laplas | fd36a0fe2ad2825423020ef28995e2ba531180528a1dad14ac3994339efec853

General

Target

golang.exe
Size

681.7MB
MD5

8d5ef85d4a5fda23812f7c2e80d84dd4
SHA1

682705a1d5e86922ab91dd1ffbd6ea4cdd6d8012
SHA256

fd36a0fe2ad2825423020ef28995e2ba531180528a1dad14ac3994339efec853
SHA512

c8fb4bb15218d5370262a95cda853093def4e9601c50faa55d8896a59d12ad0d2df39671288e41e14ecd9ca53600f749a4dab0aea1fa642aeaca882b1512dc04
SSDEEP

49152:Qonm104JVM4OcgDuOzVxpS7fjofPc1Gi0c0coPfvC/5NUS2FB5ZrA8:Pn1V4O7uIQ7UPS053fvI5NyLM8

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0600485e41f77bbd2d4b1326d099ed57b2055cd58748ff2c8b2575fc34950a02

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	golang.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	golang.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	golang.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
1468	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1984	golang.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	golang.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	golang.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1984	golang.exe
1468	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1468	1984	golang.exe	28
PID 1984 wrote to memory of 1468	1984	golang.exe	28
PID 1984 wrote to memory of 1468	1984	golang.exe	28

C:\Users\Admin\AppData\Local\Temp\golang.exe
"C:\Users\Admin\AppData\Local\Temp\golang.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
803.1MB

MD5
91e695ad70f0c72825a1bd69bfc9fd6b

SHA1
b722846d5b2bd9988d12bb7687d1bc2da778663f

SHA256
4bbc62e3622158acce46c1deea6f586693238717d707c51790b3212370ce9c1e

SHA512
b182ff21eb7931687a6177811b5fefcd0ba3aff5ecde6669558691b316f10b7411a2c1f366ca9c24ae90c7e6e69ad396147a2164320d2e84c1f8ce35ed253066

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
839.1MB

MD5
4b8804e4621d8f157c19d34b5a90a855

SHA1
bd4a1d486bd2fdb42043aac6e8c9cb5b4e8e1dbf

SHA256
e6177da178e7ecd580d6d3e070d68fa9e64bbab466bd24ad3a41572da41d779d

SHA512
8509afc9c2e3e384485734191249b7f1223977730ef11aa740a363f9fc70e1ec64df458d00696062f0e4ffba119d7a8d5155ad5b9d6cbaa069be6c140f4e03df

Download Submit
memory/1468-81-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-84-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-73-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-74-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-90-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-89-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-88-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-87-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-75-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-78-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-83-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-70-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-71-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-72-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-82-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-91-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-79-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-77-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1468-76-0x0000000001380000-0x0000000001BCA000-memory.dmp

Filesize
8.3MB

Download
memory/1984-55-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-57-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-80-0x00000000287E0000-0x000000002902A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-54-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-58-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-69-0x00000000287E0000-0x000000002902A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-67-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-56-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-62-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-61-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-60-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download
memory/1984-59-0x0000000000A50000-0x000000000129A000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads