laplas | 77530f67cff4fc2456c0b27abf28d1ab1f4f10fd9be039783adfa25ed1f7f196 | Triage

Analysis

max time kernel
139s
max time network
154s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 06:33 UTC

Sharing

Report Analysis Logs

General

Target

f2e100f576b44fdb37d874db2e48085c.exe
Size

4.4MB
MD5

f2e100f576b44fdb37d874db2e48085c
SHA1

23091a0b5231d69d85866fede573b25577e20414
SHA256

77530f67cff4fc2456c0b27abf28d1ab1f4f10fd9be039783adfa25ed1f7f196
SHA512

14bd861a48f201a195d322e4c00f758996d2be8b6d78a1c927af53a00e029e9be7db4002c48a80f88d2869e9ba412724ec7a47c8da09faf79133df2edc608f85
SSDEEP

98304:fqemq9DObUSOLZ27MJuUfg7Jb/0RCh2fc/xVzVALUx:PzD3SFEuUfcLwCh2Q/RAY

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f2e100f576b44fdb37d874db2e48085c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f2e100f576b44fdb37d874db2e48085c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f2e100f576b44fdb37d874db2e48085c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
3064	f2e100f576b44fdb37d874db2e48085c.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	f2e100f576b44fdb37d874db2e48085c.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f2e100f576b44fdb37d874db2e48085c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3064	f2e100f576b44fdb37d874db2e48085c.exe
2256	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2256	3064	f2e100f576b44fdb37d874db2e48085c.exe	29
PID 3064 wrote to memory of 2256	3064	f2e100f576b44fdb37d874db2e48085c.exe	29
PID 3064 wrote to memory of 2256	3064	f2e100f576b44fdb37d874db2e48085c.exe	29

C:\Users\Admin\AppData\Local\Temp\f2e100f576b44fdb37d874db2e48085c.exe
"C:\Users\Admin\AppData\Local\Temp\f2e100f576b44fdb37d874db2e48085c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2256

Network

DNS

lpls.tuktuk.ug

ntlhost.exe

Remote address:

8.8.8.8:53

Request

lpls.tuktuk.ug

IN A

Response

lpls.tuktuk.ug

IN A

45.66.230.149
GET

http://lpls.tuktuk.ug/bot/regex

ntlhost.exe

Remote address:

45.66.230.149:80

Request

GET /bot/regex HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 10 Jul 2023 06:33:27 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

ntlhost.exe

Remote address:

45.66.230.149:80

Request

GET /bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 10 Jul 2023 06:33:28 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://lpls.tuktuk.ug/bot/regex

ntlhost.exe

Remote address:

45.66.230.149:80

Request

GET /bot/regex HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 10 Jul 2023 06:34:33 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

ntlhost.exe

Remote address:

45.66.230.149:80

Request

GET /bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 10 Jul 2023 06:34:33 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
GET

http://lpls.tuktuk.ug/bot/regex

ntlhost.exe

Remote address:

45.66.230.149:80

Request

GET /bot/regex HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 10 Jul 2023 06:35:39 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
GET

http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

ntlhost.exe

Remote address:

45.66.230.149:80

Request

GET /bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 10 Jul 2023 06:35:39 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive

45.66.230.149:80

http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

http

ntlhost.exe

1.6kB
4.3kB
15
20

HTTP Request

GET http://lpls.tuktuk.ug/bot/regex

HTTP Response

200

HTTP Request

GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

HTTP Response

200

HTTP Request

GET http://lpls.tuktuk.ug/bot/regex

HTTP Response

200

HTTP Request

GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

HTTP Response

200

HTTP Request

GET http://lpls.tuktuk.ug/bot/regex

HTTP Response

200

HTTP Request

GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

HTTP Response

200

8.8.8.8:53

lpls.tuktuk.ug

dns

ntlhost.exe

60 B
76 B
1
1

DNS Request

lpls.tuktuk.ug

DNS Response

45.66.230.149

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
743.4MB

MD5
3fbf49633fa76fe203f55b1cd98fe6ba

SHA1
3f8a742b348cbf8e09e2d12889ac81bcbc09b244

SHA256
3c50b55a724ee55cf876dc7f5feb3db45e568816e6fc4de799817d260b428e25

SHA512
a56b50ab9df26204cf1b78f19725351526bc93ba3b9286c473545c684e44c8341f0290ba4ce23a94f843ed2675a73e107ced8beb48e098698e0e2624ed5dcd48

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
743.4MB

MD5
3fbf49633fa76fe203f55b1cd98fe6ba

SHA1
3f8a742b348cbf8e09e2d12889ac81bcbc09b244

SHA256
3c50b55a724ee55cf876dc7f5feb3db45e568816e6fc4de799817d260b428e25

SHA512
a56b50ab9df26204cf1b78f19725351526bc93ba3b9286c473545c684e44c8341f0290ba4ce23a94f843ed2675a73e107ced8beb48e098698e0e2624ed5dcd48

Download Submit
memory/2256-73-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-79-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-90-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-89-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-88-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-87-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-86-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-85-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-67-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-68-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-69-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-71-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-70-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-72-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-84-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-75-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-81-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-76-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-77-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-78-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-74-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/2256-80-0x0000000000960000-0x00000000012B5000-memory.dmp

Filesize
9.3MB

Download
memory/3064-54-0x0000000000340000-0x0000000000C95000-memory.dmp

Filesize
9.3MB

Download
memory/3064-58-0x0000000000340000-0x0000000000C95000-memory.dmp

Filesize
9.3MB

Download
memory/3064-66-0x0000000000340000-0x0000000000C95000-memory.dmp

Filesize
9.3MB

Download
memory/3064-55-0x0000000000340000-0x0000000000C95000-memory.dmp

Filesize
9.3MB

Download
memory/3064-57-0x0000000000340000-0x0000000000C95000-memory.dmp

Filesize
9.3MB

Download
memory/3064-60-0x0000000000340000-0x0000000000C95000-memory.dmp

Filesize
9.3MB

Download
memory/3064-61-0x0000000000340000-0x0000000000C95000-memory.dmp

Filesize
9.3MB

Download
memory/3064-59-0x0000000000340000-0x0000000000C95000-memory.dmp

Filesize
9.3MB

Download