laplas | 7d9fc01649122d115d93c141b327e3b22b20f6290998670d0c068633dfcf3b4a

General

Target

vsawx.exe
Size

3.5MB
MD5

57860572c76d9e9706d5a0303f732e06
SHA1

1c961cf589208a2fafa89776ef7867cd90a943ef
SHA256

7d9fc01649122d115d93c141b327e3b22b20f6290998670d0c068633dfcf3b4a
SHA512

f71c312cc2717bebfa0116df315745aa90c2f15baa9065abc59049146391bb8f920466f8a5964b6e70a47963121f050b488412f4e8af3086eb6e04312f73cca0
SSDEEP

49152:DpB2N5pbYWxQBzIwuTwsP5nTz9KfnSUIN6d/oLRIO9MS1MXYr0fL3h:GDbdOIwHETpKfnSp+Q9IfXi4Lx

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

C2

http://85.192.40.252

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vsawx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vsawx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vsawx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
916	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1992	vsawx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	vsawx.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vsawx.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1992	vsawx.exe
916	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 916	1992	vsawx.exe	28
PID 1992 wrote to memory of 916	1992	vsawx.exe	28
PID 1992 wrote to memory of 916	1992	vsawx.exe	28

C:\Users\Admin\AppData\Local\Temp\vsawx.exe
"C:\Users\Admin\AppData\Local\Temp\vsawx.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
757.5MB

MD5
161b3516d632805d4e8fc06a99e2ffe2

SHA1
fd6300917b13a6244aa212916b2e6d2fb58a2066

SHA256
3028a072d88120fd30e2c2e291f26bd66fc9e8ab7d44f27b3210f2c43199ca4a

SHA512
622a88c9e9142e57b77e6012db044390b163107464e716f6fe49cf65d19691200942d696dd67203a0397651efb8be4e41ca92eca4dd351d43c395efab05a8eb7

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
757.5MB

MD5
161b3516d632805d4e8fc06a99e2ffe2

SHA1
fd6300917b13a6244aa212916b2e6d2fb58a2066

SHA256
3028a072d88120fd30e2c2e291f26bd66fc9e8ab7d44f27b3210f2c43199ca4a

SHA512
622a88c9e9142e57b77e6012db044390b163107464e716f6fe49cf65d19691200942d696dd67203a0397651efb8be4e41ca92eca4dd351d43c395efab05a8eb7

Download Submit
memory/916-83-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-70-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-74-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-73-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-89-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-88-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-87-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-86-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-67-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-68-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-69-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-84-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-71-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-72-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-90-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-85-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-75-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-76-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-77-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-78-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-79-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/916-82-0x0000000000EF0000-0x000000000171B000-memory.dmp

Filesize
8.2MB

Download
memory/1992-58-0x0000000000D90000-0x00000000015BB000-memory.dmp

Filesize
8.2MB

Download
memory/1992-54-0x0000000000D90000-0x00000000015BB000-memory.dmp

Filesize
8.2MB

Download
memory/1992-57-0x0000000000D90000-0x00000000015BB000-memory.dmp

Filesize
8.2MB

Download
memory/1992-55-0x0000000000D90000-0x00000000015BB000-memory.dmp

Filesize
8.2MB

Download
memory/1992-66-0x0000000000D90000-0x00000000015BB000-memory.dmp

Filesize
8.2MB

Download
memory/1992-56-0x0000000000D90000-0x00000000015BB000-memory.dmp

Filesize
8.2MB

Download
memory/1992-61-0x0000000000D90000-0x00000000015BB000-memory.dmp

Filesize
8.2MB

Download
memory/1992-60-0x0000000000D90000-0x00000000015BB000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads