laplas | 1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56

General

Target

1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
Size

7.4MB
MD5

156590a4560236d1fe20019c6babbc49
SHA1

d9f5033f58f0fef0e8165b08c7a41f7b4b10a9fd
SHA256

1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56
SHA512

9f4be44f2b4b3318fe48895c0221385d5cefd0303da5da51e6788cfc0eaecd7a3c3e5db4183e829114d68d3c89ce86d630096fa91318376f105d935f8e355cc0
SSDEEP

196608:dZkKDdWzNLqrZQRcFE7qQGshXJbs0+XHeOeKpd:8WdoN2K97msvQD

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.223

Attributes

api_key
afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

ntlhost.exe

pid process

4752 ntlhost.exe

pid	process
4752	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exentlhost.exe

pid	process
1144	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
1144	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
4752	ntlhost.exe
4752	ntlhost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exentlhost.exe

pid	process
1144	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
1144	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
1144	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
1144	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
4752	ntlhost.exe
4752	ntlhost.exe
4752	ntlhost.exe
4752	ntlhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe

description	pid	process	target process
PID 1144 wrote to memory of 4752	1144	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe	ntlhost.exe
PID 1144 wrote to memory of 4752	1144	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe	ntlhost.exe
PID 1144 wrote to memory of 4752	1144	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe	ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
"C:\Users\Admin\AppData\Local\Temp\1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
1.5MB

MD5
b58e550edde6e0222e857f5e6fd9582a

SHA1
78a8a42353661ec802d612dcb1c427d80ed95d3f

SHA256
8e6261443a24145a92b25e8b86b8c1f09187090bec084c6af6ba7acc20e7eb90

SHA512
0eb53e60594f6212cb4c9469203e0bada2193cf51b8b4c96d36120d0ec71688854d23d18236ba641cc6a6b4390dfd2b6bc69faddd7ee859c6c77a33734578204

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
622KB

MD5
ffb99c37509ec723f036a4c045cee0f1

SHA1
54ed4c0171cefbc809987b4065a8a85f98b6ca32

SHA256
9f11ad5326038c1e83ed14f4e8eef2c46499b5054743adab93ae9f207f1db82c

SHA512
6fe3a53e6cf00102c5e709c82a5f56c7848ba6c2732bb98daf15d504919f3a33cd6a1f85b4f91204434a9abb62cc8d41a7b5764c79efbaba2d4f74534e9ac9a2

Download Submit
memory/1144-14-0x0000000004280000-0x0000000004683000-memory.dmp

Filesize
4.0MB

Download
memory/1144-26-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/1144-9-0x0000000003970000-0x0000000003980000-memory.dmp

Filesize
64KB

Download
memory/1144-10-0x0000000003970000-0x0000000003980000-memory.dmp

Filesize
64KB

Download
memory/1144-0-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/1144-15-0x0000000004280000-0x0000000004683000-memory.dmp

Filesize
4.0MB

Download
memory/1144-16-0x0000000004280000-0x0000000004683000-memory.dmp

Filesize
4.0MB

Download
memory/1144-17-0x0000000004280000-0x0000000004683000-memory.dmp

Filesize
4.0MB

Download
memory/1144-21-0x0000000004280000-0x0000000004683000-memory.dmp

Filesize
4.0MB

Download
memory/1144-2-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/1144-1-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/1144-6-0x0000000004280000-0x0000000004683000-memory.dmp

Filesize
4.0MB

Download
memory/4752-44-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/4752-29-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/4752-27-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/4752-33-0x0000000003F80000-0x0000000004383000-memory.dmp

Filesize
4.0MB

Download
memory/4752-37-0x0000000003670000-0x0000000003680000-memory.dmp

Filesize
64KB

Download
memory/4752-35-0x0000000003670000-0x0000000003680000-memory.dmp

Filesize
64KB

Download
memory/4752-41-0x0000000003F80000-0x0000000004383000-memory.dmp

Filesize
4.0MB

Download
memory/4752-43-0x0000000003F80000-0x0000000004383000-memory.dmp

Filesize
4.0MB

Download
memory/4752-42-0x0000000003F80000-0x0000000004383000-memory.dmp

Filesize
4.0MB

Download
memory/4752-28-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/4752-45-0x0000000003670000-0x0000000003680000-memory.dmp

Filesize
64KB

Download
memory/4752-46-0x0000000003670000-0x0000000003680000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads