MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5138461b9ded244d5a6c962573a011067e01f50a986d22c18b15efc1e4c17d0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5138461b9ded244d5a6c962573a011067e01f50a986d22c18b15efc1e4c17d0f
SHA3-384 hash: c29239991265b6af515acb96d41dbffe3a37e81bbc2fadc48c435cd24280450a9302b1c85d666c4ec5c64a00af5ece39
SHA1 hash: 99ba21231977ca41cf50ac4517825ba43d8989cb
MD5 hash: 86dc6e519b6b69f30a10cf6d4717d75a
humanhash: crazy-failed-music-uniform
File name:86dc6e519b6b69f30a10cf6d4717d75a.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:5'778'096 bytes
First seen:2023-03-06 04:55:16 UTC
Last seen:2023-03-06 06:37:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20fcca9c4f6d6a96b55e9305c9ac59ff (3 x RedLineStealer, 2 x Tofsee, 2 x LaplasClipper)
ssdeep 98304:pMM4Ei5NMwuOOaoi8wt02QseDVEFDVZ3c/quoHNXEjWouU7GVXNdiPS+Jg4fBEuR:pl4bNMjZwK2ODVQDVkMXLDIqXNdvIpEG
Threatray 9 similar samples on MalwareBazaar
TLSH T135462363416122D9C0F9C83D8537FDA7B1F6322A4A91A8B465D979C53F36CF1E213E82
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe LaplasClipper signed

Code Signing Certificate

Organisation:Samsung NET Q32R404FHWI RC65R539FHIZCI
Issuer:Samsung NET Q32R404FHWI RC65R539FHIZCI
Algorithm:sha1WithRSAEncryption
Valid from:2023-02-27T19:26:42Z
Valid to:2033-02-28T19:26:42Z
Serial number: 4becba79344483864db36695181a6f2a
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: feda856e225be18241baeee9f15bc2d59b43c108bc886b96dcb86d8f22c2d913
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
LaplasClipper C2:
193.233.20.27:4123

Intelligence

File Origin
# of uploads :
2
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
86dc6e519b6b69f30a10cf6d4717d75a.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 04:56:56 UTC
Tags:
evasion opendir
Link:
https://app.any.run/tasks/42c96552-91a6-43ff-9621-d5c6071bdc52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371768/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65738514.10794.15140.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Sending an HTTP GET request
Replacing files
DNS request
Sending a custom TCP request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64057264bfec0852a68f8fdc/reports/91489acb-dd5e-4eff-9e3d-dac8a14162d8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5138461b9ded244d5a6c962573a011067e01f50a986d22c18b15efc1e4c17d0f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Fabookie, Glupteba, ManusCrypt, Nymaim,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187503
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Fabookie
Yara detected Glupteba
Yara detected ManusCrypt
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 820379 Sample: Oni0s7R353.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 105 45.12.253.98 CMCSUS Germany 2->105 135 Multi AV Scanner detection for domain / URL 2->135 137 Malicious sample detected (through community Yara rule) 2->137 139 Antivirus detection for URL or domain 2->139 141 21 other signatures 2->141 9 Oni0s7R353.exe 10 56 2->9         started        14 rundll32.exe 2->14         started        16 svchost.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 117 91.215.85.15 PINDC-ASRU Russian Federation 9->117 119 87.240.132.72 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 9->119 123 19 other IPs or domains 9->123 97 C:\Users\...\rglN7J7910sO94vcCGv7uTYb.exe, PE32 9->97 dropped 99 C:\Users\...\qaNMEH5ob49N19__aV5j2e1B.exe, PE32 9->99 dropped 101 C:\Users\...\lb9c17y1GKmTGr7TDV3Pqjj_.exe, PE32 9->101 dropped 103 22 other malicious files 9->103 dropped 177 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->177 179 Creates HTML files with .exe extension (expired dropper behavior) 9->179 181 Disables Windows Defender (deletes autostart) 9->181 185 3 other signatures 9->185 20 EzAOBFHMld0D7O2xsueh0PHY.exe 9->20         started        23 SY9vwyLmu7Ri_ZTUTHXe6rHx.exe 2 9->23         started        25 qaNMEH5ob49N19__aV5j2e1B.exe 9->25         started        33 11 other processes 9->33 29 rundll32.exe 14->29         started        183 Changes security center settings (notifications, updates, antivirus, firewall) 16->183 121 192.168.2.1 unknown unknown 18->121 31 WerFault.exe 18->31         started        file6 signatures7 process8 dnsIp9 61 C:\Windows\Temp\321.exe, PE32 20->61 dropped 63 C:\Windows\Temp\1234.exe, PE32 20->63 dropped 65 C:\Windows\Temp\123.exe, PE32 20->65 dropped 35 123.exe 20->35         started        38 321.exe 20->38         started        67 C:\Users\user\AppData\Local\...\is-88PUK.tmp, PE32 23->67 dropped 42 is-88PUK.tmp 23->42         started        125 172.67.222.163 CLOUDFLARENETUS United States 25->125 127 188.114.96.3 CLOUDFLARENETUS European Union 25->127 69 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 25->69 dropped 75 5 other malicious files 25->75 dropped 153 Tries to steal Mail credentials (via file / registry access) 25->153 155 Tries to harvest and steal browser information (history, passwords, etc) 25->155 157 Writes to foreign memory regions 29->157 159 Allocates memory in foreign processes 29->159 161 Creates a thread in another existing process (thread injection) 29->161 129 149.154.167.99 TELEGRAMRU United Kingdom 33->129 131 23.254.227.202 HOSTWINDSUS United States 33->131 133 7 other IPs or domains 33->133 71 C:\Users\...\jxHeQSWXWbbGYDK3y_X0Iv1X.exe, PE32 33->71 dropped 73 C:\Users\user\AppData\...\svcservice.exe, PE32 33->73 dropped 77 4 other malicious files 33->77 dropped 163 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 33->163 165 Maps a DLL or memory area into another process 33->165 167 Checks if the current machine is a virtual machine (disk enumeration) 33->167 169 Injects a PE file into a foreign processes 33->169 44 photo77.exe 33->44         started        46 675rgiI1jECEv1LKXcn6sAI7.exe 33->46         started        48 WerFault.exe 33->48         started        50 3 other processes 33->50 file10 signatures11 process12 dnsIp13 143 Multi AV Scanner detection for dropped file 35->143 145 Writes to foreign memory regions 35->145 147 Allocates memory in foreign processes 35->147 149 Injects a PE file into a foreign processes 35->149 52 conhost.exe 35->52         started        107 127.0.0.1 unknown unknown 38->107 79 C:\Users\user\AppData\...\DownloadMetadata, PDP-11 38->79 dropped 151 Tries to harvest and steal browser information (history, passwords, etc) 38->151 81 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->81 dropped 83 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 42->83 dropped 85 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 42->85 dropped 93 7 other files (5 malicious) 42->93 dropped 54 FRec36.exe 42->54         started        87 C:\Users\user\AppData\Local\...\photi64.exe, PE32 44->87 dropped 89 C:\Users\user\AppData\Local\...\image59.exe, PE32 44->89 dropped 58 image59.exe 44->58         started        91 C:\Users\user\AppData\Local\Temp\db.dll, PE32 46->91 dropped 109 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 48->109 file14 signatures15 process16 dnsIp17 111 45.12.253.56 CMCSUS Germany 54->111 113 45.12.253.72 CMCSUS Germany 54->113 115 45.12.253.75 CMCSUS Germany 54->115 95 C:\Users\user\AppData\...95edRfMRne2.exe, PE32 54->95 dropped 171 Detected unpacking (changes PE section rights) 58->171 173 Detected unpacking (overwrites its own PE header) 58->173 175 Disable Windows Defender notifications (registry) 58->175 file18 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5138461b9ded244d5a6c962573a011067e01f50a986d22c18b15efc1e4c17d0f/
Threat name:
Win32.Infostealer.PrivateLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-02 00:39:02 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ke4emg455use2wtmsysxhiaraz7ad5iktbwsfqmlcxx4dzgbpuhq._file
Verdict:
malicious
Similar samples:
23c07eb780fc204fc9a5affdb4247fe72d1fdf10e081bf8095a5e2fd597422c4
LaplasClipper
3e8ac08892d633b002ebe862b10025b870e33a7a69435886c2203aa352fd2025
LaplasClipper
49d4689b5641b161f0ab00aa490ea276fcab2128cb33d802fab9154b83516569
LaplasClipper
5ca0e870b471602e5a5fd8e99d7e1821f12bcdccbd86bfbb240627895ad36419
LaplasClipper
67a95e8478140adae734fd001ef1604be1370201df0c7897c42fae643730c7c3
LaplasClipper
a777c3095983c8f298af961c4414ca0d6daa942f6136f4a8c950f11cf13fb1b2
LaplasClipper
ca10c218c7ed12f56148c11d31a0698c8d232064faba12402c16b70f7e34bf55
LaplasClipper
d9138283041d58f85b1e3a19e450bd26e8dac1df4e1a5a9df44fd7b7ec9ac06a
LaplasClipper
de905b4833434a3f8065f6b05b28b0d44465386052f86223fbdacd53b0278986
LaplasClipper
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader spyware stealer
Link:
https://tria.ge/reports/230306-fkpevaag56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SH256 hash:
b3e2249be0370d7ee011e97fdd71878f8adea20b744368741f5b2b28f1b56ce7
MD5 hash:
f95deac7b5ee43b4e926456e1e0b364a
SHA1 hash:
a4761344133769ea4420e214f77f2de26a30d9e4
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/6386174b-b308-438c-8ae7-240ca01ab537/
SH256 hash:
5138461b9ded244d5a6c962573a011067e01f50a986d22c18b15efc1e4c17d0f
MD5 hash:
86dc6e519b6b69f30a10cf6d4717d75a
SHA1 hash:
99ba21231977ca41cf50ac4517825ba43d8989cb
Link:
https://www.unpac.me/results/6386174b-b308-438c-8ae7-240ca01ab537/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5138461b9ded/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5138461b9ded244d5a6c962573a011067e01f50a986d22c18b15efc1e4c17d0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371768/

Comments