MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cfe86681f4873302d4225d9b46bdc09245fa0e520888f66c2fe03bfa05f0b53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cfe86681f4873302d4225d9b46bdc09245fa0e520888f66c2fe03bfa05f0b53
SHA3-384 hash: 1882a9850ac12014ae5cc10ebf65f88c6e84001024c0289e1d6c30db2be7d9070d88d73717c7a73e029eb05d199451a4
SHA1 hash: a059798f55356233144d1d62435487c97f2f354d
MD5 hash: 30554f4ba333dd5c7fc9fa58829c62d0
humanhash: blue-network-magazine-coffee
File name:30554f4ba333dd5c7fc9fa58829c62d0.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:4'600'320 bytes
First seen:2023-04-12 13:06:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 98304:qPsyAq0rTgjHLNieY4Kejyzqlffm6MEQF6C+HaRxhpZjWZ5S0pnfg:qPMqC+HtTK47tQbn3ZWXro
Threatray 1'041 similar samples on MalwareBazaar
TLSH T17826339F9CB5C525DEC199F054E2038272DCDF9AABFA976723052D42C50B98DA37880F
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe LaplasClipper

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
30554f4ba333dd5c7fc9fa58829c62d0.exe
Verdict:
Malicious activity
Analysis date:
2023-04-12 13:11:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b46d9254-de62-488d-9a61-c62c9b9a596e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381817/
Detection(s):
SecuriteInfo.com.Variant.Lazy.173293.15315.2562.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker packed
Link:
https://www.filescan.io/uploads/6436acf8072bc28e4595d5f5/reports/3b2ffcb6-952f-45a4-955e-372921c599e3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1cfe86681f4873302d4225d9b46bdc09245fa0e520888f66c2fe03bfa05f0b53
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6ed04871-a99a-47fe-8d90-03aa667e78c5
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212628
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cfe86681f4873302d4225d9b46bdc09245fa0e520888f66c2fe03bfa05f0b53/
Threat name:
Win64.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-04-12 13:07:08 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dt7im2a7jbztalkcexm3i264besf7ihfecei6zwc7yb37ic7bnjq._file
Verdict:
malicious
Similar samples:
3bccf05eee144854cca885ab816b75f6ce8135dd35792c6fd4470d4f7dbf9d1e
LaplasClipper
4532489becbdf07bc0a932486ab95b497113f5600c7646b635eaea9bcfa430cd
LaplasClipper
49e5b6a43eb0b1f3311af48ffaad03cb2b40354edb537d51a5f86855887f853c
LaplasClipper
501cd8b97f8f05211634cdb5eeb69b195870bd42a9bb40c42b1af2229a8f9b15
LaplasClipper
95df8e09db02d2956bdd6a91041e3424020e9dc1e2775bac33b6c0af30fada43
LaplasClipper
b3c16003d613c90f1741bf5b9cf2f2ceb3eac08da27dacefd8162364838a3227
LaplasClipper
b6e4d99871249faefd2ed9dab5dd045d3d9ea13b4608262588eb157ddc312a68
LaplasClipper
cdf3769ff60af93c67c52ebd0a532c40a7df454bbb217f35e8035f5e3ec4bc21
LaplasClipper
f20d42f5c2db1feca1bcf573558f24734bd6972f69eeabd86939c821afc44939
LaplasClipper
f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4
LaplasClipper
+ 1'031 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230412-qcmldsdh6y/
Behaviour
GoLang User-Agent
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
1cfe86681f4873302d4225d9b46bdc09245fa0e520888f66c2fe03bfa05f0b53
MD5 hash:
30554f4ba333dd5c7fc9fa58829c62d0
SHA1 hash:
a059798f55356233144d1d62435487c97f2f354d
Link:
https://www.unpac.me/results/2ebf76dd-bb77-4b8f-a662-2f7b7e9efe76/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cfe86681f4873302d4225d9b46bdc09245fa0e520888f66c2fe03bfa05f0b53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

Executable exe 1cfe86681f4873302d4225d9b46bdc09245fa0e520888f66c2fe03bfa05f0b53

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2606997/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/381817/

Comments