MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ff66e5c542bf9785b98f6b8bdfdf89f7fa3030a83ed192458dafe4cf529cf8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ff66e5c542bf9785b98f6b8bdfdf89f7fa3030a83ed192458dafe4cf529cf8b
SHA3-384 hash: 502457a33b3b70edec77a5081af0e4db52ab6bc1861e99ee4a487c353f0b5abdd8cfd7f7c20a9e33da7edb1ccc519875
SHA1 hash: b199dec737800712a1a853c41a805a76fba6c79d
MD5 hash: 8151569e41f959aa4f1b655a64206ece
humanhash: finch-oxygen-massachusetts-oscar
File name:8151569e41f959aa4f1b655a64206ece.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:5'653'504 bytes
First seen:2022-12-20 09:54:16 UTC
Last seen:2022-12-20 11:32:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 06034380a955222fd337fddcf511d417 (2 x LaplasClipper)
ssdeep 98304:DCdHNYjSb/rHH4ps9ias3iDfRit+1X5/S6mZid5Sm3v9QBH7ywUcbA:0HNYjSjrn4pq0iD+mJ/SRZid5SgcuHwA
Threatray 186 similar samples on MalwareBazaar
TLSH T13A4612BC32843258C02EC9744533DD85F1B165AE56B8D6AABBEBB580BB7F450A503F1C
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe LaplasClipper

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8151569e41f959aa4f1b655a64206ece.exe
Verdict:
Malicious activity
Analysis date:
2022-12-20 09:56:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17bdd708-f08d-4583-9d89-a3afab6afea0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348299/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64388130.6377.10462.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1c2ce620-faab-4d75-9fe3-bcf716437225
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1137835
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 770563 Sample: wBA9QJHVFs.exe Startdate: 20/12/2022 Architecture: WINDOWS Score: 92 25 Snort IDS alert for network traffic 2->25 27 Antivirus detection for URL or domain 2->27 29 Yara detected Laplas Clipper 2->29 31 2 other signatures 2->31 7 edgeTaskUpdater.exe 1 2->7         started        10 wBA9QJHVFs.exe 5 2->10         started        process3 signatures4 33 Writes to foreign memory regions 7->33 35 Allocates memory in foreign processes 7->35 37 Tries to detect virtualization through RDTSC time measurements 7->37 39 Injects a PE file into a foreign processes 7->39 12 AppLaunch.exe 7->12         started        15 conhost.exe 7->15         started        41 Uses schtasks.exe or at.exe to add and modify task schedules 10->41 17 schtasks.exe 1 10->17         started        19 conhost.exe 10->19         started        process5 dnsIp6 23 clipper.guru 45.159.189.79, 80 HOSTING-SOLUTIONSUS Netherlands 12->23 21 conhost.exe 17->21         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ff66e5c542bf9785b98f6b8bdfdf89f7fa3030a83ed192458dafe4cf529cf8b/
Threat name:
Win64.Trojan.Laplasclipper
Create hunting rule
Status:
Malicious
First seen:
2022-12-19 21:23:44 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 22 (81.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p73g4xcufp4xqw4y624l37pyt572gaykqpwrsjcy3l7ez5jjz6fq._file
Verdict:
malicious
Similar samples:
1b06b05b3d03c253f9bfa45fd2d02a982a0dcc4290a531ef0786b9d6092b041c
LaplasClipper
237dfa3dc48e011134c0f69943c0e9e8f416f4fbe13ce4d9bd985bfca140a04b
LaplasClipper
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
LaplasClipper
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
LaplasClipper
adc91b86359875df0149a283a6dbf6c11a9d6e4fd494c1340f20b3324571bdda
LaplasClipper
af8890c3a9430938483b741df88f6806b25f6723713f978aaefb4a8989d6aca9
LaplasClipper
d79a379ce1fcbe1e3548dfde37f6c2591f2ebf8de6c0d0db6f282933e529cf53
LaplasClipper
+ 176 additional samples on MalwareBazaar
Result
Malware family:
laplas
Create hunting rule
Score:
  10/10
Tags:
family:laplas stealer
Link:
https://tria.ge/reports/221220-lxskxscd2s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Laplas Clipper
Malware Config
C2 Extraction:
clipper.guru
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0457e53b-aa94-472e-8a4d-47625e648242
Unpacked files
SH256 hash:
7ff66e5c542bf9785b98f6b8bdfdf89f7fa3030a83ed192458dafe4cf529cf8b
MD5 hash:
8151569e41f959aa4f1b655a64206ece
SHA1 hash:
b199dec737800712a1a853c41a805a76fba6c79d
Link:
https://www.unpac.me/results/10b8dbbb-0501-41cd-aaaf-f95c654efb56/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ff66e5c542b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7ff66e5c542bf9785b98f6b8bdfdf89f7fa3030a83ed192458dafe4cf529cf8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

Executable exe 7ff66e5c542bf9785b98f6b8bdfdf89f7fa3030a83ed192458dafe4cf529cf8b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/348299/
  
URLhaus
https://urlhaus.abuse.ch/url/2469977/
  
Delivery method
Distributed via web download

Comments