laplas | 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

Analysis

max time kernel
31s
max time network
140s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
22-06-2023 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.0MB
MD5

d076c4b5f5c42b44d583c534f78adbe7
SHA1

c35478e67d490145520be73277cd72cd4e837090
SHA256

2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
SHA512

b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638
SSDEEP

49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://185.209.161.189

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1324	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	tmp.exe
2036	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	tmp.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1324	2036	tmp.exe	28
PID 2036 wrote to memory of 1324	2036	tmp.exe	28
PID 2036 wrote to memory of 1324	2036	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
669.6MB

MD5
5a34a1cb3fd1ca6807989bd172e9b782

SHA1
4c5d6e0554db1b5c71951db9de76aef071b2cb66

SHA256
dde44831d1ff7ff5febef9309b38b1374ee6b6e9336b44c79c7d9438a3cf49aa

SHA512
8ef1efc2a8f21f4e4385a2d07c33901f878531b268cfc2591ebaf9e8fc453424feccd2b9ceff212b87e860bdec9d9a6f0b08ae437b84904dfe1fe0a39ad0d2c2

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
679.4MB

MD5
198aa8d4e76064b893c27c3f439f4db7

SHA1
304624ad8eeee2e069f89bd6ec3d2c5c11299988

SHA256
b9f1dcbcda10fb0cb805297800eb6c1025b69e5d2175e06084e181e0f72276ec

SHA512
f0bdabfe76c56dba71783ebf19eb2939792228807392264426097f38700a6fb0a5f87c71ab6669de62866191e87ee849acda389729124b8ace6587bba8a6a084

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
627.9MB

MD5
5be43fef6cc5be08189fcf5cf08f16df

SHA1
27acc33fe2c6e65dfd51eb76444b12187af582e3

SHA256
2a1e4653347da82bed159c01bdbb16d49baa05938aa7ca43abc0bee310f7f96f

SHA512
89b30e288df9825566924671615c047b99184a2506bc00e04aaf6bf82ee54ef542d3467bdbe64ae31615eadc4b94b9f1f7ef094161abe8a5e216b6c64278fad3

Download Submit