laplas | 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08

Analysis

max time kernel
263s
max time network
295s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-09-2023 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe
Size

2.6MB
MD5

3f821e69fe1b38097b29ac284016858a
SHA1

3995cad76f1313243e5c8abce901876638575341
SHA256

203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08
SHA512

704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7
SSDEEP

49152:/oLi8Bd2MIUueEcBY6rCYIvkQIIZB9mnJWUyzD8A04Z/f8I:ALi8B0MiCBbC3IIZB9cKzomZ/kI

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2828	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2828	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe
2848	ntlhost.exe

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1
HTTP User-Agent header	7	Go-http-client/1.1
HTTP User-Agent header	3	Go-http-client/1.1
HTTP User-Agent header	4	Go-http-client/1.1
HTTP User-Agent header	5	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2848	2828	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe	28
PID 2828 wrote to memory of 2848	2828	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe	28
PID 2828 wrote to memory of 2848	2828	203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe	28

C:\Users\Admin\AppData\Local\Temp\203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe
"C:\Users\Admin\AppData\Local\Temp\203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
239.5MB

MD5
ba262a3ecfb2ec80fcba6bad1c5110ef

SHA1
1d4aa0d5afabb75e3c638d6126c2857ba0afcf40

SHA256
1e2ead9c6234603c218d86d0019966e8c6eafa4b35af8fdbae76bf2d3b04418f

SHA512
6697bad4411cd8f9dd645b9424ba6c071eaf70da6f4cc9e3bd44c336a6e715f3cea2db9af8a6e416c271f75bc74b0c655bc99da195b48ed1601b86aac4547dcf

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
239.4MB

MD5
54a417d4e36cf0067988de70c35aa2e0

SHA1
1b01bcd21eb473a0f402bd095806fa30e8dc17c3

SHA256
958b280a9a0cdf7f91c86a61bae8c8c6a37a972e8ac726d866efe57f32a2652a

SHA512
3c4ac1a49f55b75c941915522a4c8ca32a099f1f2918136664f6f86d76b8f805c4c2ac73a2fd29e10f7472be2c36a0e61e8b0a6923df16f0fb6feb1b022e3eec

Download Submit
memory/2828-0-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-1-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2828-2-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2828-3-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2828-4-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/2828-6-0x0000000077880000-0x0000000077A29000-memory.dmp

Filesize
1.7MB

Download
memory/2828-5-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-7-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-8-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-9-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-10-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-11-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-12-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-14-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-15-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-13-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-17-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2828-16-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-19-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-20-0x0000000077880000-0x0000000077A29000-memory.dmp

Filesize
1.7MB

Download
memory/2828-24-0x0000000000940000-0x00000000011A8000-memory.dmp

Filesize
8.4MB

Download
memory/2828-27-0x0000000077880000-0x0000000077A29000-memory.dmp

Filesize
1.7MB

Download
memory/2828-28-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2828-25-0x00000000288A0000-0x0000000029108000-memory.dmp

Filesize
8.4MB

Download
memory/2848-26-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-29-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2848-30-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2848-32-0x0000000077880000-0x0000000077A29000-memory.dmp

Filesize
1.7MB

Download
memory/2848-33-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/2848-31-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-35-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2848-34-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-36-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-37-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-38-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-39-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-40-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-41-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-42-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-43-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-44-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-45-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-46-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2848-47-0x0000000077880000-0x0000000077A29000-memory.dmp

Filesize
1.7MB

Download
memory/2848-48-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-49-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-50-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-51-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-52-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-53-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-56-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-57-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-58-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-59-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-60-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-61-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-62-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-63-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-64-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-65-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-66-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-67-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-68-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-69-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-70-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-71-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-72-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-73-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download
memory/2848-74-0x0000000000D70000-0x00000000015D8000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads