laplas | 47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017

General

Target

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
Size

5.8MB
MD5

52fe687ddad6e72d8c9f79b94543cb28
SHA1

ca3771cdc25a4c3618d6746d9bae20c8a0dc48c1
SHA256

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017
SHA512

598fa486cae36ddcec368005b401da74c7c3a08586fd5995948bd9261bfadaa4d7eb4b9306bfdc99cdfc09fe93579164ba67dd090e3f6f0cc689bbdae586e8d7
SSDEEP

98304:dFMwKUb75oO8EL2TJgmgUiN+RJ/BC09WXSEKbSFa+UKiUsf+DltYg4:dFMwtPm/Em3x0cJ/BCmWzcKiXUltY

Score

10^/10

laplas clipper stealer

Malware Config

Extracted

Family

laplas

C2

45.159.188.158

Attributes

api_key
d1a05de376c0be1daa56dfb2715c8a0c5df8a111b8b31decc886df1e48db7c9c

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Sliver 32-bit implant (with and without --debug flag at compile) 4 IoCs

slive 32bit malware detected.

resource	yara_rule
behavioral1/memory/1952-3-0x0000000000300000-0x0000000001056000-memory.dmp	sliver_32bit
behavioral1/memory/1952-36-0x0000000000300000-0x0000000001056000-memory.dmp	sliver_32bit
behavioral1/memory/2612-72-0x00000000009C0000-0x0000000001716000-memory.dmp	sliver_32bit
behavioral1/memory/2612-74-0x00000000009C0000-0x0000000001716000-memory.dmp	sliver_32bit

Executes dropped EXE 1 IoCs

pid	Process
2612	jGBsqiyHao.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1952	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
1952	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
2612	jGBsqiyHao.exe
2612	jGBsqiyHao.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2908	1952	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	28
PID 1952 wrote to memory of 2908	1952	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	28
PID 1952 wrote to memory of 2908	1952	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	28
PID 1952 wrote to memory of 2908	1952	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	28
PID 2908 wrote to memory of 2708	2908	cmd.exe	30
PID 2908 wrote to memory of 2708	2908	cmd.exe	30
PID 2908 wrote to memory of 2708	2908	cmd.exe	30
PID 2908 wrote to memory of 2708	2908	cmd.exe	30
PID 2504 wrote to memory of 2612	2504	taskeng.exe	34
PID 2504 wrote to memory of 2612	2504	taskeng.exe	34
PID 2504 wrote to memory of 2612	2504	taskeng.exe	34
PID 2504 wrote to memory of 2612	2504	taskeng.exe	34
PID 2504 wrote to memory of 2612	2504	taskeng.exe	34
PID 2504 wrote to memory of 2612	2504	taskeng.exe	34
PID 2504 wrote to memory of 2612	2504	taskeng.exe	34

C:\Users\Admin\AppData\Local\Temp\47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
"C:\Users\Admin\AppData\Local\Temp\47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /tn GbXLuFISha /tr C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GbXLuFISha /tr C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:2708

C:\Windows\system32\taskeng.exe
taskeng.exe {7D5A824C-2542-4072-9583-DAD4A942DA0D} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe
  C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe

Filesize
626.1MB

MD5
2d554e4d5c225ad3e17abd080594efe9

SHA1
45487d766db2220c0cfafa6aac428fae046d2753

SHA256
0d7221ca347419c07b3b025c0a658852ff8c35354e4712d0d0bcd45a45f3b3c5

SHA512
913f62a210b8864860e5e1a7b58bb4fd5f38662b8f513e5ffac6bc66ab73ed1197d5186aa1a4c37653d4ed209002b9afc6aa0aca10f262432d447a7d9bf7cdfc

Download Submit
C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe

Filesize
626.1MB

MD5
2d554e4d5c225ad3e17abd080594efe9

SHA1
45487d766db2220c0cfafa6aac428fae046d2753

SHA256
0d7221ca347419c07b3b025c0a658852ff8c35354e4712d0d0bcd45a45f3b3c5

SHA512
913f62a210b8864860e5e1a7b58bb4fd5f38662b8f513e5ffac6bc66ab73ed1197d5186aa1a4c37653d4ed209002b9afc6aa0aca10f262432d447a7d9bf7cdfc

Download Submit
memory/1952-15-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1952-6-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1952-5-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1952-8-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1952-10-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1952-13-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1952-0-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1952-18-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1952-20-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1952-23-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1952-25-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1952-28-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1952-30-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1952-36-0x0000000000300000-0x0000000001056000-memory.dmp

Filesize
13.3MB

Download
memory/1952-3-0x0000000000300000-0x0000000001056000-memory.dmp

Filesize
13.3MB

Download
memory/1952-2-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2612-51-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2612-53-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2612-63-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2612-61-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2612-58-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2612-68-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2612-66-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2612-56-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2612-46-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2612-48-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2612-72-0x00000000009C0000-0x0000000001716000-memory.dmp

Filesize
13.3MB

Download
memory/2612-43-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2612-41-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2612-74-0x00000000009C0000-0x0000000001716000-memory.dmp

Filesize
13.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads