laplas | 4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64

General

Target

961751858d8b74b2dec9d4f165a0a8c0.exe
Size

1.9MB
MD5

961751858d8b74b2dec9d4f165a0a8c0
SHA1

88ca04fb4d62052614bd9da2b333ab10f5e0bfa7
SHA256

4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64
SHA512

c9625844e4acd328977d0078889497e6d8a81025d6d5da787a4ae0b9ee0fa717ee543cd7e520d26f4480265c56c0ea07ae8cecd8518f72afc59d114c605fbe4c
SSDEEP

49152:7YjDgDQj0z0HG2SYE/LA386lYmBk1U5nuyYPcEaC:7YjsEjJ33JYmSa5owC

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://clipper.guru

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

C2

http://clipper.guru

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

1732 ntlhost.exe
Loads dropped DLL 2 IoCs

Processes:

961751858d8b74b2dec9d4f165a0a8c0.exe

pid process

3016 961751858d8b74b2dec9d4f165a0a8c0.exe
3016 961751858d8b74b2dec9d4f165a0a8c0.exe

pid	process
1732	ntlhost.exe

pid	process
3016	961751858d8b74b2dec9d4f165a0a8c0.exe
3016	961751858d8b74b2dec9d4f165a0a8c0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

961751858d8b74b2dec9d4f165a0a8c0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	961751858d8b74b2dec9d4f165a0a8c0.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 3 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

961751858d8b74b2dec9d4f165a0a8c0.exe

description	pid	process	target process
PID 3016 wrote to memory of 1732	3016	961751858d8b74b2dec9d4f165a0a8c0.exe	ntlhost.exe
PID 3016 wrote to memory of 1732	3016	961751858d8b74b2dec9d4f165a0a8c0.exe	ntlhost.exe
PID 3016 wrote to memory of 1732	3016	961751858d8b74b2dec9d4f165a0a8c0.exe	ntlhost.exe
PID 3016 wrote to memory of 1732	3016	961751858d8b74b2dec9d4f165a0a8c0.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\961751858d8b74b2dec9d4f165a0a8c0.exe
"C:\Users\Admin\AppData\Local\Temp\961751858d8b74b2dec9d4f165a0a8c0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
412.2MB

MD5
19ed99b0697e577a70adb6a011ff002e

SHA1
fee954bc612d6663ec31963e501fde292209b37d

SHA256
cb716a3f043fb07cfeb84d7db16843d6a2cf2174be4ab740cebadfcf70906be6

SHA512
28f0620f5152c9d1c1789ccc5cfc79d5f6298947ebcc10e03ca48b3397d60bf926c8cb52052575df17d0b64bdd106c653ac1d6ee18a6345541d48f3c4ab9f1a2

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
437.1MB

MD5
c6787868f1146fd5fbf598e51c4b3312

SHA1
8abda7c7ef57f77c99b1cc4ac37450e1fb86bb48

SHA256
89412a558bacaa42d6a9f15164ee3a96f62480646482a89accddf41729ca1b34

SHA512
be1ea7a4c03329cd64fbbad3eb7bb02c9abcf0b26b6826554eb944abfd1e38d24741d0a163768d7bfe821713e5f4d58c08b31dbdfdef20a7f92c3653bbc646a3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
422.4MB

MD5
fff92376797807e2aa08f92096582f2a

SHA1
24ba36dfff6d0f714de3d2b077f6fca4f35a6b9a

SHA256
edc4ae6194d5dceb0148ff62821a7f0b2d491ac97be62b06d92b7afe62f5a832

SHA512
43f12c31199f14fa836b5d313549f26a2eab1e5016943006f4ac5af1af6a7bd811f16a3cf322cbb6eda9ab49814b6863532cbfa9572d062f7207ab7cff4a9843

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
446.6MB

MD5
df2e9eff886b97b9a40cf51da1711475

SHA1
b76aa77ce076c6398f41b1ac0c36aad6a92f3e55

SHA256
57d5b120b94c7a8e5aae1ff5405473805fb7d5d958928c7178ed18465965bf4b

SHA512
367ed76c01ca060ce10bf158f3c6f352ed0b19d785c190b8ac15b5942484e34fa8b292b4d0615fba3860e190cfc0815d4b89a5782067dad552a00f6e5cb1011c

Download Submit
memory/1732-69-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-72-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-84-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-83-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-82-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-81-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-67-0x0000000003580000-0x0000000003950000-memory.dmp

Filesize
3.8MB

Download
memory/1732-68-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-80-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-70-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-71-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-79-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-75-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-76-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-77-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1732-78-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/3016-55-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/3016-53-0x0000000003320000-0x00000000034CA000-memory.dmp

Filesize
1.7MB

Download
memory/3016-66-0x00000000034D0000-0x00000000038A0000-memory.dmp

Filesize
3.8MB

Download
memory/3016-64-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/3016-65-0x0000000003320000-0x00000000034CA000-memory.dmp

Filesize
1.7MB

Download
memory/3016-54-0x00000000034D0000-0x00000000038A0000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads