laplas | d90c43d06b684c83b0831aae86c5ca523c692e4db1e67eb0dce5ebd927bf576b

General

Target

F1LES-S0ft.rar
Size

23.6MB
Sample

230619-mxfrssdd26
MD5

2c2f238f70bd38ac0ff0bd013c4e5a40
SHA1

c2edd71ecbee8a669a39037ebdcbdb154e63f720
SHA256

d90c43d06b684c83b0831aae86c5ca523c692e4db1e67eb0dce5ebd927bf576b
SHA512

063b6cb26a194b507cabf7a87053f6fe2bdb284fa23e3c00cf19dd792099459ab4aa40bf8559ad11e9a059e724a4619808163e3d6e83cd19c0fbb455f608a384
SSDEEP

393216:Z1QWpjCDzlbRBsQq/+FwPzit5Xrkkjov4wEy/hOHPJqzhczZWLWiA1yy2U5U99BW:5pWDpbRBsQq/L+sAwE8ORqiwLrA1yLUh

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

4.3

Botnet

7b7fdb9f9b9361515285b7dadea32e20

C2

https://steamcommunity.com/profiles/76561199514261168

https://t.me/kamaprimo

Attributes

profile_id_v2
7b7fdb9f9b9361515285b7dadea32e20
user_agent
Mozilla/5.0 (Linux; U; Tizen 2.0; en-us) AppleWebKit/537.1 (KHTML, like Gecko) Mobile TizenBrowser/2.0

Extracted

Family

laplas

C2

http://185.209.161.89

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Targets

- Target
  
  Set-up32Х64bit.exe
- Size
  
  679.4MB
- MD5
  
  966ec75230924b2b513a0863e9e7beaa
- SHA1
  
  0e6e3a39a15a0d2070ac950319f385827d05f4de
- SHA256
  
  695f49289cd6e738df053992689d2852ab0b409ed33381955b85c11cf7e1db6d
- SHA512
  
  6bb2152db314eefebaffb0069382c454602ded0771d1ef0985ea06e0348d565d123beb40da434ae63eb84debfcf420c45da150bc0a9fa7d3701772b4c83bca95
- SSDEEP
  
  12582912:3eQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQyQy:3ennnnnnnnnnnnnnnnnnnnnnnnnnnnnr
Score

10^/10

laplas vidar xmrig 7b7fdb9f9b9361515285b7dadea32e20 clipper discovery evasion miner persistence spyware stealer trojan
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  hppdgenio.sys
- Size
  
  39KB
- MD5
  
  b45c736a5f1653e81eb278df962e6890
- SHA1
  
  770abe29778947799074c2e71580cfb76d6c9b2a
- SHA256
  
  15e5ded4f51777960913296c8ae49aa7d1d0df7e123dc3eb6bac281e7334d88a
- SHA512
  
  e59d1b0cd3a88758595cf715275830558501a2fd98f5a90eb33b7ee683a670d163202edd252d6f0b71660d059c4ea20cc995d4d6de67bec902bd8537114a6f54
- SSDEEP
  
  768:WmcItzJ2999/CABg31+4XwB+MLzX6niDZVCLlbGZmDPgF:nqY7ELCZG4DPgF
Score

1^/10
behavioral3 behavioral4