laplas | 47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017

General

Target

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
Size

5.8MB
MD5

52fe687ddad6e72d8c9f79b94543cb28
SHA1

ca3771cdc25a4c3618d6746d9bae20c8a0dc48c1
SHA256

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017
SHA512

598fa486cae36ddcec368005b401da74c7c3a08586fd5995948bd9261bfadaa4d7eb4b9306bfdc99cdfc09fe93579164ba67dd090e3f6f0cc689bbdae586e8d7
SSDEEP

98304:dFMwKUb75oO8EL2TJgmgUiN+RJ/BC09WXSEKbSFa+UKiUsf+DltYg4:dFMwtPm/Em3x0cJ/BCmWzcKiXUltY

Score

10^/10

laplas clipper stealer

Malware Config

Extracted

Family

laplas

C2

45.159.188.158

Attributes

api_key
d1a05de376c0be1daa56dfb2715c8a0c5df8a111b8b31decc886df1e48db7c9c

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

jGBsqiyHao.exe

pid process

2940 jGBsqiyHao.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2008 schtasks.exe

pid	process
2940	jGBsqiyHao.exe

pid	process
2008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exejGBsqiyHao.exe

pid	process
1448	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
1448	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
2940	jGBsqiyHao.exe
2940	jGBsqiyHao.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.execmd.exetaskeng.exe

description	pid	process	target process
PID 1448 wrote to memory of 2712	1448	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	cmd.exe
PID 1448 wrote to memory of 2712	1448	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	cmd.exe
PID 1448 wrote to memory of 2712	1448	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	cmd.exe
PID 1448 wrote to memory of 2712	1448	47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe	cmd.exe
PID 2712 wrote to memory of 2008	2712	cmd.exe	schtasks.exe
PID 2712 wrote to memory of 2008	2712	cmd.exe	schtasks.exe
PID 2712 wrote to memory of 2008	2712	cmd.exe	schtasks.exe
PID 2712 wrote to memory of 2008	2712	cmd.exe	schtasks.exe
PID 2524 wrote to memory of 2940	2524	taskeng.exe	jGBsqiyHao.exe
PID 2524 wrote to memory of 2940	2524	taskeng.exe	jGBsqiyHao.exe
PID 2524 wrote to memory of 2940	2524	taskeng.exe	jGBsqiyHao.exe
PID 2524 wrote to memory of 2940	2524	taskeng.exe	jGBsqiyHao.exe
PID 2524 wrote to memory of 2940	2524	taskeng.exe	jGBsqiyHao.exe
PID 2524 wrote to memory of 2940	2524	taskeng.exe	jGBsqiyHao.exe
PID 2524 wrote to memory of 2940	2524	taskeng.exe	jGBsqiyHao.exe

C:\Users\Admin\AppData\Local\Temp\47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe
"C:\Users\Admin\AppData\Local\Temp\47c1302a6362defa7ae3e1d9f3f67059fc147677fdac70aa394583280ff54017.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /tn GbXLuFISha /tr C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GbXLuFISha /tr C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:2008

C:\Windows\system32\taskeng.exe
taskeng.exe {AF7201B7-024F-4358-A826-0CCAA583027E} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe
  C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe

Filesize
625.0MB

MD5
127c6426525ca4656d5a9b3b2873da48

SHA1
f4eb1fd3853613c9d5ca539ff213b5b22cc2020b

SHA256
65d014ebac43db8572626730549a97b0ea607eb141e8cf0ec23144bb8a27337e

SHA512
1e2db78f332b084aeb97da05815b9be5eacd05acde30e3f2d17eac7e9f01b39c998baf3a096ee05850f73311b7784046ed94a077caf13aa1fd090b49f06aee85

Download Submit
C:\Users\Admin\AppData\Roaming\GbXLuFISha\jGBsqiyHao.exe

Filesize
625.0MB

MD5
127c6426525ca4656d5a9b3b2873da48

SHA1
f4eb1fd3853613c9d5ca539ff213b5b22cc2020b

SHA256
65d014ebac43db8572626730549a97b0ea607eb141e8cf0ec23144bb8a27337e

SHA512
1e2db78f332b084aeb97da05815b9be5eacd05acde30e3f2d17eac7e9f01b39c998baf3a096ee05850f73311b7784046ed94a077caf13aa1fd090b49f06aee85

Download Submit
memory/1448-36-0x00000000013A0000-0x00000000020F6000-memory.dmp

Filesize
13.3MB

Download
memory/1448-23-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1448-6-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1448-8-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1448-10-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1448-15-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1448-5-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1448-18-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1448-20-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1448-37-0x00000000013A0000-0x00000000020F6000-memory.dmp

Filesize
13.3MB

Download
memory/1448-25-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1448-30-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1448-28-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1448-31-0x00000000013A0000-0x00000000020F6000-memory.dmp

Filesize
13.3MB

Download
memory/1448-0-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1448-4-0x00000000013A0000-0x00000000020F6000-memory.dmp

Filesize
13.3MB

Download
memory/1448-13-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1448-2-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2940-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2940-43-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2940-45-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2940-50-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2940-60-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2940-68-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2940-70-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2940-65-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2940-63-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2940-58-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2940-55-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2940-42-0x0000000000310000-0x0000000001066000-memory.dmp

Filesize
13.3MB

Download
memory/2940-48-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2940-75-0x0000000000310000-0x0000000001066000-memory.dmp

Filesize
13.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads