laplas | 379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9

General

Target

77.exe
Size

1.9MB
MD5

b109489b8bb8ca8d3c5381dd2969ddaf
SHA1

d9579ddc7520d109cb04eb79e47effafb842134a
SHA256

379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9
SHA512

f967b83e22831b814f8ac92c5438af1c47b34321feda3b779ab65e70d8e8192ece86e4482d870b6fb37734fa689f10652ff57ab71388988f71a15290772557ac
SSDEEP

49152:fcntI+Q5GuoQZyk0FXjlCt7JDjWPmMCr0fjYmzEm8SOD:0nT3TFAttXZMCr5muD

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1704	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	77.exe
1724	77.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	77.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1704	1724	77.exe	28
PID 1724 wrote to memory of 1704	1724	77.exe	28
PID 1724 wrote to memory of 1704	1724	77.exe	28
PID 1724 wrote to memory of 1704	1724	77.exe	28

C:\Users\Admin\AppData\Local\Temp\77.exe
"C:\Users\Admin\AppData\Local\Temp\77.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
445.7MB

MD5
b72f4e29be8ade9fc0b8a03d6053b20a

SHA1
a8c040c25ac2ebc7d107079c4130b28e9ba0fed2

SHA256
c6ace807b1c158f20c8477b87166263311f1abeb7cb3e3a1a7e750287f60c7b3

SHA512
28db85fb7c05ff765fc62246f116e819985a68d5ce1f4dc7827bbd7a4737882e55da1f8b2716baf8ee9a642b5f1ea5fc51069e870e749ba0163103524802efa1

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
429.2MB

MD5
17774231c9ef0042f055c2ed6fd925e8

SHA1
c285ac56b30d964c01f2a922aaf38eefbcb57451

SHA256
00b4a6f74eb08e2d4acf2543abc1aec3fac8734d53b9bdd10276eb96fe61d2b9

SHA512
2a87677e75a91f5c50efb78fbd591632a07f7d758f8263aa5baf9c4201a58c64f822f05f160afcaf793ec9533766e600841dcde061445bef47bcd82cd8a1ddfe

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
423.8MB

MD5
57c146df03f46c5e69856325cc01c1b2

SHA1
30b72d227019c512b3c3dcfc26f286477a6659f1

SHA256
5de9afefa89415ccc61154af30bd43a92dee6d63019fba648d66d7a648dd2035

SHA512
1c6c77288ee0023c8862bcd998aa63444bb41f8768fde3f88f327d91414d3eb09eb2a0391b77ff1f9463e2a05308542c26389db9552c1275b3a7ab2501c1b252

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
445.5MB

MD5
d13f0cb81439a0551151be43277dc68a

SHA1
ab117b672dd458d257aa85bf3ceea19565b4d6cc

SHA256
472edd242b216b6687dae536ecab8484fbab7b4f23fae0f782fa4ad8dad835a5

SHA512
94a7156240965aed8aa624bad55c2880ca1759047473c6c5ec1d68f19ab74cec304d5ca2d5461a7b6f80ba0213dc448d3cdd0828aa1dfc701b9132f62b176097

Download Submit
memory/1704-68-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-73-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-80-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-65-0x00000000035B0000-0x000000000375A000-memory.dmp

Filesize
1.7MB

Download
memory/1704-66-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-67-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-79-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-71-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-72-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-78-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-74-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-75-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-76-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1704-77-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1724-55-0x0000000003960000-0x0000000003D30000-memory.dmp

Filesize
3.8MB

Download
memory/1724-54-0x00000000037B0000-0x000000000395A000-memory.dmp

Filesize
1.7MB

Download
memory/1724-64-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads