laplas | 379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9

General

Target

b109489b8bb8ca8d3c5381dd2969ddaf.exe
Size

1.9MB
MD5

b109489b8bb8ca8d3c5381dd2969ddaf
SHA1

d9579ddc7520d109cb04eb79e47effafb842134a
SHA256

379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9
SHA512

f967b83e22831b814f8ac92c5438af1c47b34321feda3b779ab65e70d8e8192ece86e4482d870b6fb37734fa689f10652ff57ab71388988f71a15290772557ac
SSDEEP

49152:fcntI+Q5GuoQZyk0FXjlCt7JDjWPmMCr0fjYmzEm8SOD:0nT3TFAttXZMCr5muD

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
568	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1792	b109489b8bb8ca8d3c5381dd2969ddaf.exe
1792	b109489b8bb8ca8d3c5381dd2969ddaf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	b109489b8bb8ca8d3c5381dd2969ddaf.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 568	1792	b109489b8bb8ca8d3c5381dd2969ddaf.exe	28
PID 1792 wrote to memory of 568	1792	b109489b8bb8ca8d3c5381dd2969ddaf.exe	28
PID 1792 wrote to memory of 568	1792	b109489b8bb8ca8d3c5381dd2969ddaf.exe	28
PID 1792 wrote to memory of 568	1792	b109489b8bb8ca8d3c5381dd2969ddaf.exe	28

C:\Users\Admin\AppData\Local\Temp\b109489b8bb8ca8d3c5381dd2969ddaf.exe
"C:\Users\Admin\AppData\Local\Temp\b109489b8bb8ca8d3c5381dd2969ddaf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
496.2MB

MD5
655b43100162edb08921f6a8e542b1e6

SHA1
f2190efbe57f02fc6c522856a8bd0e114fe49be8

SHA256
12f651447c8b9d0f0c90b1789a98896f4b262b58c6a7c9e2579dc4851a2e326a

SHA512
e3396b1773de812c3b119c594beb9fe57d63c3f6d6a3f66342c319b77ab491c4fd2d7f135a73d83e8000be7fe999782811700bdb4a4d182b55266ef029e75ab2

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
477.6MB

MD5
6aaf93dcd0d0bc1e0feabfa87c820d8a

SHA1
fe8a71b56ddbce4ecef3d7e2abf077f8f3db72fa

SHA256
4651c4a86d1cb23e788d89a6c7efee00746444104defc4ef7441b7c1a1d87b4c

SHA512
b7e21e487806c25e54356f53d2870f8235f5f675a4f5a798fd793486099008e43bdca97923973cad2373c3f2efcca3a07fe5f6d565cc37947a478543344fb46f

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
281.4MB

MD5
2bc831f5f572c438ec2d2eb04362cc90

SHA1
492f017e3be65b9b1c772fdc9c7a13d71c7acb71

SHA256
169fafd84315a20d8156e8010545e66e7f0f0528b98e7be0ce9abb9d29c23f8f

SHA512
1cda5aa9f7036303d8016a754095f2e4f553c49c8183e73a5b822599e42e4ced030af6b5e7d7da7a1cff17190740c574a7432ea80f921b9369f3ec2264ecaa90

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
482.8MB

MD5
db694beb461b535de2262333d92dde55

SHA1
6bd72d61b9068796682baadc77a00f3fd08651b6

SHA256
01a85ff4085ce348870a419f2258bcbd1ce4ac88c4a0298945d3599aaa43202e

SHA512
ebfd035b2c5eb46d77b7051278b776a156a6bd67877551d22bb6b6ebb6950245996a2f01adc97f7f7de817ef209cff4a78dbb6a635b795478c78822090a3aa80

Download Submit
memory/568-75-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-69-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-79-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-65-0x0000000003650000-0x00000000037FA000-memory.dmp

Filesize
1.7MB

Download
memory/568-66-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-67-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-68-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-78-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-72-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-73-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-74-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-77-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/568-76-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1792-54-0x0000000003700000-0x00000000038AA000-memory.dmp

Filesize
1.7MB

Download
memory/1792-63-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1792-55-0x00000000038B0000-0x0000000003C80000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads