MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3354463e2f9590a380956a737abfd4d18787437714b20d87b92fe3a74fe3f57e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3354463e2f9590a380956a737abfd4d18787437714b20d87b92fe3a74fe3f57e
SHA3-384 hash: 0efd1ca895a17a2e70710ed2943a6413ee772979469157122b21aa9f9946227c429b2887502de486e3a59a81743fe3bf
SHA1 hash: fa974530330dee77f1984b879d2168e7c372f876
MD5 hash: efab2f333860426613a27c22e87329e2
humanhash: music-social-blue-william
File name:efab2f333860426613a27c22e87329e2.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:342'224 bytes
First seen:2022-12-26 08:55:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f442c4c2b29757f1b5cfb6ba041da821 (1 x LaplasClipper)
ssdeep 6144:p+leC50xQSJBMc4ijt7FL81ioYcwIe9DkL3pRU51:Mkucpjt7tDU3pRU51
TLSH T154746D5337EAC812F7B947BAAC9116A4A73A7C046F53CBFB2504555C2D332D020AAE5F
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 9084c2d164bccef2 (1 x AgentTesla, 1 x Smoke Loader, 1 x LaplasClipper)
Reporter abuse_ch
Tags:exe LaplasClipper signed

Code Signing Certificate

Organisation:www.dueling.com
Issuer:www.dueling.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-25T09:31:01Z
Valid to:2023-12-25T09:51:01Z
Serial number: 6e51aa6f01ae2b8e4a963fdf0cd2502b
Thumbprint Algorithm:SHA256
Thumbprint: b822cea73461dcc1f8ea2a414185211ac595cd807146fe3407db496c95bc7a71
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
efab2f333860426613a27c22e87329e2.exe
Verdict:
Malicious activity
Analysis date:
2022-12-26 08:58:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f441b89f-2d50-4784-859b-59eb252a53e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.644.31921.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63a961a30e926711fd74b2d9/reports/fad6917c-2ee9-4e56-8467-eda73b177c26/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f0fb26e-d8bd-44b5-aa3d-84610b76b032
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1141047
Signature
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3354463e2f9590a380956a737abfd4d18787437714b20d87b92fe3a74fe3f57e/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-12-26 08:56:07 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnkemprpswikhaevnjzxvp6u2gdyoq3xcsza3b5zf7r2ot7d6v7a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221226-kv1yvafg9y/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
98b2ba05b2a66c305001dd36d3ce95c93cb0c77963a77a9f9141e2a530978685
MD5 hash:
8c9beee3c4b11a840ebb93cc52aa5c0e
SHA1 hash:
a2d1a6ac33a380691e2c66bb0bc4a112ddf7dada
Link:
https://www.unpac.me/results/6cf2b221-ec5c-402e-89e6-f29f7b88377e/
SH256 hash:
3354463e2f9590a380956a737abfd4d18787437714b20d87b92fe3a74fe3f57e
MD5 hash:
efab2f333860426613a27c22e87329e2
SHA1 hash:
fa974530330dee77f1984b879d2168e7c372f876
Link:
https://www.unpac.me/results/6cf2b221-ec5c-402e-89e6-f29f7b88377e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/3354463e2f9590a380956a737abfd4d18787437714b20d87b92fe3a74fe3f57e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

Executable exe 3354463e2f9590a380956a737abfd4d18787437714b20d87b92fe3a74fe3f57e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2486959/
  
Delivery method
Distributed via web download

Comments