MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34ec272be14b0de074ccaa9a4b2996e6e92579f94905ed20f3370d39e41fd2a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LaplasClipper

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	34ec272be14b0de074ccaa9a4b2996e6e92579f94905ed20f3370d39e41fd2a3
SHA3-384 hash:	c4f4e2b170d05d85624a858608c2382c59d1dd5e8da337c3861d53e0453e0590eedb6cce007bb2bba5492e7afd0002a0
SHA1 hash:	cd8ae9ab0174f37dc93cb7dd5cac0112bc3390c8
MD5 hash:	aebc23ddaebc52a65e8b8ffde10a676a
humanhash:	moon-nevada-sodium-lion
File name:	aebc23ddaebc52a65e8b8ffde10a676a.exe
Download:	download sample
Signature	LaplasClipper Create hunting rule
File size:	5'003'032 bytes
First seen:	2023-02-19 03:16:01 UTC
Last seen:	2023-02-19 04:28:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	92c98556c0103feddd9baeb413d8446b (2 x Arechclient2, 2 x LaplasClipper, 1 x SystemBC)
ssdeep	98304:vl2bKPoQDDFmgy6IYUtD+5TK6h7vO7TGMzy3jJkv8G6MRL9M:DJUaIYUtDAb7Giqy308G6GC
Threatray	156 similar samples on MalwareBazaar
TLSH	T11336F18576F296C3E697DA702701BA61B6471CF34B26F5F58B3380402AFB6644C6738B
TrID	42.7% (.EXE) Win32 Executable (generic) (4505/5/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe LaplasClipper

abuse_ch

LaplasClipper C2:
http://185.223.93.223/bot/regex

Intelligence

File Origin

# of uploads :

# of downloads :

262

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aebc23ddaebc52a65e8b8ffde10a676a.exe

Verdict:

Malicious activity

Analysis date:

2023-02-19 03:19:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2630f7d5-f4ba-4ae9-b292-b9522151d639

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/368183/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65042910.23000.31623.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/71695/overview

Behaviour

MalwareBazaar

MeasuringTime

AntidebugCommonApi

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/63f1947401b99ad33e7e63a8/reports/502c99a5-97ab-4b40-8c37-80572f73019f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/34ec272be14b0de074ccaa9a4b2996e6e92579f94905ed20f3370d39e41fd2a3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Titan Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b951f570-e281-4eb6-bf1d-616660db564b

Result

Threat name:

Laplas Clipper

Detection:

malicious

Classification:

spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1178757

Signature

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Laplas Clipper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34ec272be14b0de074ccaa9a4b2996e6e92579f94905ed20f3370d39e41fd2a3/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-01-18 03:36:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 39 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gtwcok7bjmg6a5gmvknewkmw43usk6pzjec62ihtg4gttza72krq._file

Verdict:

malicious

LaplasClipper

2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29

LaplasClipper

712c853955c56e27e3e4538978fa89018cdc5e5f56944ea0da2fc1a672adc73c

LaplasClipper

91cb8db5d8281dd6d039e981cb95d39698252373c43360ba5983aa8607e449fa

LaplasClipper

9ee2809bf58255e50d290f296b404ba79c4c3593fc48e5c125d4fb33eec23c69

LaplasClipper

b06c5fb7651b8a6c683b62babcabd18da4d992f7d1e0f963c530832b18feacf4

LaplasClipper

c82be6d39f5dfcf23581234b22352895844b5aebb79798b3d6bd1eaf22560925

LaplasClipper

d994d8264d8511cb16ce67ed790a7896d0dbbe44d36eaffb43643ff34f3dc177

LaplasClipper

f896fb8727bf4875b091c1e1f8c20c861e8887a751ebc9922d65e8750c4ed2a8

LaplasClipper

fadd57bfef9fe4d5a74bc4a5a23e7218c7390d7b1954c0dfed8df2eaea1f6b2f

LaplasClipper

+ 146 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/230219-dsgnvsee26/

Behaviour

GoLang User-Agent

Suspicious use of WriteProcessMemory

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

34ec272be14b0de074ccaa9a4b2996e6e92579f94905ed20f3370d39e41fd2a3

MD5 hash:

aebc23ddaebc52a65e8b8ffde10a676a

SHA1 hash:

cd8ae9ab0174f37dc93cb7dd5cac0112bc3390c8

Link:

https://www.unpac.me/results/f6d4157e-65d3-4415-82a4-f4481abd1e95/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/34ec272be14b0de074ccaa9a4b2996e6e92579f94905ed20f3370d39e41fd2a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/368183/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample