MB
MD5

4742e0688ce362617543f397bf5ed237
SHA1

4ccf29df9bae0f0ab761cc52f2186ec11a172352
SHA256

7de1d4823ee481df27c4ad35cbfee9f68616b05b3e12fa671a67f1f032988fc1
SHA512

f22451e29ea7dd0c35fb7e5149a4ca3c4be25d4fd648643bcc9b77240568e11219309cac443533c76e2b50ea0b5a8118cb6a12df07b3af9ad190ded8ab8db3cb
SSDEEP

98304:vNOGFwVfxGnThmA1txolQK+fBKV7mYbdC:vAGY8nThmlP+fYV7mYRC

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

C2

http://185.209.161.89

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	01683299.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	01683299.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	01683299.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
944	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1240	01683299.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	01683299.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	01683299.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1240	01683299.exe
944	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 944	1240	01683299.exe	27
PID 1240 wrote to memory of 944	1240	01683299.exe	27
PID 1240 wrote to memory of 944	1240	01683299.exe	27

C:\Users\Admin\AppData\Local\Temp\01683299.exe
"C:\Users\Admin\AppData\Local\Temp\01683299.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
846.1MB

MD5
5cce3927857768ca78569cec897e0bc3

SHA1
6626cbd5832f7c3c98d0494b20d82914043e8fa5

SHA256
9c2a2f3d1d7049e60ce62664babd816c12feb55b3c8e67b67ed4c0441321be29

SHA512
23b126a2f27b890ca37bee4ffe6739fbe4edc930cabee2b28ee88f40f80239be3b57bb3f03b73767b62b9ea634125da8e553eb21e18cd6200240ee42aa4d10cf

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
846.1MB

MD5
5cce3927857768ca78569cec897e0bc3

SHA1
6626cbd5832f7c3c98d0494b20d82914043e8fa5

SHA256
9c2a2f3d1d7049e60ce62664babd816c12feb55b3c8e67b67ed4c0441321be29

SHA512
23b126a2f27b890ca37bee4ffe6739fbe4edc930cabee2b28ee88f40f80239be3b57bb3f03b73767b62b9ea634125da8e553eb21e18cd6200240ee42aa4d10cf

Download Submit
memory/944-73-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-83-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-74-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-90-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-89-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-88-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-87-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-86-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-85-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-68-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-69-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-70-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-71-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-72-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-84-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-91-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-75-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-76-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-77-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-78-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-79-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/944-82-0x0000000000E00000-0x0000000001815000-memory.dmp

Filesize
10.1MB

Download
memory/1240-58-0x0000000001170000-0x0000000001B85000-memory.dmp

Filesize
10.1MB

Download
memory/1240-59-0x0000000001170000-0x0000000001B85000-memory.dmp

Filesize
10.1MB

Download
memory/1240-67-0x0000000001170000-0x0000000001B85000-memory.dmp

Filesize
10.1MB

Download
memory/1240-55-0x0000000001170000-0x0000000001B85000-memory.dmp

Filesize
10.1MB

Download
memory/1240-56-0x0000000001170000-0x0000000001B85000-memory.dmp

Filesize
10.1MB

Download
memory/1240-62-0x0000000001170000-0x0000000001B85000-memory.dmp

Filesize
10.1MB

Download
memory/1240-61-0x0000000001170000-0x0000000001B85000-memory.dmp

Filesize
10.1MB

Download
memory/1240-60-0x0000000001170000-0x0000000001B85000-memory.dmp

Filesize
10.1MB

Download
memory/1240-54-0x0000000001170000-0x0000000001B85000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads