laplas | 3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269

Analysis

max time kernel
283s
max time network
278s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe
Size

4.1MB
MD5

71f04aa7d5c3232c7c2b9afad6777b53
SHA1

617487d25e1b3c27112c918e54deb744c57e9fa9
SHA256

3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269
SHA512

1068c6162f07e6123c827e3f731047a7caee91dca6a1977a6236f49c6a162cadf6d7e6c0e29baa7a61c70d378ac9356029ce4330a2eab169aa15c03b2b731ffe
SSDEEP

98304:CmICyUcKzmy4XlAD2R3e22RMHRPnZNCVb25cfFKG88ZvvRqgx:Cm/nzslADie22mHdZNh5078Cvv

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2364	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2380	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2380	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe
2364	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2364	2380	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe	28
PID 2380 wrote to memory of 2364	2380	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe	28
PID 2380 wrote to memory of 2364	2380	3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe	28

C:\Users\Admin\AppData\Local\Temp\3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe
"C:\Users\Admin\AppData\Local\Temp\3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
717.1MB

MD5
98485f17867e16b96f4be8cace5a322f

SHA1
8bf893dfe32a373da56e4737d3038e81f7f0ca13

SHA256
a682f7ce6c868cda720fc030c8ff6ef117992870a2c3d40522565b0e055825b1

SHA512
9556b52affd99f27010642bdd51e0d167b2a15e49193b2834ed62bf0f04187e28b8293bcc3e4840baaed983defc75c31d0d0c1486a9927057759aa319830c57a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
717.1MB

MD5
98485f17867e16b96f4be8cace5a322f

SHA1
8bf893dfe32a373da56e4737d3038e81f7f0ca13

SHA256
a682f7ce6c868cda720fc030c8ff6ef117992870a2c3d40522565b0e055825b1

SHA512
9556b52affd99f27010642bdd51e0d167b2a15e49193b2834ed62bf0f04187e28b8293bcc3e4840baaed983defc75c31d0d0c1486a9927057759aa319830c57a

Download Submit
memory/2364-82-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-104-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-105-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-83-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-103-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-102-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-101-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-100-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-99-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-98-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-68-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-69-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-70-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-71-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-72-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-73-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-97-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-75-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-76-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-77-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-78-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-79-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-84-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-96-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-74-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-85-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-86-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-87-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-88-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-89-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-90-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-91-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-92-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-93-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-94-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2364-95-0x0000000000A60000-0x000000000137A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-57-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-55-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-67-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-54-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-56-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-63-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-61-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-60-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-59-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download
memory/2380-58-0x0000000000980000-0x000000000129A000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads