laplas | 4fb85146079a6ad27e94e913e2302d6a47f8f5409f55f174aecdd8c99ab372ed

Analysis

max time kernel
175s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3333.exe
Size

4.6MB
MD5

10c4eb50adca0b5e5c38ae0fdfa422fc
SHA1

204fa092bd55f6c999733807115dbc5817fd2fa8
SHA256

4fb85146079a6ad27e94e913e2302d6a47f8f5409f55f174aecdd8c99ab372ed
SHA512

552fd54a83ba2bb2b64d25890aa1336ca397669fd3dbdf8bc64a3edc2bb4e71aa4207b54b09e3ca050acaf2d4cb4b56740b22152abd047e1627874a8ec968636
SSDEEP

49152:a/7FssC0KqUwzp+Z9vAaE5FKY/t764UzLUA/AOiyjrbsnnzvSn9rsPN/+9rjNvnT:K5sr4V+Zp4UzJ/TknzZ69XOY

Score

10^/10

laplas clipper stealer

Malware Config

Extracted

Family

laplas

clipper.guru

Attributes

api_key
b208717c54146010ab89e628591e2a7b11493ef1c593e7b3f15b1c06b1778d59

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
3380	AlLpDBzutF.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1708	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	81	Go-http-client/1.1

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2672	1620	3333.exe	92
PID 1620 wrote to memory of 2672	1620	3333.exe	92
PID 1620 wrote to memory of 2672	1620	3333.exe	92
PID 2672 wrote to memory of 1708	2672	cmd.exe	96
PID 2672 wrote to memory of 1708	2672	cmd.exe	96
PID 2672 wrote to memory of 1708	2672	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\3333.exe
"C:\Users\Admin\AppData\Local\Temp\3333.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /tn xGCKbNsXzq /tr C:\Users\Admin\AppData\Roaming\xGCKbNsXzq\AlLpDBzutF.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn xGCKbNsXzq /tr C:\Users\Admin\AppData\Roaming\xGCKbNsXzq\AlLpDBzutF.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:1708

C:\Users\Admin\AppData\Roaming\xGCKbNsXzq\AlLpDBzutF.exe
C:\Users\Admin\AppData\Roaming\xGCKbNsXzq\AlLpDBzutF.exe
1⤵
- Executes dropped EXE
PID:3380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\xGCKbNsXzq\AlLpDBzutF.exe

Filesize
327.0MB

MD5
15f536ac1592250296938272fec5beec

SHA1
c8d6033d00f1e5f89e722d8dda81a1a09939018a

SHA256
4b9240db66fcf17e6f7c9b4615f10a8ccf682ec0029a921f06e4b43bbe23b55a

SHA512
f1692825079dc4faaa6a465c719f3473affd21ad8b4760a8e0903e98c5e8be7b6b59a79461fdd7543de1ac0bb580b2cdd44e1bf392e87aec4559c045443bf543

Download Submit
C:\Users\Admin\AppData\Roaming\xGCKbNsXzq\AlLpDBzutF.exe

Filesize
323.4MB

MD5
be673861ae09c984f3f96def5d84006a

SHA1
ab62af547d7007b46aa05089a0eb42f77742df70

SHA256
5200d00a46bb9e733822c41e2e3769e65f715d8385d42de43d00b8db67b47601

SHA512
32e084faded145d5a05d03eecb00405eca18e7f731ae65a0cbc284bb27319318e1aa1f3f7a98b1ec2d0449a923e31b22ea18edbb86427656767d2fa633b629db

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads