laplas | 842bda8d8955a11f5f2396ece8ca9440442b8b4ee9cc146ab5cacd1d209c0493

General

Target

Nouveatexte.bat
Size

3KB
Sample

230611-btff3sgc32
MD5

a8e8d0ac12d7ac9d30184a2fea1c952f
SHA1

4f5ec14b31eceeab8c033925160925fabd68dd53
SHA256

842bda8d8955a11f5f2396ece8ca9440442b8b4ee9cc146ab5cacd1d209c0493
SHA512

b6787f5e5b58eda38da6175a1453901c720fca17a315f3363ea6eb93bb0f4071e3af45e53ef4b4bb4792576fbfb80bde54f1f5f2bf8908ed9e2d50162fb701c6

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

4.2

Botnet

076239fffceeb88ff5fe3c82df6cb13b

C2

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
076239fffceeb88ff5fe3c82df6cb13b
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Extracted

Family

laplas

C2

http://185.209.161.89

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Targets

- Target
  
  Nouveatexte.bat
- Size
  
  3KB
- MD5
  
  a8e8d0ac12d7ac9d30184a2fea1c952f
- SHA1
  
  4f5ec14b31eceeab8c033925160925fabd68dd53
- SHA256
  
  842bda8d8955a11f5f2396ece8ca9440442b8b4ee9cc146ab5cacd1d209c0493
- SHA512
  
  b6787f5e5b58eda38da6175a1453901c720fca17a315f3363ea6eb93bb0f4071e3af45e53ef4b4bb4792576fbfb80bde54f1f5f2bf8908ed9e2d50162fb701c6
Score

10^/10

laplas vidar 076239fffceeb88ff5fe3c82df6cb13b clipper discovery evasion persistence spyware stealer trojan
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Contacts a large (38083) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1