MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bb3af7379f2bcb345ccd6b2922ff1364dc2eb1c409b067f1e0f605181dd8699. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bb3af7379f2bcb345ccd6b2922ff1364dc2eb1c409b067f1e0f605181dd8699
SHA3-384 hash: 8966b4c6e4f411d45bd05304376cc1284ff67981802e2f0bdf1247efde414af71a84861ffb2e968f15b75da0608ad53f
SHA1 hash: 26d577bbcfcd4af443c65b73032f457a6ad2b72f
MD5 hash: 7c0bf36fcacf5e432d02e6e1f54d8790
humanhash: hydrogen-nebraska-ten-india
File name:7c0bf36fcacf5e432d02e6e1f54d8790
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:830'871 bytes
First seen:2022-11-27 04:13:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9deee1339fdd9dd87c8bd76cb88d8290 (20 x ErbiumStealer, 11 x ArkeiStealer, 2 x LaplasClipper)
ssdeep 24576:hLAt3ieGOGoNOcfLtAz2QFPlePWBoyZIjRN:te/VNLFIAPxqYRN
Threatray 1'040 similar samples on MalwareBazaar
TLSH T189058D24B8159036D3C010F5D23CBFB6666899311BA814FBB3FC597E9B14AC2A736B47
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 exe LaplasClipper

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7c0bf36fcacf5e432d02e6e1f54d8790
Verdict:
Malicious activity
Analysis date:
2022-11-27 04:15:47 UTC
Tags:
opendir loader stealer
Link:
https://app.any.run/tasks/baeaa472-aa47-41b9-a08e-0186a0af0f47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338931/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.25377.13710.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending an HTTP GET request
DNS request
Creating a file
Creating a process from a recently created file
Behavior that indicates a threat
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a file in the %temp% directory
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Launching a process
Searching for the window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
golang greyware overlay shell32.dll
Link:
https://www.filescan.io/uploads/6382e40b151dc20f68a7c6cd/reports/8d4cbd61-3872-41f1-acf8-1ac4926dba09/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/724f4506-1ea0-4b1a-9502-35ad72f3bdb2
Result
Threat name:
Laplas Clipper, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121795
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Laplas Clipper
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 754512 Sample: oEZNyJ0T3S.exe Startdate: 27/11/2022 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Antivirus detection for URL or domain 2->56 58 7 other signatures 2->58 8 oEZNyJ0T3S.exe 32 2->8         started        13 FRWxXtyVnj.exe 1 2->13         started        process3 dnsIp4 40 77.73.133.53, 49698, 49702, 80 AS43260TR Kazakhstan 8->40 42 mamamiya137.ru 77.73.133.46, 443, 49697 AS43260TR Kazakhstan 8->42 44 77.73.133.50, 49699, 49703, 80 AS43260TR Kazakhstan 8->44 30 C:\Users\user\Desktop\nueuolpnbgqbfaxu.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 8->32 dropped 34 C:\Users\user\AppData\Local\...\freebl3.dll, PE32 8->34 dropped 36 9 other files (5 malicious) 8->36 dropped 62 Tries to harvest and steal browser information (history, passwords, etc) 8->62 15 nueuolpnbgqbfaxu.exe 2 8->15         started        46 79.137.206.137, 49704, 80 PSKSET-ASRU Russian Federation 13->46 64 Antivirus detection for dropped file 13->64 file5 signatures6 process7 file8 38 C:\Users\user\AppData\...\FRWxXtyVnj.exe, PE32 15->38 dropped 48 Antivirus detection for dropped file 15->48 50 Multi AV Scanner detection for dropped file 15->50 19 cmd.exe 1 15->19         started        22 MpCmdRun.exe 1 15->22         started        signatures9 process10 signatures11 60 Uses schtasks.exe or at.exe to add and modify task schedules 19->60 24 conhost.exe 19->24         started        26 schtasks.exe 1 19->26         started        28 conhost.exe 22->28         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bb3af7379f2bcb345ccd6b2922ff1364dc2eb1c409b067f1e0f605181dd8699/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-11-23 18:28:47 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
30 of 41 (73.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=roz2643z6k6lgrom22zjel7rgzg4f2y4icnqm7y6b5qfdao5q2mq._file
Verdict:
malicious
Similar samples:
081efe08a54211147b7fb7f7dafba081da5ca5c0902f741003c4e4374e773869
LaplasClipper
11f2765287664a10a83b56cec5f2c1bf34ff7a7e1721458950d4976d54b21414
LaplasClipper
3a6ff8e3ab8b15036ff5a4e6fcaf4c84d0a122d3f6f2636dc10af77068896f62
LaplasClipper
7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b
LaplasClipper
80991222b1cf2e863e1e8ac51b6fe90cf0b701df1d8af8c3a9ce9ec10e089f77
LaplasClipper
873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42
LaplasClipper
c3ac86b3dfaed540a466f230e12c3f12c56e10755b6d5d195001ca5523d80fa4
LaplasClipper
d0d72bb86445f46afd1cff56e317543011d1d4a4b6ba18791b63b26a7282af7c
LaplasClipper
faf9fafa302622d32b46956c7ff81da78773366c0e120936a61ceea4c489c5b8
LaplasClipper
+ 1'030 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/221127-etm3pshc44/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/27068811-d866-4515-997b-702c793253c8
Unpacked files
SH256 hash:
8bb3af7379f2bcb345ccd6b2922ff1364dc2eb1c409b067f1e0f605181dd8699
MD5 hash:
7c0bf36fcacf5e432d02e6e1f54d8790
SHA1 hash:
26d577bbcfcd4af443c65b73032f457a6ad2b72f
Link:
https://www.unpac.me/results/a734c031-3d10-424d-8137-3e3ebc91c15e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8bb3af7379f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bb3af7379f2bcb345ccd6b2922ff1364dc2eb1c409b067f1e0f605181dd8699

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

Executable exe 8bb3af7379f2bcb345ccd6b2922ff1364dc2eb1c409b067f1e0f605181dd8699

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2434404/
Cape
Cape
https://www.capesandbox.com/analysis/338931/

Comments


Avatar
zbet commented on 2022-11-27 04:13:11 UTC

url : hxxp://77.73.133.50/wifi.exe