MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a0501d96e313d2df39c38516aef7b5283a4f2979a4377f0f54e110d69de8e40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LaplasClipper

Vendor detections: 10

Intelligence 10 IOCs YARA 9 File information Comments

SHA256 hash:	5a0501d96e313d2df39c38516aef7b5283a4f2979a4377f0f54e110d69de8e40
SHA3-384 hash:	95e4e394645f058f530cf4dce395914f5a7f8fb81eb55961046467080320e4a3a05d5c2488ddb3ab3e37f2847c2a059a
SHA1 hash:	138205f761dd153d83a40935e9d61ea74b664478
MD5 hash:	6ae7c8af8b5d7d38a38661dead883de8
humanhash:	six-oxygen-burger-thirteen
File name:	6ae7c8af8b5d7d38a38661dead883de8.exe
Download:	download sample
Signature	LaplasClipper Create hunting rule
File size:	10'485'760 bytes
First seen:	2023-02-23 03:00:28 UTC
Last seen:	2023-02-23 04:27:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8644c121c872427eb396f62148006088 (1 x LaplasClipper)
ssdeep	196608:vv6fpeoEnI1ZIp2lHxVKFEUxRxCSZI4i3hDqkz4d7QHyiLuadP2wN/tfIKSxN6/g:vvOfZU2XUzoSZI4iMkcdqricP2whR8Nb
Threatray	824 similar samples on MalwareBazaar
TLSH	T158B6332BC0AB5E83CAB4C2F1EB78C5C8162F65AB155A88EFB55FD13409712839FC7584
File icon (PE):
dhash icon	e090a1909c9a9a8c (1 x LaplasClipper)
Reporter	abuse_ch
Tags:	exe LaplasClipper

abuse_ch

LaplasClipper C2:
http://45.153.184.112/bot/regex

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6ae7c8af8b5d7d38a38661dead883de8.exe

Verdict:

Malicious activity

Analysis date:

2023-02-23 03:03:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e483d11c-7e48-438c-a760-e27886a0314a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/369152/

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.6153.13005.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker gomal greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63f6d6ef01b99ad33e82c458/reports/a4a9ab65-3f10-4fcf-8827-95d7b2694882/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/5a0501d96e313d2df39c38516aef7b5283a4f2979a4377f0f54e110d69de8e40

Result

Verdict:

MALICIOUS

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fb7aa985-91d2-4b0e-8b07-4d3bceb16d08

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1181034

Signature

Contains functionality to detect virtual machines (IN, VMware)

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a0501d96e313d2df39c38516aef7b5283a4f2979a4377f0f54e110d69de8e40/

Threat name:

Win64.Trojan.ClipBanker

Status:

Malicious

First seen:

2023-02-20 03:24:04 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 39 (41.03%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=licqdwloge6s3444hbiwv333kkb2j4uxtjbxp4hvjyiq22o6rzaa._file

Verdict:

malicious

LaplasClipper

4c5df62f8def903996e0ef87669e1f66f24c1c922d1281f7eb83a91373d6dba9

LaplasClipper

8ac5c11ba9b64658cf080e1d05cbb594fdd4cdaef46db4da24a5a5d809bb50e6

LaplasClipper

a08decf9a9fd94df4e235da6bc1e8bb7444984de5f9016033f2aa89d690bb9b9

LaplasClipper

a7cedf03ed3d9bd778d99dec68f8e1e6653021b527bce475e88060127940e2d0

LaplasClipper

c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7

LaplasClipper

c515446567eb17bbcfcef6bf1a4ed436674df485b5b77b877ab83ac157b60808

LaplasClipper

e8e2c3c6d6db55f6c80fbf0b272933428bc5fe62a52732bf6c38aefe40894f88

LaplasClipper

f108dd568dcb4f08c5986c31eaac74e41cb59bc69db87d17a1033016308beed5

LaplasClipper

fc52bdc35a10badcd4f88cd91d0c071bc05520c78097501f5f23fd5114e15e64

LaplasClipper

+ 814 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/230223-dhwd9see53/

Behaviour

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

5a0501d96e313d2df39c38516aef7b5283a4f2979a4377f0f54e110d69de8e40

MD5 hash:

6ae7c8af8b5d7d38a38661dead883de8

SHA1 hash:

138205f761dd153d83a40935e9d61ea74b664478

Link:

https://www.unpac.me/results/83671b37-bf57-47d9-aa4a-7ec382201412/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/5a0501d96e313d2df39c38516aef7b5283a4f2979a4377f0f54e110d69de8e40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/369152/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample