laplas | 71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

Analysis

max time kernel
29s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-06-2023 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe
Size

3.8MB
MD5

68be007bd3fa09d26fcee584a9157770
SHA1

6f191c0587c8055f26367f25ce0f7787ca272714
SHA256

71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e
SHA512

f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245
SSDEEP

49152:VeCseICR7NWm8qpHakXvLQh0/50OicF5pDRXxRv0VF14L:VeCrXv0W/tpDRX5L

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1692	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1236	71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe
1236	71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1692	1236	71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe	28
PID 1236 wrote to memory of 1692	1236	71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe	28
PID 1236 wrote to memory of 1692	1236	71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe	28
PID 1236 wrote to memory of 1692	1236	71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe	28

C:\Users\Admin\AppData\Local\Temp\71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe
"C:\Users\Admin\AppData\Local\Temp\71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
648.2MB

MD5
0396b00ae41a6b9f00aaad9a21e51c6c

SHA1
55fff4131a2210b89174f809780999aa90b0adf3

SHA256
14cdb8aa1fa5a2263d148f9b828e4a3eb094816c4962d6c0ef57dc8dea518eaa

SHA512
c40f7d749dc9b1826bda25f72f716406e987cc0376ca4902e5a0ca2de614d27606c1736c1a6974ac4f4b75a1801c5863b0752b557250191b5c446498ba832cf8

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
538.1MB

MD5
a31af7bad9d54430788bd174f888278b

SHA1
e7d8aa7e63ce4e3b6774a00eacbfa1fd35def803

SHA256
e93c8539de6cb4e7d5a3b7dfc538ed439a9872ac355838ddf133756cdb1c730f

SHA512
260f5e5d78d0edb3ba47cc46b602ad5d2303c4af179aa9f10c8e356c2a67d71712d47792f72eed49fadc37c0fd58ece7bb55dd99b00e6cc9c02519035ac2074e

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
430.2MB

MD5
bca40ac9c870291e11d123c7ab7145a4

SHA1
5615ce5c7773547939104b23432a8e118f8383cb

SHA256
416276171152ea7f6c32b68d794975edebb52d9707854afdf1aa31e026ae5d25

SHA512
fa40798c729390ca0a3e55630fe4032938a10381fc876aaa3dd7b262f274a4f0b8ac30154db9c717064f185e389627c9b4d9e198d951c8edd55936da7a3932ee

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
668.8MB

MD5
25c27ecbf73f9b540d4604ff51fe9655

SHA1
c4727035ebd5c7604e4f4db4f4a7ae8b9eb03803

SHA256
b51e6218cec3e622164b0a22ee05cefbec183007fc32fc5c27fef8ee98d3b9c9

SHA512
ec4766e5f74e3a7e98b4cfaa6e90b82ee91c66917e7bf2ac1876ab04366b3a1887dea7da1eb682bcabdab03cb12433a45492b4ac966fbb40ab21a736cb9e0d37

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads