MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LaplasClipper

Vendor detections: 14

Intelligence 14 IOCs YARA 12 File information Comments

SHA256 hash:	9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5
SHA3-384 hash:	f979e61100e5e5213acdcd58bbce8c323ba1c4f8fe2fba46cf2be69dadb106650b72ebee211500c27ed2e9dd8ff671c5
SHA1 hash:	392bb3736fe7b5e45f808f69097ae422ebc5c018
MD5 hash:	94ce1cdbccb31d0993990d8a5fbd34d8
humanhash:	green-helium-maryland-crazy
File name:	setup.exe
Download:	download sample
Signature	LaplasClipper Create hunting rule
File size:	1'935'360 bytes
First seen:	2023-03-20 11:56:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9c97db954c6eab8dfde4a4fd207d98cc (28 x RedLineStealer, 5 x Amadey, 4 x Stop)
ssdeep	49152:rzmvpQccgreskIaAUgrqgHkrWIF994X5IBYr:rzOJtqgHkVoIB
Threatray	77 similar samples on MalwareBazaar
TLSH	T1C09512039AE27C58F9564B739E2FC2E8330EB795CF9877A63214DA6B04B11A1D173B50
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	80a488a4a088c000 (2 x LaplasClipper)
Reporter	Chainskilabs
Tags:	exe LaplasClipper

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2023-03-20 11:57:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/926ef6c5-54ab-436f-9957-a9706696d9ec

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/375917/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/74267/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64184a0f2fbc9ad18a03064d/reports/d2de125a-8928-4ae2-913c-f034151bc82c/overview

Verdict:

Malicious

Labled as:

Babar.Generic

Link:

https://www.hybrid-analysis.com/sample/9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Aurora Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2145849a-b8ce-4ae7-8350-d905f2673e8d

Result

Threat name:

Laplas Clipper

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1197615

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Laplas Clipper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-03-20 11:57:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t7mpnoo2r2hiixtn66l36ed23kxduxfultsfqgobr7n7xlz7o2sq._file

Verdict:

malicious

LaplasClipper

1629517494047e32a2660297ce222050c869f80f64b3210fa242c047eff6b7dc

LaplasClipper

291003d022e462dc6ece1e0d6cf6a636520060358683596b71623f1c71a539c3

LaplasClipper

683d200bc03f75a371ad5f8e6ce353c36eddca7c3db3cc155852ed675ec627be

LaplasClipper

7c849ca7534ee84e5e769f3f84f6af78121bc4e45b9888d1fdbfedd338b7e606

LaplasClipper

82d011953a7743aef8d380c46177a5c9c9c56e0d9408f47a11eb7443be912e51

LaplasClipper

9178d0152c7511a2f09a96a647508c211ad860780a50a753ed4c22c0fd71ec98

LaplasClipper

c82be6d39f5dfcf23581234b22352895844b5aebb79798b3d6bd1eaf22560925

LaplasClipper

cbd52e865efdcce13184bb8594a5016cc973b2f30e880fc620c60dc0b5986e1c

LaplasClipper

f896fb8727bf4875b091c1e1f8c20c861e8887a751ebc9922d65e8750c4ed2a8

LaplasClipper

+ 67 additional samples on MalwareBazaar

Result

Malware family:

laplas

Score:

10/10

Tags:

family:laplas clipper persistence stealer

Link:

https://tria.ge/reports/230320-n4lgasdd44/

Behaviour

GoLang User-Agent

Suspicious use of WriteProcessMemory

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Laplas Clipper

Malware Config

C2 Extraction:

http://45.87.154.105

Unpacked files

SH256 hash:

75e795f38ba7f689c73a3bb86ef959b5e48958aafbcdc36e582f1f6d7b7139ec

MD5 hash:

23aeddebf2e77375b20b18a801759aab

SHA1 hash:

e6b7560ff5f88a8bc79a66383e8c70cc34ca38a0

Link:

https://www.unpac.me/results/c00ea7da-bf63-44fc-adff-594d65d9c3de/

SH256 hash:

9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5

MD5 hash:

94ce1cdbccb31d0993990d8a5fbd34d8

SHA1 hash:

392bb3736fe7b5e45f808f69097ae422ebc5c018

Link:

https://www.unpac.me/results/c00ea7da-bf63-44fc-adff-594d65d9c3de/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9fd8f6b9da8e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

exe 9fd8f6b9da8e8e845e6df797bf107adaae3a5cb45ce45819c18fdbfbaf3f76a5

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/375917/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample