laplas | 3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269

General

Target

3405a14bdc05e4bca019b1b36.exe
Size

4.1MB
MD5

71f04aa7d5c3232c7c2b9afad6777b53
SHA1

617487d25e1b3c27112c918e54deb744c57e9fa9
SHA256

3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269
SHA512

1068c6162f07e6123c827e3f731047a7caee91dca6a1977a6236f49c6a162cadf6d7e6c0e29baa7a61c70d378ac9356029ce4330a2eab169aa15c03b2b731ffe
SSDEEP

98304:CmICyUcKzmy4XlAD2R3e22RMHRPnZNCVb25cfFKG88ZvvRqgx:Cm/nzslADie22mHdZNh5078Cvv

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3405a14bdc05e4bca019b1b36.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3405a14bdc05e4bca019b1b36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3405a14bdc05e4bca019b1b36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2120	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2232	3405a14bdc05e4bca019b1b36.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	3405a14bdc05e4bca019b1b36.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3405a14bdc05e4bca019b1b36.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2232	3405a14bdc05e4bca019b1b36.exe
2120	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2120	2232	3405a14bdc05e4bca019b1b36.exe	28
PID 2232 wrote to memory of 2120	2232	3405a14bdc05e4bca019b1b36.exe	28
PID 2232 wrote to memory of 2120	2232	3405a14bdc05e4bca019b1b36.exe	28

C:\Users\Admin\AppData\Local\Temp\3405a14bdc05e4bca019b1b36.exe
"C:\Users\Admin\AppData\Local\Temp\3405a14bdc05e4bca019b1b36.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
814.2MB

MD5
2824a3dc15d4acbd842d1f6eaec74dcb

SHA1
c32b9189ad85dcfdaca464666f3fcea6f8b79d0e

SHA256
da5ab80474df5ec76e3d603c6940261fd28cdbe564cbfd435ae0882600f45ad1

SHA512
bd752130427d12d69f79c209b469cf5f4613478acdf5325fccb4c7cf43dfbfb54d55416176ffb3fa23e443e38544ce7395ac68867040075fabea8fb10aed0eb3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
802.0MB

MD5
df8c3276dbf405567cbcd4b482fc3514

SHA1
a2a0c6ec33ebdcd21de88d0ecbd8fcd2bf24144d

SHA256
16e5d95c06fdd0c1c36891ee50ff0766f630cbd124b2703e322cea5b729206a9

SHA512
6e51bc46540eb5594af78a955f1fbe26fc4a4f5960f1a750fda413afb03805780e77da689a52d7db7df861c87285bb08cdd6e5fe25c4d3e0a226672f8a43cee5

Download Submit
memory/2120-71-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-78-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-89-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-88-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-87-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-86-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-85-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-84-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-67-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-68-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-69-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-70-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-83-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-72-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-82-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-75-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-73-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-76-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-77-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-74-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2120-81-0x0000000000160000-0x0000000000A7A000-memory.dmp

Filesize
9.1MB

Download
memory/2232-58-0x0000000000E50000-0x000000000176A000-memory.dmp

Filesize
9.1MB

Download
memory/2232-54-0x0000000000E50000-0x000000000176A000-memory.dmp

Filesize
9.1MB

Download
memory/2232-66-0x0000000000E50000-0x000000000176A000-memory.dmp

Filesize
9.1MB

Download
memory/2232-55-0x0000000000E50000-0x000000000176A000-memory.dmp

Filesize
9.1MB

Download
memory/2232-57-0x0000000000E50000-0x000000000176A000-memory.dmp

Filesize
9.1MB

Download
memory/2232-61-0x0000000000E50000-0x000000000176A000-memory.dmp

Filesize
9.1MB

Download
memory/2232-60-0x0000000000E50000-0x000000000176A000-memory.dmp

Filesize
9.1MB

Download
memory/2232-59-0x0000000000E50000-0x000000000176A000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads