MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d2b30b68962af3d19af75515aae44eeb39031432655824b18d1121a8a582aab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d2b30b68962af3d19af75515aae44eeb39031432655824b18d1121a8a582aab
SHA3-384 hash: d04be7f8ce9c0e043a0c26107b87bba00e28c57017806ca02c3c1b352d53f3bf4bd8ecc1948ad687cac5103c7cc92911
SHA1 hash: f4e013b822ab31df44280557f6e03dfd45525e75
MD5 hash: 83432cfda6a30f376d00eba4e1e6c93f
humanhash: sixteen-social-venus-montana
File name:Installer_5.3.86.1001.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:29'324'072 bytes
First seen:2023-05-30 11:50:31 UTC
Last seen:2023-07-04 10:37:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ffd0fa11d62a03aa3299c02a14b1bf77 (2 x RecordBreaker, 1 x LaplasClipper)
ssdeep 393216:dtFUo3veUOyPie9dUYTPm50rES/6NjBhz1J1yXYrNZ/7cBnKHHAjm3ofcYy:vFUdUUYT28qj3z1yIrNBrQm3ofcYy
TLSH T151572397A5D6B2D4CB830E40A28451CE3BC1A4EE89FD966D3AC79C035074EBB458CE77
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
dhash icon 5b3931b29cd1631d (9 x LummaStealer, 3 x RemcosRAT, 2 x RedLineStealer)
Reporter iam_py_test
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
281
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://shorturl.at/lqtuW
Verdict:
Malicious activity
Analysis date:
2023-05-30 10:52:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c084b570-6946-4878-ab48-8db1dc4ed659

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Sending an HTTP POST request
Creating a file
Reading critical registry keys
Running batch commands
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Launching cmd.exe command interpreter
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88704/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug crypto greyware lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6475e3276407f39ba8ade71e/reports/a2c73581-5b81-42ed-a085-195843d3ad29/overview
Verdict:
Malicious
Labled as:
Infostealer/RecordStealer
Link:
https://www.hybrid-analysis.com/sample/1d2b30b68962af3d19af75515aae44eeb39031432655824b18d1121a8a582aab
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1245198
Signature
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Behaviour
Behavior Graph:
Download SVG
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=duvtbnujmkxt2gnpovivvlse52zzamkdezkyesyy2ejbvcsyfkvq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:sectoprat persistence rat spyware trojan
Link:
https://tria.ge/reports/230530-nz5z5shf7z/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Amadey
SectopRAT
SectopRAT payload
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1d2b30b68962/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d2b30b68962af3d19af75515aae44eeb39031432655824b18d1121a8a582aab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

rar 30be63645e275278ad6a49cbdb88547248207337561a283d8f5792c33d662429

LaplasClipper

rar 464030cae8062dafa2a422b416a3d20607470e25fe78ab2e390bd1bc13a6fc25

LaplasClipper

Executable exe 1d2b30b68962af3d19af75515aae44eeb39031432655824b18d1121a8a582aab

(this sample)

LaplasClipper

Executable exe dafd690a0903499113b0f9c6e96f48fe5516dda430c2ba7cb3a0ca0527fae204

  
Link
https://tria.ge/230530-m4zhgshb97/behavioral2
  
Dropped by
SHA256 464030cae8062dafa2a422b416a3d20607470e25fe78ab2e390bd1bc13a6fc25
  
Dropping
SHA256 dafd690a0903499113b0f9c6e96f48fe5516dda430c2ba7cb3a0ca0527fae204
  
Dropping
SHA256 171c875a544e96c823170d1df870587300965ee069bc7dc35845b1bfccf17465
  
Dropping
SHA256 55194a6530652599dfc4af96f87f39575ddd9f7f30c912cd59240dd26373940b
  
Delivery method
Distributed via web download
  
Dropping
MD5 7338191364d7eb9a6f697f08833b7fe4
  
Dropping
MD5 fc370061296aefef63818d1a9069f21e
  
Dropped by
MD5 cf26297d2496c08b8f21d5651e413e5b

Comments