laplas | 47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017

General

Target

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
Size

5.8MB
MD5

52fe687ddad6e72d8c9f79b94543cb28
SHA1

ca3771cdc25a4c3618d6746d9bae20c8a0dc48c1
SHA256

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017
SHA512

598fa486cae36ddcec368005b401da74c7c3a08586fd5995948bd9261bfadaa4d7eb4b9306bfdc99cdfc09fe93579164ba67dd090e3f6f0cc689bbdae586e8d7
SSDEEP

98304:dFMwKUb75oO8EL2TJgmgUiN+RJ/BC09WXSEKbSFa+UKiUsf+DltYg4:dFMwtPm/Em3x0cJ/BCmWzcKiXUltY

Score

10^/10

laplas clipper stealer

Malware Config

Extracted

Family

laplas

C2

45.159.188.158

Attributes

api_key
d1a05de376c0be1daa56dfb2715c8a0c5df8a111b8b31decc886df1e48db7c9c

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Sliver 32-bit implant (with and without --debug flag at compile) 7 IoCs

slive 32bit malware detected.

Processes:

resource	yara_rule
behavioral2/memory/2396-4-0x0000000000B00000-0x0000000001856000-memory.dmp	sliver_32bit
behavioral2/memory/2396-9-0x0000000000B00000-0x0000000001856000-memory.dmp	sliver_32bit
behavioral2/memory/2396-13-0x0000000000B00000-0x0000000001856000-memory.dmp	sliver_32bit
behavioral2/memory/2396-14-0x0000000000B00000-0x0000000001856000-memory.dmp	sliver_32bit
behavioral2/memory/4184-23-0x0000000000980000-0x00000000016D6000-memory.dmp	sliver_32bit
behavioral2/memory/4184-22-0x0000000000980000-0x00000000016D6000-memory.dmp	sliver_32bit
behavioral2/memory/4184-27-0x0000000000980000-0x00000000016D6000-memory.dmp	sliver_32bit

Executes dropped EXE 1 IoCs

Processes:

jGBsqiyHao.exe

pid process

4184 jGBsqiyHao.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2276 schtasks.exe

pid	process
4184	jGBsqiyHao.exe

pid	process
2276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exejGBsqiyHao.exe

pid	process
2396	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
2396	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
2396	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
2396	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
4184	jGBsqiyHao.exe
4184	jGBsqiyHao.exe
4184	jGBsqiyHao.exe
4184	jGBsqiyHao.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.execmd.exe

description	pid	process	target process
PID 2396 wrote to memory of 5064	2396	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	cmd.exe
PID 2396 wrote to memory of 5064	2396	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	cmd.exe
PID 2396 wrote to memory of 5064	2396	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	cmd.exe
PID 5064 wrote to memory of 2276	5064	cmd.exe	schtasks.exe
PID 5064 wrote to memory of 2276	5064	cmd.exe	schtasks.exe
PID 5064 wrote to memory of 2276	5064	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
"C:\Users\Admin\AppData\Local\Temp\47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C schtasks /create /tn GbXLuFISha /tr C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn GbXLuFISha /tr C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:2276

C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe
C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe
Filesize
631.7MB

MD5
243500590f1594b5f731eaf1b6634830

SHA1
8e0a30026785944a64aa6142e31e62f8b7f8f4bc

SHA256
3fd9f8c5181b2c22a6b5a39606c7ae6dacf94a32db3dcbf65f49f61bdde9bef9

SHA512
cee2acc07f787741bbca35501fb4c0e5b814398787382a18049a41675da09107268da75d9e0c3ba386d54bb5015fe5552d02c4439154d9e7200d42a2342e5e03

Download Submit
memory/2396-5-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2396-0-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2396-14-0x0000000000B00000-0x0000000001856000-memory.dmp

Filesize
13.3MB

Download
memory/2396-2-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2396-6-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2396-9-0x0000000000B00000-0x0000000001856000-memory.dmp

Filesize
13.3MB

Download
memory/2396-13-0x0000000000B00000-0x0000000001856000-memory.dmp

Filesize
13.3MB

Download
memory/2396-3-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2396-4-0x0000000000B00000-0x0000000001856000-memory.dmp

Filesize
13.3MB

Download
memory/4184-27-0x0000000000980000-0x00000000016D6000-memory.dmp

Filesize
13.3MB

Download
memory/4184-16-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/4184-19-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/4184-17-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/4184-21-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/4184-20-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/4184-23-0x0000000000980000-0x00000000016D6000-memory.dmp

Filesize
13.3MB

Download
memory/4184-22-0x0000000000980000-0x00000000016D6000-memory.dmp

Filesize
13.3MB

Download
memory/4184-18-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads