laplas | d398d687d76426465501c32c830c6c3298d471bab4223bc6f9ac7d4b30ae558b

General

Target

soft.exe
Size

4.2MB
MD5

da89628d89735a5320da0513608b2fd4
SHA1

44b8b35ff51a2e1c7a67c03b243ca467b21b3bb4
SHA256

d398d687d76426465501c32c830c6c3298d471bab4223bc6f9ac7d4b30ae558b
SHA512

9dbe9849c77262227a5a75348a164e6246a8d52a2e65907ef9681687d119a59b40dfd6f8f5b8fcf0f77509a11a7fb8f54b6990814c1958a5e28607e6c896540a
SSDEEP

98304:JQCHegVO9xselnvc9DzG7xxBFKyfmtKNP0R2h7b2:JjHhIxjvc9cxrKHtyc4b2

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.33

Attributes

api_key
d1a05de376c0be1daa56dfb2715c8a0c5df8a111b8b31decc886df1e48db7c9c

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

648 ntlhost.exe

pid	process
648	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

soft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	soft.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{69A0D8CD-CB4A-4A58-B189-9354164D5F96}.catalogItem	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

soft.exentlhost.exe

pid process

4880 soft.exe
648 ntlhost.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 17 Go-http-client/1.1
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

soft.exe

description pid process target process

PID 4880 wrote to memory of 648 4880 soft.exe ntlhost.exe
PID 4880 wrote to memory of 648 4880 soft.exe ntlhost.exe

pid	process
4880	soft.exe
648	ntlhost.exe

description	flow	ioc
HTTP User-Agent header	17	Go-http-client/1.1

description	pid	process	target process
PID 4880 wrote to memory of 648	4880	soft.exe	ntlhost.exe
PID 4880 wrote to memory of 648	4880	soft.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\soft.exe
"C:\Users\Admin\AppData\Local\Temp\soft.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
806.2MB

MD5
c25696ba7f45dbf195ab437b60396bc6

SHA1
f2b1717af9785ca3e31e131cf4708649450f4029

SHA256
24df2e976003eb965529f5df04df30b37df045028f03c5a09a954196aeb6a447

SHA512
94be4b3fe4f9fd2099c45cde14c9bbe5935438d6ae77b9d13a37ff98cae45c9b19fa04a01390f18734e00ea8d539e13f456215ef804165ec829a53fea8cbcc07

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
806.2MB

MD5
c25696ba7f45dbf195ab437b60396bc6

SHA1
f2b1717af9785ca3e31e131cf4708649450f4029

SHA256
24df2e976003eb965529f5df04df30b37df045028f03c5a09a954196aeb6a447

SHA512
94be4b3fe4f9fd2099c45cde14c9bbe5935438d6ae77b9d13a37ff98cae45c9b19fa04a01390f18734e00ea8d539e13f456215ef804165ec829a53fea8cbcc07

Download Submit
memory/648-166-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-183-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-199-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-198-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-167-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-196-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-195-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-194-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-193-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-192-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-191-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-190-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-189-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-188-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-187-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-186-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-185-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-154-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-184-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-156-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp

Filesize
2.0MB

Download
memory/648-157-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-158-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-159-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-161-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-162-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-163-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-164-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-165-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-197-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-182-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-169-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-170-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-171-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-172-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp

Filesize
2.0MB

Download
memory/648-173-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-175-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-176-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-177-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-178-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-179-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-180-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/648-181-0x0000000000600000-0x0000000000F26000-memory.dmp

Filesize
9.1MB

Download
memory/4880-137-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-155-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4880-144-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-146-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-152-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-134-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4880-135-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-136-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-147-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-148-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4880-153-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-143-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-142-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-141-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-140-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-133-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-138-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download
memory/4880-139-0x0000000001000000-0x0000000001926000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads