laplas | 379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9

General

Target

77.exe
Size

1.9MB
MD5

b109489b8bb8ca8d3c5381dd2969ddaf
SHA1

d9579ddc7520d109cb04eb79e47effafb842134a
SHA256

379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9
SHA512

f967b83e22831b814f8ac92c5438af1c47b34321feda3b779ab65e70d8e8192ece86e4482d870b6fb37734fa689f10652ff57ab71388988f71a15290772557ac
SSDEEP

49152:fcntI+Q5GuoQZyk0FXjlCt7JDjWPmMCr0fjYmzEm8SOD:0nT3TFAttXZMCr5muD

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
3076	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	77.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8B3EF617-C4A6-49C4-88A1-56380F083F16}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FC33E519-BB34-4BBC-A397-A61D1C4170ED}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{BF34FF22-6FB1-49DA-A9F4-BE6BA7D9CF21}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{85BF6DEB-DAC2-492F-AA6A-FD2EB89A781E}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2914ADBB-5B9E-4BF7-9FCB-AEF205C5DC74}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{72287944-086E-425B-890B-66B6FF3762B9}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4D818662-78F4-4F7F-A16F-EE7B85E8AE84}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3B98C64F-6FB3-4A56-BABC-1B34B0D32EE7}.catalogItem	svchost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	23	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3076	4992	77.exe	86
PID 4992 wrote to memory of 3076	4992	77.exe	86
PID 4992 wrote to memory of 3076	4992	77.exe	86

C:\Users\Admin\AppData\Local\Temp\77.exe
"C:\Users\Admin\AppData\Local\Temp\77.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:3076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
817.9MB

MD5
8937cabe984f538ae0834215445c5247

SHA1
d637fc15d9b960885133102179f84db55c5b0cb7

SHA256
059f38fc7c1d5f387d2b6b38f3bdd28a4bef449c0c66f0f8e17a0d351c5af307

SHA512
aa8487ab530b321d20a3cc0084e6cd6d50a0f2b451667f51f739cd3c4eb92195d50b08438dd2f82647c02dc1c1f0c43e5f5583820794d7896467d0f979dbf825

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
817.9MB

MD5
8937cabe984f538ae0834215445c5247

SHA1
d637fc15d9b960885133102179f84db55c5b0cb7

SHA256
059f38fc7c1d5f387d2b6b38f3bdd28a4bef449c0c66f0f8e17a0d351c5af307

SHA512
aa8487ab530b321d20a3cc0084e6cd6d50a0f2b451667f51f739cd3c4eb92195d50b08438dd2f82647c02dc1c1f0c43e5f5583820794d7896467d0f979dbf825

Download Submit
memory/3076-157-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-154-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-164-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-142-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-143-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-144-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-146-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-147-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-153-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-163-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-162-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-158-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-159-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/3076-161-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/4992-134-0x0000000003B80000-0x0000000003F50000-memory.dmp

Filesize
3.8MB

Download
memory/4992-136-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/4992-140-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads