laplas | 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

Analysis

max time kernel
28s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-06-2023 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe
Size

4.0MB
MD5

d076c4b5f5c42b44d583c534f78adbe7
SHA1

c35478e67d490145520be73277cd72cd4e837090
SHA256

2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
SHA512

b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638
SSDEEP

49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://185.209.161.189

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1720	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1372	2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe
1372	2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1720	1372	2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe	28
PID 1372 wrote to memory of 1720	1372	2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe	28
PID 1372 wrote to memory of 1720	1372	2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe	28

C:\Users\Admin\AppData\Local\Temp\2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe
"C:\Users\Admin\AppData\Local\Temp\2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
820.0MB

MD5
e5c3d36c43951ea89caf8ea8e717d467

SHA1
f39153014953da5afe9c95e15c26f7910b3f742d

SHA256
68bb13485b8c07bf284ab4f687c6288a13c69f6aa1cfe4808e6df127d6abd441

SHA512
0bc995b93bf0bda8da00ea8ffdf8b2969fa8c31b899309bb98983ccdcde316a37aeb1ccb07b94cce404b005fcca9c13b0c56a9182e0abb4b37185a53806847c3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
710.5MB

MD5
d07e9ed2b66cf2e7c25b75502fd417b7

SHA1
258af702df42ea3bd3a5dba58e988b5ace21d91f

SHA256
dc245340c482b2baac6c9463e0b99d8d44718bfa9a3702d5f74e200483852944

SHA512
b890afce99a633a7ae83cfc8ba4e2ea1ae16cdb3e7698c630f345d7788daf05edfd357616718fb2e4bf49d6cdc5d855543e042d4ebca2ad9023f0c5bc6031834

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
715.3MB

MD5
0ac0c79ac77b305b72e0b5b866440781

SHA1
7c8ce020905919f68fe66963a216c6bfcf352092

SHA256
5f935cd8b98e962cac6f3660904a50fc0291b20c92a1b4dffb78e6f0569b151c

SHA512
9bf9f06967d0e57b8e00afa7059eb03ff6897908d67792de24178ed73eb4d5f6bd9d521518c783b71db71a58f94c341a34cadc6bfd3dbd22bac123a6be30cb66

Download Submit