laplas | 8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554

General

Target

tmp.exe
Size

3.4MB
MD5

50859caa45e9d02823ae55b69fd7b645
SHA1

aec25ed88cd00fd12a18ca2714d68e33c7fd57c3
SHA256

8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554
SHA512

78df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767
SSDEEP

98304:nImo45lwBzz4/B00uUYiGjHMnhNRUQrqXjWJd:nFnG/4/cz4n7RbryS

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
668	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1368	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	tmp.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1368	tmp.exe
668	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 668	1368	tmp.exe	27
PID 1368 wrote to memory of 668	1368	tmp.exe	27
PID 1368 wrote to memory of 668	1368	tmp.exe	27

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
718.4MB

MD5
34d11b52352539c8f743eb8f645b00f7

SHA1
d7b66f87c51d1b54ce6f628887a5848fd7f7a4aa

SHA256
d4b0619247c5789081d949a706565cfa461c5b719285572ac7a21263d6a5e9a2

SHA512
b931ba92a06a1287930027f3aeb29de09ea0d7079a72f299dd89f41b3aecd2b87bd2b678eb02f6235256fa6d59506f7bf0fb77bc3fe4cad5b90f4d76ca6954da

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
718.4MB

MD5
34d11b52352539c8f743eb8f645b00f7

SHA1
d7b66f87c51d1b54ce6f628887a5848fd7f7a4aa

SHA256
d4b0619247c5789081d949a706565cfa461c5b719285572ac7a21263d6a5e9a2

SHA512
b931ba92a06a1287930027f3aeb29de09ea0d7079a72f299dd89f41b3aecd2b87bd2b678eb02f6235256fa6d59506f7bf0fb77bc3fe4cad5b90f4d76ca6954da

Download Submit
memory/668-71-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-83-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-73-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-89-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-74-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-88-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-87-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-86-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-68-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-67-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-69-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-75-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-85-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-72-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-84-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-82-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-70-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-76-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-77-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-78-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/668-81-0x0000000000CC0000-0x00000000014B8000-memory.dmp

Filesize
8.0MB

Download
memory/1368-61-0x0000000000FD0000-0x00000000017C8000-memory.dmp

Filesize
8.0MB

Download
memory/1368-58-0x0000000000FD0000-0x00000000017C8000-memory.dmp

Filesize
8.0MB

Download
memory/1368-59-0x0000000000FD0000-0x00000000017C8000-memory.dmp

Filesize
8.0MB

Download
memory/1368-54-0x0000000000FD0000-0x00000000017C8000-memory.dmp

Filesize
8.0MB

Download
memory/1368-66-0x0000000000FD0000-0x00000000017C8000-memory.dmp

Filesize
8.0MB

Download
memory/1368-55-0x0000000000FD0000-0x00000000017C8000-memory.dmp

Filesize
8.0MB

Download
memory/1368-57-0x0000000000FD0000-0x00000000017C8000-memory.dmp

Filesize
8.0MB

Download
memory/1368-60-0x0000000000FD0000-0x00000000017C8000-memory.dmp

Filesize
8.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads