laplas | 379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9

General

Target

77exe.exe
Size

1.9MB
MD5

b109489b8bb8ca8d3c5381dd2969ddaf
SHA1

d9579ddc7520d109cb04eb79e47effafb842134a
SHA256

379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9
SHA512

f967b83e22831b814f8ac92c5438af1c47b34321feda3b779ab65e70d8e8192ece86e4482d870b6fb37734fa689f10652ff57ab71388988f71a15290772557ac
SSDEEP

49152:fcntI+Q5GuoQZyk0FXjlCt7JDjWPmMCr0fjYmzEm8SOD:0nT3TFAttXZMCr5muD

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1984	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	77exe.exe
1976	77exe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	77exe.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1984	1976	77exe.exe	28
PID 1976 wrote to memory of 1984	1976	77exe.exe	28
PID 1976 wrote to memory of 1984	1976	77exe.exe	28
PID 1976 wrote to memory of 1984	1976	77exe.exe	28

C:\Users\Admin\AppData\Local\Temp\77exe.exe
"C:\Users\Admin\AppData\Local\Temp\77exe.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
513.7MB

MD5
52bbcf63b9f7682a59cbd342916819b8

SHA1
40684ca55a12d5cfdadf015b806ad4e2f0b90c7a

SHA256
4b39fd780020e5081742ffdda8946c7bbda8865a32a2f5accf2bb6d85ace6a12

SHA512
6eca609c29a10c1b972b971d822cd82f3bb81e1bd51264553b23f1e32cc19bfa3c2798510e095914fc0aa71c3a1126f551957460c22ca407feecc540ed5df8db

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
534.4MB

MD5
e0afb3444e4916cd08acf1a7ed4d56c5

SHA1
cf94891da14ac64c824560ec6a3905d9f90392e7

SHA256
f05f2f740e8c75e224d784e697848c314b3a263559c4d458aa1f5b4661076063

SHA512
b9f124ef6b54ad689508944122327990e8fcabbbb7c77650a4c59ff5bceef9b22eb6811875c8ae67f190e444691fa232c01b91933aac3f4a9e985ad1a0b44a7d

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
343.4MB

MD5
c249fb2ec6802916b399538cbd3fb43e

SHA1
0352a983dbe8787eafbd054d75317f27e847949c

SHA256
a569de78937dce6bc82899f83a00656a5e9e6c068f99fdd38de754591611aa43

SHA512
bde2a179f9182442ade85abe92102a768609e7bed5ac6d2d6adeef0ace60644588c2dd1bb34ef0eee640525f72e38c8705f35dac639b2025b28edd15c8067a37

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
547.2MB

MD5
919ad6e392c94aeb4e53f7e15ac5fc8b

SHA1
5910d161903edd888701b565c36506ac4534d347

SHA256
16b7aaa9c5e5c3e3c454993d11c33d95a02eb7ad3549711b2589a090fdaac63d

SHA512
a5e422631c4a3ab44b633eeed9a594e2c105e878be6476a5d7e7f1d78a83327556bcf2aafa3ac0d61dc9f67930edf8ae8cec9c856a9048df9e3942c0ed3781d1

Download Submit
memory/1976-54-0x0000000003560000-0x000000000370A000-memory.dmp

Filesize
1.7MB

Download
memory/1976-55-0x0000000003710000-0x0000000003AE0000-memory.dmp

Filesize
3.8MB

Download
memory/1976-64-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-68-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-74-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-67-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-65-0x00000000035F0000-0x000000000379A000-memory.dmp

Filesize
1.7MB

Download
memory/1984-70-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-71-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-72-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-66-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-75-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-76-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-77-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-78-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-79-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download
memory/1984-80-0x0000000000400000-0x0000000001CE6000-memory.dmp

Filesize
24.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads