laplas | 8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554

General

Target

01622099.exe
Size

3.4MB
MD5

50859caa45e9d02823ae55b69fd7b645
SHA1

aec25ed88cd00fd12a18ca2714d68e33c7fd57c3
SHA256

8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554
SHA512

78df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767
SSDEEP

98304:nImo45lwBzz4/B00uUYiGjHMnhNRUQrqXjWJd:nFnG/4/cz4n7RbryS

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	01622099.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	01622099.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	01622099.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
632	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1552	01622099.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	01622099.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	01622099.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1552	01622099.exe
632	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 632	1552	01622099.exe	27
PID 1552 wrote to memory of 632	1552	01622099.exe	27
PID 1552 wrote to memory of 632	1552	01622099.exe	27

C:\Users\Admin\AppData\Local\Temp\01622099.exe
"C:\Users\Admin\AppData\Local\Temp\01622099.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
808.4MB

MD5
bff6ec4daa785e42caf6d07bd741463e

SHA1
490eed1930c7b17948ed0e2c073aea96fb5cd538

SHA256
29aa0de98b2e90ee61be78f0696222e0bca913d4f46a5f24821d39d818c04d67

SHA512
058377cc6f558c285609567030b45e64b35773d38f65a241d92754c0b90017f9bcc358ef4f12292c7d8ac44c1ec34b187a79758d71d4af1acec11e40711dd89a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
808.4MB

MD5
bff6ec4daa785e42caf6d07bd741463e

SHA1
490eed1930c7b17948ed0e2c073aea96fb5cd538

SHA256
29aa0de98b2e90ee61be78f0696222e0bca913d4f46a5f24821d39d818c04d67

SHA512
058377cc6f558c285609567030b45e64b35773d38f65a241d92754c0b90017f9bcc358ef4f12292c7d8ac44c1ec34b187a79758d71d4af1acec11e40711dd89a

Download Submit
memory/632-72-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-69-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-73-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-88-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-87-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-86-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-85-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-84-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-83-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-67-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-68-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-81-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-70-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-71-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-89-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-82-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-74-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-75-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-76-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-77-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/632-78-0x0000000000BB0000-0x00000000013A8000-memory.dmp

Filesize
8.0MB

Download
memory/1552-66-0x00000000009F0000-0x00000000011E8000-memory.dmp

Filesize
8.0MB

Download
memory/1552-58-0x00000000009F0000-0x00000000011E8000-memory.dmp

Filesize
8.0MB

Download
memory/1552-59-0x00000000009F0000-0x00000000011E8000-memory.dmp

Filesize
8.0MB

Download
memory/1552-55-0x00000000009F0000-0x00000000011E8000-memory.dmp

Filesize
8.0MB

Download
memory/1552-56-0x00000000009F0000-0x00000000011E8000-memory.dmp

Filesize
8.0MB

Download
memory/1552-60-0x00000000009F0000-0x00000000011E8000-memory.dmp

Filesize
8.0MB

Download
memory/1552-61-0x00000000009F0000-0x00000000011E8000-memory.dmp

Filesize
8.0MB

Download
memory/1552-57-0x00000000009F0000-0x00000000011E8000-memory.dmp

Filesize
8.0MB

Download
memory/1552-54-0x00000000009F0000-0x00000000011E8000-memory.dmp

Filesize
8.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads