laplas | 2c5c3ba7eba30cc358b40d494fda79d9d2a6df152bdb7eb1aceb36f3fbcf60c3

General

Target

539a444f8dff3d9719e36fd9db31b799.exe
Size

3.5MB
MD5

539a444f8dff3d9719e36fd9db31b799
SHA1

9b4a836511afdb230888a1e2c0698c839850d8c0
SHA256

2c5c3ba7eba30cc358b40d494fda79d9d2a6df152bdb7eb1aceb36f3fbcf60c3
SHA512

7c14e97ff23cd34f302658a498e26d694b1d501390536eee51f9e9e2bfc68306b59362d66b7c11d364d2cc7d2e6ed78912b505476e78ae2e928fd859e2c104bd
SSDEEP

98304:GrZtcyQgVa9BjWmic5fcD75vuHgdtZgC:GsRgVa9ltc35WHG7

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	539a444f8dff3d9719e36fd9db31b799.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	539a444f8dff3d9719e36fd9db31b799.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	539a444f8dff3d9719e36fd9db31b799.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
572	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
836	539a444f8dff3d9719e36fd9db31b799.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	539a444f8dff3d9719e36fd9db31b799.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	539a444f8dff3d9719e36fd9db31b799.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
836	539a444f8dff3d9719e36fd9db31b799.exe
572	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 572	836	539a444f8dff3d9719e36fd9db31b799.exe	27
PID 836 wrote to memory of 572	836	539a444f8dff3d9719e36fd9db31b799.exe	27
PID 836 wrote to memory of 572	836	539a444f8dff3d9719e36fd9db31b799.exe	27

C:\Users\Admin\AppData\Local\Temp\539a444f8dff3d9719e36fd9db31b799.exe
"C:\Users\Admin\AppData\Local\Temp\539a444f8dff3d9719e36fd9db31b799.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
756.5MB

MD5
b6ab4e8d2506ede314434ab132d4e53e

SHA1
808b76127ebb8788c1e53b65ba81c2f56bb65102

SHA256
4148b3841bef5d6e4d77952cd6d8d4212c293351518ca40ffb93ab4002647bf1

SHA512
04bb26a7e1f3070d240d13d4e7dae8c4fa287aae8bb897708b0e018c0d38a843caad5f9fd4faa58ca711c40c859c35f7e14541f20205f42350d27806df2abdb4

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
756.5MB

MD5
b6ab4e8d2506ede314434ab132d4e53e

SHA1
808b76127ebb8788c1e53b65ba81c2f56bb65102

SHA256
4148b3841bef5d6e4d77952cd6d8d4212c293351518ca40ffb93ab4002647bf1

SHA512
04bb26a7e1f3070d240d13d4e7dae8c4fa287aae8bb897708b0e018c0d38a843caad5f9fd4faa58ca711c40c859c35f7e14541f20205f42350d27806df2abdb4

Download Submit
memory/572-71-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-83-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-72-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-89-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-74-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-88-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-87-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-86-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-66-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-67-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-69-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-75-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-85-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-73-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-84-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-80-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-70-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-76-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-77-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-78-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/572-79-0x0000000000800000-0x0000000001023000-memory.dmp

Filesize
8.1MB

Download
memory/836-60-0x0000000000AA0000-0x00000000012C3000-memory.dmp

Filesize
8.1MB

Download
memory/836-57-0x0000000000AA0000-0x00000000012C3000-memory.dmp

Filesize
8.1MB

Download
memory/836-58-0x0000000000AA0000-0x00000000012C3000-memory.dmp

Filesize
8.1MB

Download
memory/836-54-0x0000000000AA0000-0x00000000012C3000-memory.dmp

Filesize
8.1MB

Download
memory/836-55-0x0000000000AA0000-0x00000000012C3000-memory.dmp

Filesize
8.1MB

Download
memory/836-65-0x0000000000AA0000-0x00000000012C3000-memory.dmp

Filesize
8.1MB

Download
memory/836-56-0x0000000000AA0000-0x00000000012C3000-memory.dmp

Filesize
8.1MB

Download
memory/836-59-0x0000000000AA0000-0x00000000012C3000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads