MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49d4689b5641b161f0ab00aa490ea276fcab2128cb33d802fab9154b83516569. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LaplasClipper


Vendor detections: 16



SHA256 hash: 49d4689b5641b161f0ab00aa490ea276fcab2128cb33d802fab9154b83516569
SHA3-384 hash: dace9ff28f408aea355c2914d3c0ebe02f0dd312796665c3dbd9dcbc5fdc649a3fc045cfd147c11715bcd46ce959dcc1
SHA1 hash: 1b0b21207777bed6e187adfdf9d3b2d1db40e298
MD5 hash: 6e494069f55de7049a5699dd72301b4b
humanhash: oven-illinois-london-seventeen
File name: 6e494069f55de7049a5699dd72301b4b.exe
Signature: LaplasClipper
File size: 5'763'080 bytes
First seen: 2023-02-23 03:20:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f540b6d6dcfc33b21d0deb0ccba24751 (3 x RedLineStealer, 2 x PrivateLoader, 2 x Amadey)
ssdeep 98304:6BkLi3hdqYnPhrisRYrS806k+tPhAxw8qmVoaDwyqXyR2me7Pi2YazxTYB/y2kZZ:6BUimURi506phmVonCMPTzxMB/WVn
Threatray 6 similar samples on MalwareBazaar
TLSH T150462323E36508D7DCA48934883B7FE073F5D5664991D77B269A66CA7E3B1B4AC03803
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon d4d0c0e49892b2a2 (1 x PrivateLoader, 1 x LaplasClipper, 1 x RedLineStealer)
Reporter abuse_ch
Tags: exe LaplasClipper signed

Code Signing Certificate

Organisation: HDD`WOW Toshiba SATA-III 12Tb HDWG460EZSTA N300 (7200rpm) 1568`Mb 1.5 Rtl
Issuer: HDD`WOW Toshiba SATA-III 12Tb HDWG460EZSTA N300 (7200rpm) 1568`Mb 1.5 Rtl
Algorithm: sha1WithRSAEncryption
Valid from: 2023-02-16T17:39:55Z
Valid to: 2033-02-17T17:39:55Z
Serial number: 1701f2ecbdc601b24b8fbbe631f75b99
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 59d4a20948fee2d525022241ca0f405f7cd461740df308547f438f8382f41c2e
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
LaplasClipper C2:
51.89.204.181:22299

Intelligence


File Origin
# of uploads: 1
# of downloads: 283
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 6e494069f55de7049a5699dd72301b4b.exe
Verdict: Malicious activity
Analysis date: 2023-02-23 03:22:01 UTC
Tags: evasion opendir loader trojan rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
Sending an HTTP GET request
Replacing files
DNS request
Sending a custom TCP request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Forced system process termination
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware overlay packed raccoon shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Fabookie, Glupteba, Nymaim, Priv
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates an autostart registry key pointing to binary in C:\Windows
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops PE files with benign system names
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Glupteba
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: [process and network graph not reproduced] Behavior Graph ID: 813874, Sample: 7pjhVL87ft.exe, Startdate: 23/02/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-02-18 22:53:14 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 19 of 39 (48.72%)
Threat level: 5/5
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer vmprotect
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
VMProtect packed file
PrivateLoader
Unpacked files
SHA256 hash: 49d4689b5641b161f0ab00aa490ea276fcab2128cb33d802fab9154b83516569
MD5 hash: 6e494069f55de7049a5699dd72301b4b
SHA1 hash: 1b0b21207777bed6e187adfdf9d3b2d1db40e298
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments