laplas | f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2023 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

signed.exe
Size

1.8MB
MD5

ec8952a8dcbbfaa1fb6fda23df851402
SHA1

4fb7a97221090f3a4ff5263103623da165624881
SHA256

f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50
SHA512

33ce0a6ae2929145d75aceee5ab7ca6256c8a630ecb04f8df4addab02541b74c6a350a210cd5426466bf254699b76d8b77259b9bf969a131ca292d9d372d7ffd
SSDEEP

49152:N4o1Bkql93ztp3vKhV2E8rf/L0ZNo2gV6UlAo7TWJ:N4o1Bb73ztVv5Ei0ZTUX7Y

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://clipper.guru

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

laplas

http://clipper.guru

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4672	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	signed.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	24	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 4672	4460	signed.exe	84
PID 4460 wrote to memory of 4672	4460	signed.exe	84
PID 4460 wrote to memory of 4672	4460	signed.exe	84

C:\Users\Admin\AppData\Local\Temp\signed.exe
"C:\Users\Admin\AppData\Local\Temp\signed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
725.8MB

MD5
373bf1386d41106b923b40cfaeee391c

SHA1
d453be281da948a635d7756fe159df15ad7aab6d

SHA256
a5cf26405cde1d3c297713a4a32a03f20b173de03c5f9adb9b1483e3d447c19b

SHA512
d3bb10ca5fb809e831634ade05ac3bf1adf69bff669158ab9fd1f5996834d5b00c85951c52bd6719a620f683941a6575ecf99401132c58b3244e9d35a3552eae

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
725.8MB

MD5
373bf1386d41106b923b40cfaeee391c

SHA1
d453be281da948a635d7756fe159df15ad7aab6d

SHA256
a5cf26405cde1d3c297713a4a32a03f20b173de03c5f9adb9b1483e3d447c19b

SHA512
d3bb10ca5fb809e831634ade05ac3bf1adf69bff669158ab9fd1f5996834d5b00c85951c52bd6719a620f683941a6575ecf99401132c58b3244e9d35a3552eae

Download Submit
memory/4460-0-0x00000000044E0000-0x000000000468A000-memory.dmp

Filesize
1.7MB

Download
memory/4460-1-0x0000000004690000-0x0000000004A60000-memory.dmp

Filesize
3.8MB

Download
memory/4460-2-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4460-4-0x00000000044E0000-0x000000000468A000-memory.dmp

Filesize
1.7MB

Download
memory/4460-5-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4460-6-0x0000000004690000-0x0000000004A60000-memory.dmp

Filesize
3.8MB

Download
memory/4460-7-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4460-11-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-15-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-25-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-12-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-17-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-18-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-20-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-23-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-14-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-27-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-30-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-31-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-33-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-36-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download
memory/4672-37-0x0000000000400000-0x00000000025C4000-memory.dmp

Filesize
33.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads