laplas | 2c5c3ba7eba30cc358b40d494fda79d9d2a6df152bdb7eb1aceb36f3fbcf60c3

Analysis

max time kernel
271s
max time network
287s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

denver.exe
Size

3.5MB
MD5

539a444f8dff3d9719e36fd9db31b799
SHA1

9b4a836511afdb230888a1e2c0698c839850d8c0
SHA256

2c5c3ba7eba30cc358b40d494fda79d9d2a6df152bdb7eb1aceb36f3fbcf60c3
SHA512

7c14e97ff23cd34f302658a498e26d694b1d501390536eee51f9e9e2bfc68306b59362d66b7c11d364d2cc7d2e6ed78912b505476e78ae2e928fd859e2c104bd
SSDEEP

98304:GrZtcyQgVa9BjWmic5fcD75vuHgdtZgC:GsRgVa9ltc35WHG7

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	denver.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	denver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	denver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
988	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1376	denver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	denver.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	denver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1376	denver.exe
988	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 988	1376	denver.exe	28
PID 1376 wrote to memory of 988	1376	denver.exe	28
PID 1376 wrote to memory of 988	1376	denver.exe	28

C:\Users\Admin\AppData\Local\Temp\denver.exe
"C:\Users\Admin\AppData\Local\Temp\denver.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
843.5MB

MD5
51fc82f0e012da69930eecdf8fbe2ff2

SHA1
4b0096a7725afb8520e8978a55d130c9f5350f9e

SHA256
c1816e899e97bf5222ea40f6022b0ad686b19e30aa2f7a146fe4255d4be6c6b2

SHA512
5315c1cdfcad56f21f6735764fc1596b77b980f222463232fef84745e793daef4020bedff45d5e610c7b69249c8ffa9d7a254d41d8ca9118e5f1ffd4b39e97cf

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
843.5MB

MD5
51fc82f0e012da69930eecdf8fbe2ff2

SHA1
4b0096a7725afb8520e8978a55d130c9f5350f9e

SHA256
c1816e899e97bf5222ea40f6022b0ad686b19e30aa2f7a146fe4255d4be6c6b2

SHA512
5315c1cdfcad56f21f6735764fc1596b77b980f222463232fef84745e793daef4020bedff45d5e610c7b69249c8ffa9d7a254d41d8ca9118e5f1ffd4b39e97cf

Download Submit
memory/988-81-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-93-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-84-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-103-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-102-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-101-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-100-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-82-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-67-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-68-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-69-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-71-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-99-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-73-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-74-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-75-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-76-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-77-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-78-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-80-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-72-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-98-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-97-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-85-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-86-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-87-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-88-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-89-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-90-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-91-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-92-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-96-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-94-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/988-95-0x0000000000C70000-0x0000000001493000-memory.dmp

Filesize
8.1MB

Download
memory/1376-58-0x0000000000940000-0x0000000001163000-memory.dmp

Filesize
8.1MB

Download
memory/1376-59-0x0000000000940000-0x0000000001163000-memory.dmp

Filesize
8.1MB

Download
memory/1376-66-0x0000000000940000-0x0000000001163000-memory.dmp

Filesize
8.1MB

Download
memory/1376-54-0x0000000000940000-0x0000000001163000-memory.dmp

Filesize
8.1MB

Download
memory/1376-55-0x0000000000940000-0x0000000001163000-memory.dmp

Filesize
8.1MB

Download
memory/1376-56-0x0000000000940000-0x0000000001163000-memory.dmp

Filesize
8.1MB

Download
memory/1376-61-0x0000000000940000-0x0000000001163000-memory.dmp

Filesize
8.1MB

Download
memory/1376-60-0x0000000000940000-0x0000000001163000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads