MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57688ebad140cf112323fd5b1fc4fbe573603f6c4f16e8d8a50d6e1f75100bf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LaplasClipper

Vendor detections: 9

Intelligence 9 IOCs YARA 11 File information Comments

SHA256 hash:	57688ebad140cf112323fd5b1fc4fbe573603f6c4f16e8d8a50d6e1f75100bf8
SHA3-384 hash:	386519679789facf2bd46e1ae695707e82bfcb3c56ee22016450d25941f454b57959c7131c2d36b472bcdbb284f277a0
SHA1 hash:	b0b87a94c42dfafaa913ed3b8ecae5410ec48e8c
MD5 hash:	2de83135f9c732a1563ba36d73444109
humanhash:	fillet-india-cold-freddie
File name:	SecuriteInfo.com.Variant.Lazy.208008.18204.7130
Download:	download sample
Signature	LaplasClipper Create hunting rule
File size:	4'710'400 bytes
First seen:	2023-04-11 10:29:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	98304:GPsyAq0rTgjHLNieY4KejbEJp2s/FrIz+bAKsB5krAwCsqfGKOr:GPMqC+HtTK4Y6wdLyzwChir
Threatray	6 similar samples on MalwareBazaar
TLSH	T13126338E5E31E130EC44B4B0D9E3913C67C9CB0D2A1FDA375A4352928D1B6DFB25672A
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	SecuriteInfoCom
Tags:	exe LaplasClipper

Intelligence

File Origin

# of uploads :

# of downloads :

242

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Lazy.208008.18204.7130

Verdict:

Malicious activity

Analysis date:

2023-04-11 10:46:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fa4e99aa-7032-4487-ab32-34b6f773c8eb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/381416/

Detection(s):

SecuriteInfo.com.Variant.Lazy.208008.18204.7130.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a file in the %AppData% subdirectories

DNS request

Creating a process from a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker packed

Link:

https://www.filescan.io/uploads/643536aef17a8f86fc8c9ae7/reports/9243f1fc-b6a3-467f-9b82-9cd0c80e5886/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/57688ebad140cf112323fd5b1fc4fbe573603f6c4f16e8d8a50d6e1f75100bf8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1e52907d-97a3-4445-a996-67cfd79f0836

Result

Threat name:

Laplas Clipper

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1211679

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Yara detected Laplas Clipper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/57688ebad140cf112323fd5b1fc4fbe573603f6c4f16e8d8a50d6e1f75100bf8/

Threat name:

Win64.Trojan.Lazy

Status:

Malicious

First seen:

2023-04-11 08:43:45 UTC

File Type:

PE+ (Exe)

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k5ui5owridhrcizd7vnr7rh34vzwap3mj4lorwffbvxb65iqbp4a._file

Verdict:

suspicious

LaplasClipper

5a0501d96e313d2df39c38516aef7b5283a4f2979a4377f0f54e110d69de8e40

LaplasClipper

7346cbcf43050e88c5e75cd08656b6da4c4db4c07c72c9888f0cee37a2f21c97

LaplasClipper

94d2ad113de21287251ed4ac1faed0cc6119cb5c3a4734cc7ac6583e01e708f0

LaplasClipper

e3cb48e5a91062c073844676d319598ced84650b3f8a0df01da752b6a585094f

LaplasClipper

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/230411-mjtfqsbh26/

Behaviour

GoLang User-Agent

Suspicious use of WriteProcessMemory

Adds Run key to start application

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

57688ebad140cf112323fd5b1fc4fbe573603f6c4f16e8d8a50d6e1f75100bf8

MD5 hash:

2de83135f9c732a1563ba36d73444109

SHA1 hash:

b0b87a94c42dfafaa913ed3b8ecae5410ec48e8c

Link:

https://www.unpac.me/results/f7444ff0-b288-4d2d-892e-b16db131f116/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/57688ebad140cf112323fd5b1fc4fbe573603f6c4f16e8d8a50d6e1f75100bf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_duffcopy Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

exe 57688ebad140cf112323fd5b1fc4fbe573603f6c4f16e8d8a50d6e1f75100bf8

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2605441/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/381416/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample