MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 16


Intelligence 16 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
SHA3-384 hash: 7f18801262cec8e9d8bf9edc95c183b44663bcbbdfa2b254671b66e47ef9bdf9afa2d07b9d2ec0a936214a293a8ba4aa
SHA1 hash: 8c7c1efd47044f1d31cee78ea6c73df1a9296dea
MD5 hash: fe2457d4da43adde492576a91398086e
humanhash: speaker-ack-saturn-uranus
File name:fe2457d4da43adde492576a91398086e
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:9'068'032 bytes
First seen:2023-03-21 18:38:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:pKnK6YN8UMtKNKogIHvueIxgfSZJxUu3INODRUgeCseICR7NWm8qpHakXvLQh0/o:on1YN8dKNcJxtISeCrXv0W/qpDRX5L
Threatray 126 similar samples on MalwareBazaar
TLSH T15F965C52F99777B1D90218303132737F1B20DF394B24CA9BC9507EA9EB72BA214365E9
gimphash 58592647cba28de5eed2023dd11efb011e3ee2aba950d4a6e22a4b0218e6b443
TrID 54.8% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
20.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.6% (.SCR) Windows screen saver (13097/50/3)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter abuse_ch
Tags:exe fe2457d4da43adde492576a91398086e LaplasClipper

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
fe2457d4da43adde492576a91398086e
Verdict:
Malicious activity
Analysis date:
2023-03-21 18:41:15 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/f1073d6e-7318-4572-be10-8750382a647c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd.exe golang greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/6419f9c8109d4db51669fa2c/reports/61c3c36d-375d-4d7c-8f65-2152f031be36/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
Result
Verdict:
MALICIOUS
Malware family:
Titan Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6507e594-263b-42d7-a7d9-cd622033d622
Result
Threat name:
MinerDownloader, Laplas Clipper, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1198817
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 831722 Sample: c8CgkorKWH.exe Startdate: 21/03/2023 Architecture: WINDOWS Score: 100 84 pastebin.com 2->84 100 Snort IDS alert for network traffic 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 Antivirus detection for URL or domain 2->104 106 16 other signatures 2->106 13 c8CgkorKWH.exe 4 2->13         started        16 ntlhost.exe 2->16         started        signatures3 process4 file5 80 C:\Users\user\AppData\Roaming\...\c1.exe, PE32 13->80 dropped 82 C:\Users\user\AppData\...\Shelds32.exe, PE32 13->82 dropped 18 Shelds32.exe 4 13->18         started        22 c1.exe 1 2 13->22         started        process6 file7 68 C:\Users\user\AppData\Roaming\...\m1.exe, PE32 18->68 dropped 70 C:\Users\user\AppData\Roaming\...\f1.exe, PE32 18->70 dropped 108 Antivirus detection for dropped file 18->108 110 Multi AV Scanner detection for dropped file 18->110 112 Machine Learning detection for dropped file 18->112 24 m1.exe 18->24         started        27 f1.exe 18->27         started        72 C:\Users\user\AppData\Roaming\...\ntlhost.exe, PE32 22->72 dropped 29 ntlhost.exe 22->29         started        signatures8 process9 signatures10 116 Multi AV Scanner detection for dropped file 24->116 118 Machine Learning detection for dropped file 24->118 120 Writes to foreign memory regions 24->120 31 RegSvcs.exe 24->31         started        34 WerFault.exe 24->34         started        122 Allocates memory in foreign processes 27->122 124 Injects a PE file into a foreign processes 27->124 36 RegSvcs.exe 14 5 27->36         started        39 WerFault.exe 20 9 27->39         started        126 Antivirus detection for dropped file 29->126 process11 dnsIp12 130 Writes to foreign memory regions 31->130 132 Injects a PE file into a foreign processes 31->132 41 AppLaunch.exe 31->41         started        46 conhost.exe 31->46         started        86 91.193.43.63, 49695, 81 ITFPL Belgium 36->86 88 api.ip.sb 36->88 134 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->134 136 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->136 138 Tries to harvest and steal browser information (history, passwords, etc) 36->138 140 Tries to steal Crypto Currency Wallets 36->140 signatures13 process14 dnsIp15 90 github.com 140.82.121.4, 443, 49688, 49689 GITHUBUS United States 41->90 92 raw.githubusercontent.com 185.199.108.133, 443, 49690, 49692 FASTLYUS Netherlands 41->92 94 pastebin.com 172.67.34.170, 443, 49687 CLOUDFLARENETUS United States 41->94 74 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 41->74 dropped 76 C:\ProgramData\Dllhost\dllhost.exe, PE32 41->76 dropped 78 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 41->78 dropped 128 Sample is not signed and drops a device driver 41->128 48 cmd.exe 41->48         started        51 cmd.exe 41->51         started        53 cmd.exe 41->53         started        file16 signatures17 process18 signatures19 96 Encrypted powershell cmdline option found 48->96 98 Uses schtasks.exe or at.exe to add and modify task schedules 48->98 55 powershell.exe 48->55         started        58 conhost.exe 48->58         started        60 conhost.exe 51->60         started        62 schtasks.exe 51->62         started        64 conhost.exe 53->64         started        process20 signatures21 114 Query firmware table information (likely to detect VMs) 55->114 66 wermgr.exe 55->66         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 18:39:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qks5hawdwt7c4f7qtlzw34qpdzj3xc3rfstppl42cwdbwohzd4sa._file
Verdict:
malicious
Similar samples:
0ed511322e4229b80c693f44bddfc44a351b3986d7fd14026ffd1f41962d734d
LaplasClipper
1587857ad744c322a2b32731cdd48d98eac13f8aa8ff2f2afb01ebba88d15359
LaplasClipper
2297b0cced9fde691e8f430d0198f76227b3e617658a6119753d942f9677f589
LaplasClipper
291003d022e462dc6ece1e0d6cf6a636520060358683596b71623f1c71a539c3
LaplasClipper
57969c17dec58c9fa8fd79b063900cac9d4e91fc96105c7a185cab010a9893b2
LaplasClipper
58b415a4211b4ab0714cb45cfc92cc793c3f6ad8b1413c5f8320cfc77b5d2868
LaplasClipper
82d011953a7743aef8d380c46177a5c9c9c56e0d9408f47a11eb7443be912e51
LaplasClipper
9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5
LaplasClipper
c82be6d39f5dfcf23581234b22352895844b5aebb79798b3d6bd1eaf22560925
LaplasClipper
f896fb8727bf4875b091c1e1f8c20c861e8887a751ebc9922d65e8750c4ed2a8
LaplasClipper
+ 116 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:laplas family:redline botnet:fm clipper infostealer stealer
Link:
https://tria.ge/reports/230321-xal1eace55/
Behaviour
GoLang User-Agent
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Laplas Clipper
RedLine
Malware Config
C2 Extraction:
http://79.137.199.252
91.193.43.63:81
Unpacked files
SH256 hash:
4898b1b6f555a8d1bff04cd681fdd92c2cc9c23e2954cf6296db8a3f3403e15d
MD5 hash:
3120b6d793ace555ccefbe71d35801ca
SHA1 hash:
650019a9c3efc9886c39ee3f38395fe6eddc000f
Link:
https://www.unpac.me/results/3c6c21fd-bbd9-46f9-b3c7-26b910c625c5/
SH256 hash:
f56cab37d108cedc25eb996955e1090181f8331a2f07506f2f9e35c3fb55c5c1
MD5 hash:
ba118f23ab57247ffb8aa852b748babc
SHA1 hash:
c3df36f696b0321a2c3d502a7a51b22c4e0649b3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3c6c21fd-bbd9-46f9-b3c7-26b910c625c5/
Parent samples :
82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
6f17df45dd876aaedc0551c4acd7f22d26195fecff94c86aa38f68a823e4ed1b
f569190bd616be12793f40be4e0410daceee75eda14748e5816fef2544faefc2
SH256 hash:
4b7b83c99991371b9756ff91ec07abfbbc1c0cc17caf422e6ecd062f2d84cf9a
MD5 hash:
0a0b3aacdc321a1612d01e285993250b
SHA1 hash:
802205c8d1e0a1b6d203815df513fabb4948ad8c
Link:
https://www.unpac.me/results/3c6c21fd-bbd9-46f9-b3c7-26b910c625c5/
SH256 hash:
4894ddc3957792eaf0fcb1e54b9e85b6596de6148a75a8973d871c0a57bb5c61
MD5 hash:
b50bde1410b57969a8efe359e38bf92c
SHA1 hash:
5d96d9ebd8a4d0dc6648c779ab657c8f1e8d8936
Link:
https://www.unpac.me/results/3c6c21fd-bbd9-46f9-b3c7-26b910c625c5/
SH256 hash:
82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
MD5 hash:
fe2457d4da43adde492576a91398086e
SHA1 hash:
8c7c1efd47044f1d31cee78ea6c73df1a9296dea
Link:
https://www.unpac.me/results/3c6c21fd-bbd9-46f9-b3c7-26b910c625c5/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/82a5d382c3b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments