MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 539a3681579af9e5c6cfb68628557212083173acd09719c7077c00ea37f91b2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 539a3681579af9e5c6cfb68628557212083173acd09719c7077c00ea37f91b2f
SHA3-384 hash: 2236a73533fc7575418bf7c8552abd315a61f573cb5b1c84e24f7267761fd80319aa66c41602207fcc3997af84148487
SHA1 hash: 638ddbe28f40ed4cc05f5a7ca6753fdb19a2f06b
MD5 hash: b7280d02fa6a49079b7d7f0aea6f3867
humanhash: pip-ceiling-magazine-johnny
File name:539a3681579af9e5c6cfb68628557212083173acd0971.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:1'766'761 bytes
First seen:2023-04-28 19:15:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/uGqKb71mKic6QL3E2vVsjECUAQT45deRV9RN:sBuZrEUz58KIy029s4C1eH9f
Threatray 174 similar samples on MalwareBazaar
TLSH T14F85CF3FF268A13EC56E1B3245739220997BBA61B81A8C1E07FC344DCF765601E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe LaplasClipper


Avatar
abuse_ch
LaplasClipper C2:
185.215.113.54:27914

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
539a3681579af9e5c6cfb68628557212083173acd0971.exe
Verdict:
Malicious activity
Analysis date:
2023-04-28 19:18:06 UTC
Tags:
installer
Link:
https://app.any.run/tasks/ff270389-2d95-42e0-b149-cbbb6e82fbb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385527/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30446.20995.6015.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/81834/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/644c1b72d57805c4110c294b/reports/a0a082ac-3591-4b07-a464-856e175bc8df/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1332545
Link:
https://www.hybrid-analysis.com/sample/539a3681579af9e5c6cfb68628557212083173acd09719c7077c00ea37f91b2f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a79cd783-905c-42ca-b751-b65aeba17253
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
34 / 100
Link:
https://www.joesandbox.com/analysis/1223090
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Obfuscated command line found
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/539a3681579af9e5c6cfb68628557212083173acd09719c7077c00ea37f91b2f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-28 19:16:08 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kondnakxtl46lrwpw2dcqvlsciedc45m2clrtryhpqaoun7zdmxq._file
Verdict:
unknown
Similar samples:
345a58b6a943b3a9235473232e3b07d8259a4a852b6b81c73412bef8a404a2f8
LaplasClipper
3500abcc8f0c8af8f665b03f8bab9c712fe8b4a073ea1f35618e68c7b7075794
LaplasClipper
af7d9d69a2dfbcedc5d2e94cdb681a8ac5356131486129a4ba505a3dc6f2411e
LaplasClipper
b715f22a9e37049d09b06c26ca899c4be3c6c21386f70d6d357b3bd481ee1794
LaplasClipper
ba8e9358ed6bf5b3f2a976850ed3fdccd00ceee0f50a09008b7a957c7c8e2415
LaplasClipper
cbe9dedc91d7a886adf9f3f8a3b01d525279fd935616f10a5eb08f64882f0654
LaplasClipper
ccc6693d703b68b3bd0e697cbff8f1f59cb4b5aed29da770d8000f3dc61917c1
LaplasClipper
+ 164 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230428-xysg4afh89/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/7de5e552-5439-4d3f-97ba-c98c78992448/
SH256 hash:
624bd2507f7beb623652f6b2f856582d17c375d8cd7970541354031826f0a47f
MD5 hash:
ec6a9a70b1dcc7cd560bd53b52ca2ba7
SHA1 hash:
92b155ebc4985dd45b0763e23ce0d833e2e13ed8
Link:
https://www.unpac.me/results/7de5e552-5439-4d3f-97ba-c98c78992448/
SH256 hash:
539a3681579af9e5c6cfb68628557212083173acd09719c7077c00ea37f91b2f
MD5 hash:
b7280d02fa6a49079b7d7f0aea6f3867
SHA1 hash:
638ddbe28f40ed4cc05f5a7ca6753fdb19a2f06b
Link:
https://www.unpac.me/results/7de5e552-5439-4d3f-97ba-c98c78992448/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/539a3681579af9e5c6cfb68628557212083173acd09719c7077c00ea37f91b2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/385527/

Comments