Analysis
-
max time kernel
131s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
05-09-2023 01:08
General
-
Target
f927d512c8ea36edb283f9e8d5e02ab4ea25b4b143ea605284a3506cd00b8b57.exe
-
Size
10.0MB
-
MD5
197bebce417f5ba6c178ee34037fbdea
-
SHA1
d9dc871f8e61e590115bae9b0d842fae0f8f52b9
-
SHA256
f927d512c8ea36edb283f9e8d5e02ab4ea25b4b143ea605284a3506cd00b8b57
-
SHA512
8cf7bde02dc86518d60f3836e86d3def9b9fcaf4242eaefccc6eaf2ffe61e7eaebc5d2ca114fc11169854726cce125e7f71cdb92214c1e248b4006afa2b223ad
-
SSDEEP
49152:4EjwvlIKv05z+UERnIcYmWjc3Cdhu5E9UFiqeb0/B1Y4kIZxdez6LK+/BV6Cbfoq:OlhWzZ6hnEciqem
Malware Config
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f927d512c8ea36edb283f9e8d5e02ab4ea25b4b143ea605284a3506cd00b8b57.exe"C:\Users\Admin\AppData\Local\Temp\f927d512c8ea36edb283f9e8d5e02ab4ea25b4b143ea605284a3506cd00b8b57.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
618.7MB
MD598bf4ad8c1fc3f9462e7e046ff0ff2b1
SHA132ca91587f99e28c3d5a687339ad4fc5b337e1d1
SHA256195c3048f57e02e66b206bf8757acbb60aa8d8d9d53a7941f62c669acd3cc29f
SHA512a1e5e1bc4b2998a1277ee2daaf9ce091cde24ed0122c7f246f98dd2db7b7b428d0fdf153046cb86c815cb174dbfbf72a843b7c57190e42d1244fd5aad3569451
-
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
638.1MB
MD504a94665771c232448b3a30d8fde7aa3
SHA17d3b044235573f995828e6eee77d814f5e152be3
SHA2567d349d34c51892cace45d0e6fca32c99042e9f63b4bdfe6a392fb9376266d841
SHA512829ce95826231a926993064883092c8e2d8ae017951c1027367c8fd98ae9b5e24fc0017ab837d882c8b5956a866304b2889f4cd67153b197ce2a5e52d6dccc25
-
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
644.7MB
MD5a221676ec5da553ece83da4cc24f7389
SHA16c285d2764acd9df0e9180e658305621a02685c2
SHA25696b126badee9732704a9b24024b09a7a69afb1f4b324ca9a38cb022e15a40ccb
SHA512b630bc660f35b6c7e26f63dca62b7c1b8a9de8cba70e343d6425acd8e9ff45655235e760e27dbba760b885dcd51917f2d07b2b59e19f0a05a4972e740502988f