laplas | 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c

Analysis

max time kernel
138s
max time network
130s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02-08-2023 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4cexe_JC.exe
Size

4.0MB
MD5

3258deefff3ca70f3dfa3e67067ca611
SHA1

a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256

11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512

541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8
SSDEEP

98304:kIk6g0kDf8CFjiD+THrrTfmqWAfheTYC521KuM96+/xnVA:3K0skC1k+THrrTf/c5ekwgVA

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://206.189.229.43

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2124	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2228	11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4cexe_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4cexe_JC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2228	11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4cexe_JC.exe
2124	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2124	2228	11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4cexe_JC.exe	28
PID 2228 wrote to memory of 2124	2228	11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4cexe_JC.exe	28
PID 2228 wrote to memory of 2124	2228	11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4cexe_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4cexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4cexe_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
714.0MB

MD5
bbab1237f890f837c324bb690f767ed3

SHA1
6b7074e0e58678b269b957c54ef16ac66f826e3b

SHA256
f42488cecbf98d5a1e634e93c8c59cb161ac908cfb966118c947091a0dc03593

SHA512
70a90c0a4d4709ca7dac1ffd4d73a3836f598bdaeb0450510507a901d5079c3dac737f5b01113180072b9ed153e0faed5050d16fea279d20f4dad3d65246cfdf

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
714.0MB

MD5
bbab1237f890f837c324bb690f767ed3

SHA1
6b7074e0e58678b269b957c54ef16ac66f826e3b

SHA256
f42488cecbf98d5a1e634e93c8c59cb161ac908cfb966118c947091a0dc03593

SHA512
70a90c0a4d4709ca7dac1ffd4d73a3836f598bdaeb0450510507a901d5079c3dac737f5b01113180072b9ed153e0faed5050d16fea279d20f4dad3d65246cfdf

Download Submit
memory/2124-92-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-91-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/2124-105-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-81-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-103-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-102-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-101-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-99-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-98-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-97-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-96-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-94-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-93-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-85-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-90-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-89-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-80-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-88-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-76-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-87-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-78-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/2124-79-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-82-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-104-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-86-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-83-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2124-84-0x0000000000230000-0x0000000000B73000-memory.dmp

Filesize
9.3MB

Download
memory/2228-68-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/2228-75-0x0000000028780000-0x00000000290C3000-memory.dmp

Filesize
9.3MB

Download
memory/2228-55-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/2228-77-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/2228-73-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-74-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-56-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-54-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-57-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-67-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-66-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-65-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-64-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-63-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-62-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-61-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-60-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-59-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download
memory/2228-58-0x0000000001120000-0x0000000001A63000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads