MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b2ea9709e72f8fa708cfdff7561abc7da239c1d4edcb019ca471937c66b0be3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b2ea9709e72f8fa708cfdff7561abc7da239c1d4edcb019ca471937c66b0be3
SHA3-384 hash: 78328b675ea97832de9b227d350a55431762b278ce4f6010612803a1dc1f251b8e0de08c7162eae43588aeb10e86454f
SHA1 hash: cabc06e8b61367ca9c7ccfee64ac3dda76fbd977
MD5 hash: e6deec01e193a9f979bc20585c81a6f9
humanhash: alanine-massachusetts-fifteen-undress
File name:e6deec01e193a9f979bc20585c81a6f9.dll
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:1'273'048 bytes
First seen:2023-03-13 10:18:10 UTC
Last seen:2023-03-13 11:28:42 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 5774734b3f34bc8eabac3f454f2a6852 (3 x LaplasClipper)
ssdeep 24576:u56/FudWvbsyrwqgUZopBRZj7FHO2xT9yd+M/LKfZUSW/MrUP:u64dWTsSELZjhHOOSKfZ6
Threatray 1 similar samples on MalwareBazaar
TLSH T12445332A1D8FEDE3CA685BB94CAFF02674D93567FC50813350F92E1A7E0A446CE64931
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon a486a622dad7ca00 (3 x LaplasClipper)
Reporter abuse_ch
Tags:dll LaplasClipper signed

Code Signing Certificate

Organisation:behind.com
Issuer:behind.com
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-12T19:54:39Z
Valid to:2024-03-12T20:14:39Z
Serial number: 29406bd5de6868aa467419317f2079f1
Thumbprint Algorithm:SHA256
Thumbprint: 01f71999ec3c0e7ff8e7e164bedc83334216458245006bdfae76a64f8eb1ef0a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373967/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.25922.17507.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker greyware overlay packed virut
Link:
https://www.filescan.io/uploads/640ef89815e425e0dcc1cc6f/reports/4d2193ad-ff6d-46d3-937c-09357c63d42d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1b2ea9709e72f8fa708cfdff7561abc7da239c1d4edcb019ca471937c66b0be3
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8d3b0dbc-479b-4361-8541-db575e6e4154
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1192475
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 825380 Sample: BwNrxflAqG.dll Startdate: 13/03/2023 Architecture: WINDOWS Score: 84 26 Snort IDS alert for network traffic 2->26 28 Multi AV Scanner detection for domain / URL 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected Laplas Clipper 2->32 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 21 8->10         started        14 cmd.exe 1 8->14         started        16 WerFault.exe 9 8->16         started        18 conhost.exe 8->18         started        dnsIp5 24 nerf-0148-unknown.guru 79.137.195.205, 49697, 49699, 49700 PSKSET-ASRU Russian Federation 10->24 34 System process connects to network (likely due to code injection or exploit) 10->34 36 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->36 20 rundll32.exe 14->20         started        signatures6 process7 process8 22 WerFault.exe 20 9 20->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b2ea9709e72f8fa708cfdff7561abc7da239c1d4edcb019ca471937c66b0be3/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 02:27:49 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmxks4e6ol4pu4em7x7xkynly7nchha5j3olagoki4mtprtlbprq._file
Verdict:
malicious
Similar samples:
1c6be6e3a00fd2b18514ee0eb6d0b213b9cab972aa6178064156aa57eeb018bf
LaplasClipper
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230313-mch2esbh6t/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
1fefbfc9c4cce0d47dbd5901c224203e9f4ba76bd1b031756c7f3e40b20dd938
MD5 hash:
6a2cf051669fb51238787670ab159b7b
SHA1 hash:
85938a31affbaa4922ffb24c2b6ec0551608f109
Link:
https://www.unpac.me/results/508b3ce9-e2e6-4513-ac03-50f45b156337/
SH256 hash:
1b2ea9709e72f8fa708cfdff7561abc7da239c1d4edcb019ca471937c66b0be3
MD5 hash:
e6deec01e193a9f979bc20585c81a6f9
SHA1 hash:
cabc06e8b61367ca9c7ccfee64ac3dda76fbd977
Link:
https://www.unpac.me/results/508b3ce9-e2e6-4513-ac03-50f45b156337/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b2ea9709e72f8fa708cfdff7561abc7da239c1d4edcb019ca471937c66b0be3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

DLL dll 1b2ea9709e72f8fa708cfdff7561abc7da239c1d4edcb019ca471937c66b0be3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2564323/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/373967/

Comments