Analysis

  • max time kernel
    123s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2023 16:33

General

  • Target

    tmp.exe

  • Size

    4.0MB

  • MD5

    d076c4b5f5c42b44d583c534f78adbe7

  • SHA1

    c35478e67d490145520be73277cd72cd4e837090

  • SHA256

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

  • SHA512

    b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

  • SSDEEP

    49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe

Malware Config

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    716.7MB

    MD5

    efa8c406f6c9419d312f09e75eaad521

    SHA1

    d1d6505bd03cfb2f86f6c57059efc22720be47e1

    SHA256

    57952bb3e2a811e4cf3145a652d969c963d7aedb6798fbc82660284235302d98

    SHA512

    88d3ff2dfd8238c45c487c39000216161a10d160a4c3d48e4610f6914d80eb942459b8cee096e91eaa3490a7c9a83c0ec7481105d1103183490be1636adccb4a

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    702.4MB

    MD5

    4f7170a45250a6b5ae6f219bb0e06b5e

    SHA1

    b917a5e4aa4bd84f5638b8a949fc75c078480ae0

    SHA256

    5b23c6354d89a57678c0a57ad80a40e79d77d224fcd10d4d2cab013b341d12e7

    SHA512

    f414aebef9b7289a99c43e736392138351aa2f02eb6f28607095fc54ebe7b6435a17e444415952b99494b1558102fb2a5ac4cc8ef3729c8b40e1d486d3d9382a

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    703.2MB

    MD5

    15fe403893c0f5ffe2132e628162faa8

    SHA1

    4b583564be506eb62342a2c0b392f7c40bed7259

    SHA256

    d81961a39ca2375ea52af26017929b476a5cc54efc2e9ba482c472ae4070ddce

    SHA512

    9fb4c8a0e285c6fc7bdc2aaef2fdb88908fef9095b3538f4cff291bb5eac330e457426edaecd5eba78dd1ca0f202fdf0a85d5fb6257bb4db9222cfa8c6188778