laplas | d398d687d76426465501c32c830c6c3298d471bab4223bc6f9ac7d4b30ae558b

General

Target

soft.exe
Size

4.2MB
MD5

da89628d89735a5320da0513608b2fd4
SHA1

44b8b35ff51a2e1c7a67c03b243ca467b21b3bb4
SHA256

d398d687d76426465501c32c830c6c3298d471bab4223bc6f9ac7d4b30ae558b
SHA512

9dbe9849c77262227a5a75348a164e6246a8d52a2e65907ef9681687d119a59b40dfd6f8f5b8fcf0f77509a11a7fb8f54b6990814c1958a5e28607e6c896540a
SSDEEP

98304:JQCHegVO9xselnvc9DzG7xxBFKyfmtKNP0R2h7b2:JjHhIxjvc9cxrKHtyc4b2

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.33

Attributes

api_key
d1a05de376c0be1daa56dfb2715c8a0c5df8a111b8b31decc886df1e48db7c9c

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

1812 ntlhost.exe
Loads dropped DLL 1 IoCs

Processes:

soft.exe

pid process

2312 soft.exe

pid	process
1812	ntlhost.exe

pid	process
2312	soft.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

soft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	soft.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

soft.exentlhost.exe

pid process

2312 soft.exe
1812 ntlhost.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 2 Go-http-client/1.1

pid	process
2312	soft.exe
1812	ntlhost.exe

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

soft.exe

description	pid	process	target process
PID 2312 wrote to memory of 1812	2312	soft.exe	ntlhost.exe
PID 2312 wrote to memory of 1812	2312	soft.exe	ntlhost.exe
PID 2312 wrote to memory of 1812	2312	soft.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\soft.exe
"C:\Users\Admin\AppData\Local\Temp\soft.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
791.2MB

MD5
13147cce55e392288aa0b48916075fcc

SHA1
40c8c339e57931e986c455a1eb6a99f74181d799

SHA256
557a3f6c5eedd1a16cba39f0d6713bce1c4881459ebb930132f767cf1e23a272

SHA512
a0c351d8be2b3eae7eabb8e0d3bfe9c9cedd4f696a14b4594cbe6ef386adf02cd8833e8bef9d2d7b02a0b2816c6bdc4aa7dd9f5de15aa20586874b6f8dbd2cde

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
791.2MB

MD5
13147cce55e392288aa0b48916075fcc

SHA1
40c8c339e57931e986c455a1eb6a99f74181d799

SHA256
557a3f6c5eedd1a16cba39f0d6713bce1c4881459ebb930132f767cf1e23a272

SHA512
a0c351d8be2b3eae7eabb8e0d3bfe9c9cedd4f696a14b4594cbe6ef386adf02cd8833e8bef9d2d7b02a0b2816c6bdc4aa7dd9f5de15aa20586874b6f8dbd2cde

Download Submit
memory/1812-103-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-104-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-119-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-118-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-87-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-86-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-116-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-115-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-114-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-113-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-112-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-111-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-110-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-109-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-108-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-107-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-106-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-77-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-105-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-102-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-78-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/1812-79-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-80-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-81-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-82-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-83-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-84-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-85-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-117-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-101-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-88-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-89-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-90-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-91-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/1812-92-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-93-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-94-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-95-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-96-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-97-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/1812-100-0x0000000000A80000-0x00000000013A6000-memory.dmp

Filesize
9.1MB

Download
memory/2312-61-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-56-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-60-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-57-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-74-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-76-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/2312-68-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/2312-58-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-54-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-55-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/2312-66-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-67-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-65-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-64-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-63-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-62-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-70-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-59-0x0000000000860000-0x0000000001186000-memory.dmp

Filesize
9.1MB

Download
memory/2312-75-0x0000000028700000-0x0000000029026000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads