MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ea5061e9ebeb45f7ef962d1566d74fdbfdaf81cfff399d22aeb1605e2501f11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LaplasClipper

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	7ea5061e9ebeb45f7ef962d1566d74fdbfdaf81cfff399d22aeb1605e2501f11
SHA3-384 hash:	c410c9965cfc78cc4cdddd6986837eac17310ac22458167f7596723e498f78c327a6f79c227c0adf90979d2abf503133
SHA1 hash:	1a09f227dd35b01abb2a0318fa4b1dd74349ea13
MD5 hash:	83554c48c989188a5483b8cac98bd4ee
humanhash:	arizona-massachusetts-single-jupiter
File name:	sample.exe
Download:	download sample
Signature	LaplasClipper Create hunting rule
File size:	250'880 bytes
First seen:	2023-03-17 03:12:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4b2faf5e2157c756cf2fd31d6cfd3d44 (4 x Stop, 4 x Smoke Loader, 4 x Rhadamanthys)
ssdeep	6144:VbfmTinRvgDPVY7Rae8Vkpv9qmo3hLhJ:VbfmGnZgJYqVNB9
Threatray	1 similar samples on MalwareBazaar
TLSH	T15434B04393D47C64F5228B719E2FC3F87B1EB4138E796FAB22145A6B08712A2D16F711
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0443511401221201 (1 x LaplasClipper)
Reporter	Chainskilabs
Tags:	exe LaplasClipper

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

sample.exe

Verdict:

Malicious activity

Analysis date:

2023-03-17 03:15:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/43f309c0-250d-438e-88b2-71f7340766ed

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/374936/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Sending a custom TCP request

Creating a process from a recently created file

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending an HTTP GET request to an infection source

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6413dabf3b01ade53e6ed8d2/reports/e3c5f83f-c717-49a6-a155-aad03683125f/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/7ea5061e9ebeb45f7ef962d1566d74fdbfdaf81cfff399d22aeb1605e2501f11

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f0a285c-1d97-4f5e-bcdf-e3ee969d1392

Result

Threat name:

Laplas Clipper

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1195488

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Laplas Clipper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7ea5061e9ebeb45f7ef962d1566d74fdbfdaf81cfff399d22aeb1605e2501f11/

Threat name:

Win32.Trojan.Vidar

Status:

Malicious

First seen:

2023-03-17 03:13:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p2sqmhu6x22f67xzmlivm3lu7w75v6a477zzturk5mlalysqd4iq._file

Verdict:

malicious

LaplasClipper

Result

Malware family:

laplas

Score:

10/10

Tags:

family:laplas clipper persistence stealer

Link:

https://tria.ge/reports/230317-dqq5hsea53/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Laplas Clipper

Malware Config

C2 Extraction:

http://45.159.189.105

Unpacked files

SH256 hash:

dbfa2baa1dfd84d8932061fc19e1a4f521e8bfd08bbde36cf598ae94c0dc4160

MD5 hash:

3e8bb8950fd7ed1899800b56298e87db

SHA1 hash:

4e5f2cfc8ad4b42d995e7784d66aa2d937470aec

Link:

https://www.unpac.me/results/2a22ee44-cc54-4d8f-af2c-b01a59ee17b8/

SH256 hash:

7ea5061e9ebeb45f7ef962d1566d74fdbfdaf81cfff399d22aeb1605e2501f11

MD5 hash:

83554c48c989188a5483b8cac98bd4ee

SHA1 hash:

1a09f227dd35b01abb2a0318fa4b1dd74349ea13

Link:

https://www.unpac.me/results/2a22ee44-cc54-4d8f-af2c-b01a59ee17b8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7ea5061e9ebeb45f7ef962d1566d74fdbfdaf81cfff399d22aeb1605e2501f11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com