laplas | f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50

General

Target

ec8952a8dcbbfaa1fb6fda23df851402.exe
Size

1.8MB
MD5

ec8952a8dcbbfaa1fb6fda23df851402
SHA1

4fb7a97221090f3a4ff5263103623da165624881
SHA256

f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50
SHA512

33ce0a6ae2929145d75aceee5ab7ca6256c8a630ecb04f8df4addab02541b74c6a350a210cd5426466bf254699b76d8b77259b9bf969a131ca292d9d372d7ffd
SSDEEP

49152:N4o1Bkql93ztp3vKhV2E8rf/L0ZNo2gV6UlAo7TWJ:N4o1Bb73ztVv5Ei0ZTUX7Y

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://clipper.guru

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

2504 ntlhost.exe
Loads dropped DLL 2 IoCs

Processes:

ec8952a8dcbbfaa1fb6fda23df851402.exe

pid process

2988 ec8952a8dcbbfaa1fb6fda23df851402.exe
2988 ec8952a8dcbbfaa1fb6fda23df851402.exe

pid	process
2504	ntlhost.exe

pid	process
2988	ec8952a8dcbbfaa1fb6fda23df851402.exe
2988	ec8952a8dcbbfaa1fb6fda23df851402.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ec8952a8dcbbfaa1fb6fda23df851402.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	ec8952a8dcbbfaa1fb6fda23df851402.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ec8952a8dcbbfaa1fb6fda23df851402.exe

description	pid	process	target process
PID 2988 wrote to memory of 2504	2988	ec8952a8dcbbfaa1fb6fda23df851402.exe	ntlhost.exe
PID 2988 wrote to memory of 2504	2988	ec8952a8dcbbfaa1fb6fda23df851402.exe	ntlhost.exe
PID 2988 wrote to memory of 2504	2988	ec8952a8dcbbfaa1fb6fda23df851402.exe	ntlhost.exe
PID 2988 wrote to memory of 2504	2988	ec8952a8dcbbfaa1fb6fda23df851402.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\ec8952a8dcbbfaa1fb6fda23df851402.exe
"C:\Users\Admin\AppData\Local\Temp\ec8952a8dcbbfaa1fb6fda23df851402.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
- Executes dropped EXE
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
54.1MB

MD5
905194b9a7310eacf2ddf4ab93c006ad

SHA1
69448f49b71e4eddad8a833e7afd8451f1724730

SHA256
c3176380f79887478898649a08c3ca381397cfb4d8f774a93676bc1fff9a8d86

SHA512
30531db483766ba37ae93bb168914ed82eb26402f9b66a7bafc29947e2ee18c41624b89845652df4a475917a8e95eadd0bd3d6dbfb03611f5ea2d79df6225a7b

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
54.8MB

MD5
c33e43259c9712ea40fa60c5750b75bc

SHA1
c45e020958ee6a417fdcbef837a31e127d1a3a3e

SHA256
e58ed2c53724cbbb911aa0e990986acc23a49a72926afd510656bf6331357919

SHA512
59b0fb6648b5ca7bfee3669e63375e5f987ca6e8b1e22beb64c6387522560d98d16cb21db23ec848692da45257d4554b8259c25be114617817542b39fcd16976

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
56.9MB

MD5
b45501f321c1e2042431c7dedcf810ee

SHA1
02732aec3792ee98524d782fbad845217af62a58

SHA256
cb93f0044caf723e6ca8de056c8f1832d0ceb8fb7d11eaf48b6dd9ff08500b52

SHA512
b36469c1307ee33e4a7ed3197108cf1d7151a70ab1f2d2459a216fa9cd5fe27e13e1da326aad859a155cf4c1b4d89b0e7ca9c3ebc50ab908e54080a8784c3e8a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
55.4MB

MD5
b689e1556ef5317710db10fa4ac122c4

SHA1
fba4c8e80180f9577dcbd4cc21de85160a100b3b

SHA256
bc4845511dbd389db2ae753ffe9edb10ae1228a250b5814d8525de61aab2ba7a

SHA512
8d874efd6120552b03ac10107374f309cc7202f4daf59d1b931f145d5c010a6fdef0afb7fad7154ea52ff0cd9bc41c9ef661e8c2d2afd6772f9752892f6b442f

Download Submit
memory/2504-15-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-26-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-30-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-29-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-28-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-27-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-24-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-16-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-18-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-19-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-20-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2504-21-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2988-0-0x0000000002840000-0x00000000029EA000-memory.dmp

Filesize
1.7MB

Download
memory/2988-2-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2988-13-0x0000000002840000-0x00000000029EA000-memory.dmp

Filesize
1.7MB

Download
memory/2988-14-0x0000000003F30000-0x0000000004300000-memory.dmp

Filesize
3.8MB

Download
memory/2988-11-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/2988-1-0x0000000003F30000-0x0000000004300000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads