laplas | b20d74c759e6d677148c3cf1ddac1056631d69ec738f098d2c8103782d8d82c6

Analysis

max time kernel
130s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-07-2023 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1cd1c30f4761a2bf4c878ef0a723435.exe
Size

4.0MB
MD5

e1cd1c30f4761a2bf4c878ef0a723435
SHA1

8fe5aaf4f0906bbc33c73819fd27eb838cc096e0
SHA256

b20d74c759e6d677148c3cf1ddac1056631d69ec738f098d2c8103782d8d82c6
SHA512

ecf459342f3d6aa775fa471e9b80d457a8a6bdaae18ffe0495fb044c1a665bd6efcfe9fbf27f8e977939797b1caff468e3b5e2a41b433f080e7b63c7fc8d32d8
SSDEEP

98304:jBFr1GYY6ihQXeuhAgNcpdWK07pWUd/nwdAS:1/7kdEQUd/nwuS

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e1cd1c30f4761a2bf4c878ef0a723435.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e1cd1c30f4761a2bf4c878ef0a723435.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e1cd1c30f4761a2bf4c878ef0a723435.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2616	e1cd1c30f4761a2bf4c878ef0a723435.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	e1cd1c30f4761a2bf4c878ef0a723435.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1cd1c30f4761a2bf4c878ef0a723435.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2616	e1cd1c30f4761a2bf4c878ef0a723435.exe
2208	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2208	2616	e1cd1c30f4761a2bf4c878ef0a723435.exe	30
PID 2616 wrote to memory of 2208	2616	e1cd1c30f4761a2bf4c878ef0a723435.exe	30
PID 2616 wrote to memory of 2208	2616	e1cd1c30f4761a2bf4c878ef0a723435.exe	30

C:\Users\Admin\AppData\Local\Temp\e1cd1c30f4761a2bf4c878ef0a723435.exe
"C:\Users\Admin\AppData\Local\Temp\e1cd1c30f4761a2bf4c878ef0a723435.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
741.6MB

MD5
c29c5e789d77ebbd6e1bc2b55e41ae11

SHA1
2e36184190c5dedebacd464db8562d7a70a74a83

SHA256
fd35ddef9c5874dd2273339ec6dd1da4126973ee2f5cb842da42fc6413613483

SHA512
2ff6e570e3a49ed211dd4a5e63e163ac078ea84512d54705dcc27a109d86365de6acb58423ed66c2964184f6b0a8bdb5b66331ec67d00fc99ea048bc94417431

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
727.1MB

MD5
eeddb68b385b2c3f7f2b2fde0e883d34

SHA1
c340f244b990a48efa016787b5007ecdd858e1e4

SHA256
4126a4ee22c691afa17f086804682ed64c885479a46f024e0825a68ced06522b

SHA512
417b0a37bd0baf80128af5ce432a36f6c3b8a660fa00e1c7bdb480143063e0e4fe6ce4dcc94784474b5af080525120b29073d7a0d36865a2ea08a29e87110dfb

Download Submit
memory/2208-89-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-90-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-102-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-79-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-78-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-100-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-99-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-98-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-97-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-94-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-93-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-92-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-91-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-85-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-88-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/2208-80-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-74-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-75-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/2208-76-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-77-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-101-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-87-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-86-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-81-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-82-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-83-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2208-84-0x0000000001070000-0x00000000019CE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-59-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-73-0x0000000028750000-0x00000000290AE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-57-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-72-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/2616-54-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-70-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-71-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-55-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/2616-56-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-65-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-64-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-63-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-62-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-61-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-60-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download
memory/2616-58-0x0000000000280000-0x0000000000BDE000-memory.dmp

Filesize
9.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads