MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02c640ef3ac9d7fa8c919b0f72bb85413ef3e9803d2d091277b9a7c41f52e9d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LaplasClipper


Vendor detections: 16



SHA256 hash: 02c640ef3ac9d7fa8c919b0f72bb85413ef3e9803d2d091277b9a7c41f52e9d9
SHA3-384 hash: d5141080577292e1d2d9c859d74f5dd8bda0458862cf9e5d62b454562b6d3065689f86dd75477961faac28f99f726025
SHA1 hash: 4e8d9b1efb8b4b7b316e5a7fd3fb808e2da759a8
MD5 hash: 7e1c47ca9cef11631ddd096c1d3639c7
humanhash: quebec-mars-pip-spaghetti
File name: file.exe
Signature: LaplasClipper
File size: 588'800 bytes
First seen: 2023-06-17 09:47:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2fe73b1edf18bd6736d0f71d5f78f29c (1 x LaplasClipper, 1 x RedLineStealer)
ssdeep: 6144:qTov37S4OHn8MDIYKReFMjkyI/VYXVhUYbjDyVlQBCVTI:qcv37SajRVjziVq3gVlsCVT
TLSH: T1A0C4183473A08C2CF9643E3B1E23FAB63558A0E6374C24A733D4C18599B15BF965F91A
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe LaplasClipper

Intelligence


File Origin
# of uploads: 1
# of downloads: 290
Origin country: NL
Vendor Threat Intelligence
Malware family:
raccoon
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-16 23:20:20 UTC
Tags:
installer gcleaner raccoon recordbreaker trojan loader stealer redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
Laplas Clipper, RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 889457, sample file.exe, start date 17/06/2023, architecture WINDOWS, score 100)

Root signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 8 other signatures

Process tree:
file.exe
  Signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  AppLaunch.exe
    Network: 95.216.249.153, 49724, 81 (HETZNER-ASDE, Germany); bluestaks.novationgroups.com 50.31.188.9, 443, 49726, 49727 (SERVERCENTRALUS, United States); api.ip.sb
    Dropped: C:\Users\user\AppData\...\p5zl9bq82kjf7.exe (PE32); C:\Users\user\AppData\...\Upshotox64.exe (PE32); C:\Users\user\AppData\...\ClipperDoej4oa.exe (PE32)
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    Upshotox64.exe
      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
      AppLaunch.exe
        Network: 65.109.64.82, 4308, 49731 (ALABANZA-BALTUS, United States)
        Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows
      conhost.exe
      WerFault.exe
    ClipperDoej4oa.exe
      Dropped: C:\Users\user\AppData\Roaming\...\ntlhost.exe (PE32)
      Signatures: Antivirus detection for dropped file; Creates multiple autostart registry keys
      ntlhost.exe
        Network: 45.159.189.105, 49735, 80 (HOSTING-SOLUTIONSUS, Netherlands)
        Signatures: Antivirus detection for dropped file
    p5zl9bq82kjf7.exe
      Signatures: Allocates memory in foreign processes; Injects a PE file into a foreign processes
      AppLaunch.exe
        WerFault.exe
          Network: 192.168.2.1 (unknown)
      WerFault.exe
      conhost.exe
      AppLaunch.exe
  WerFault.exe
    Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
  conhost.exe
Threat name:
Win32.Spyware.RedLine
Status:
Malicious
First seen:
2023-06-17 04:20:37 UTC
File Type:
PE (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:laplas family:redline botnet:2 clipper infostealer persistence spyware stealer
Behaviour
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Executes dropped EXE
Downloads MZ/PE file
Laplas Clipper
RedLine
Malware Config
C2 Extraction:
95.216.249.153:81
http://45.159.189.105
Unpacked files
SHA256 hash:
d3328508bdb70df86bb6557c03ad3b1ab46eab7cc3d918e27d36120ce1a16868
MD5 hash:
7f56baf8ab69d57f016de1c238db7c42
SHA1 hash:
a2c9ff3c80c824b27c48ed7246d9b1ff7e7b2e48
SHA256 hash:
02c640ef3ac9d7fa8c919b0f72bb85413ef3e9803d2d091277b9a7c41f52e9d9
MD5 hash:
7e1c47ca9cef11631ddd096c1d3639c7
SHA1 hash:
4e8d9b1efb8b4b7b316e5a7fd3fb808e2da759a8
Malware family:
RedLine.E
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:redline_stealer_1
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments