Analysis
-
max time kernel
123s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/02/2025, 16:53
General
-
Target
2c63c61e0adaaf669c9c674edfc9081d415c05b834611.exe
-
Size
4.0MB
-
MD5
d076c4b5f5c42b44d583c534f78adbe7
-
SHA1
c35478e67d490145520be73277cd72cd4e837090
-
SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
-
SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638
-
SSDEEP
49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe
Score
10/10
Malware Config
Extracted
Family
laplas
C2
http://185.209.161.189
Attributes
-
api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Laplas family
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c63c61e0adaaf669c9c674edfc9081d415c05b834611.exe"C:\Users\Admin\AppData\Local\Temp\2c63c61e0adaaf669c9c674edfc9081d415c05b834611.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
-