MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 7


Intelligence 7 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648
SHA3-384 hash: 1e4b3033a52bec9b33984539ca567fc3f7bbba8ae694ed6dfdcad514db593b65cae7b40b3abbd8cdc305100493bc81eb
SHA1 hash: ea8aeee11c243e3eacfa6753f708c20cbba39aac
MD5 hash: 0f6ef96c5e687631ef27f1dcd1afe7b4
humanhash: apart-mobile-timing-nitrogen
File name:0f6ef96c5e687631ef27f1dcd1afe7b4
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:12'684'504 bytes
First seen:2022-12-09 09:04:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f20145218f8ed6aecc62233c748b3dfb (2 x LaplasClipper)
ssdeep 196608:dwT9pIuAU3qr4DZDZWHvmwIHEQWiXkOSsCYSwD8Qtwi85lW:wv6YDWHvm3HznXk+C12t45lW
Threatray 440 similar samples on MalwareBazaar
TLSH T191D6CF51FAD780B5D60359300467A2BF63307D099B24DBE7EA507FAAE837AE10E33549
gimphash 3660923822578bbd6aef3a741ddef6921337e207f284d2f3bf15d8917798df01
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f0dc9e33a386c4f0 (1 x LaplasClipper)
Reporter zbetcheckin
Tags:32 exe LaplasClipper signed

Code Signing Certificate

Organisation:enormous company
Issuer:enormous company
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-08T01:13:42Z
Valid to:2023-12-08T01:33:42Z
Serial number: 6217e9c685d322b141d249412ba9a623
Thumbprint Algorithm:SHA256
Thumbprint: 93940ce1f70eef1d36bc9f502f5c021edb785aea065eb0c8f92ca3edb01e9240
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344644/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.24479.4986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
golang greyware overlay packed
Link:
https://www.filescan.io/uploads/6392fa4004e0e79bdf41c027/reports/3160c7ad-f83e-41c9-9d11-eb9376984ac0/overview
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c2e879f7-25e0-4b7c-91af-79f154555508
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1131300
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic
Tries to evade analysis by execution special instruction (VM detection)
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2022-12-08 11:29:20 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ha4buquxkauldakdbkanmaezrdinbt5eesj5h3537nznhk7jozea._file
Verdict:
malicious
Similar samples:
354ff86b7dccc955b7ce0239141ef93f4aee741f48cd02e2c3341e711f1bf370
LaplasClipper
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
LaplasClipper
c5b4ef6efd9f7da867cceb90761c47c62e882bce0cc20ca88f5f73fb7308c01c
LaplasClipper
c75b21d9f3189b648b2b83dae0fb48e49eb5458e8c3c5cfbdbcac460b43acc32
LaplasClipper
c86e30382131951485a3f60819910ce781f1a2fd55967c1565a74861e3026815
LaplasClipper
d72645347b3fa6134cc416b6b9d73eec9d4ef2af4dbf26c6b91da795144c394c
LaplasClipper
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b
LaplasClipper
eed25e577021fe8f43b3b78c7ce7bd0ec0087fd53258536f262533d0cae4177f
LaplasClipper
+ 430 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/221209-k1622scg59/
Behaviour
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4e7a0e2d-89af-4f71-95c8-9d639677522f
Unpacked files
SH256 hash:
38381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648
MD5 hash:
0f6ef96c5e687631ef27f1dcd1afe7b4
SHA1 hash:
ea8aeee11c243e3eacfa6753f708c20cbba39aac
Link:
https://www.unpac.me/results/69300f50-d542-421f-a925-b8c8d08984b3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38381a429750/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/38381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_bin
Create hunting rule
Author:Jonathan Cole
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_build_id_strings
Create hunting rule
Author:Jonathan Cole
Description:Matches on string Golang build ID
Rule name:go_binary
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

Executable exe 38381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/344644/
  
URLhaus
https://urlhaus.abuse.ch/url/2452280/

Comments


Avatar
zbet commented on 2022-12-09 09:04:24 UTC

url : hxxp://ripple-wells-2022.net/n8exrcvvse1m2/avicapn32.exe