MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a53f2bbe349eb40e02353375416cb15b0723606a9909b33f7930af9c82175fbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LaplasClipper

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	a53f2bbe349eb40e02353375416cb15b0723606a9909b33f7930af9c82175fbf
SHA3-384 hash:	5293b26207988df70446a6df8c15aa5bcca874d8913ea105274c8a80306b427ab81a5ea63235d56321ac041c244cc17c
SHA1 hash:	024f75a412bde9a4e9d039309494d5eeb70c6d0b
MD5 hash:	0a16903d160b9a06cfa61ba8d92692a7
humanhash:	carbon-queen-delta-avocado
File name:	0a16903d160b9a06cfa61ba8d92692a7.exe
Download:	download sample
Signature	LaplasClipper Create hunting rule
File size:	1'963'008 bytes
First seen:	2023-01-15 09:20:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	060d17800c4ce70fe36e9f82e5d5defa (7 x Smoke Loader, 2 x RedLineStealer, 1 x RecordBreaker)
ssdeep	49152:WbGyl3WeDDvAIIMlFqMrA1FW6N6MA1NN9ootW5BBaB3+2:Wv3WuDvAa8MMLW6gMA1X9gXBaBO
Threatray	69 similar samples on MalwareBazaar
TLSH	T16A952312FACBEC25E5250E324945DFF22AB8EC207825599F2378FA6FB9707D06153931
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9a9ececec6c2cec6 (1 x LaplasClipper)
Reporter	abuse_ch
Tags:	exe LaplasClipper

abuse_ch

LaplasClipper C2:
http://45.159.189.105/bot/regex?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0a16903d160b9a06cfa61ba8d92692a7.exe

Verdict:

Malicious activity

Analysis date:

2023-01-15 09:22:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f397a724-5bc8-4e7d-8ac1-49900d5b3c00

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/353050/

Detection(s):

Win.Packed.Stop-9983396-0

Win.Packed.Stop-9983399-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a file

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/60406/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed redline smokeloader

Link:

https://www.filescan.io/uploads/63c3c57fc4d5506231127b11/reports/25844772-a6b4-4185-9197-7b7389d5d29b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b67f68fd-9406-43a8-8cac-1a6943bf488d

Result

Threat name:

Laplas Clipper

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1151856

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Laplas Clipper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a53f2bbe349eb40e02353375416cb15b0723606a9909b33f7930af9c82175fbf/

Threat name:

Win32.Trojan.Lockbit

Status:

Malicious

First seen:

2023-01-12 17:23:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 38 (86.84%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uu7sxprut22a4arvgn2uc3frlmdsgydktee3gp3zgcxzzaqxl67q._file

Verdict:

malicious

LaplasClipper

24e9c021c90c80320fefba56577cf00a2d60890c68fc39261ca4b6eaea5051b6

LaplasClipper

77546e4fdc3323633d7ab065dd65e48869799e715015d760424fa43af1c4b3c4

LaplasClipper

7bb10303027c42b4893bc186be547fbd8f0d59a8a8171703c8ad88680831785f

LaplasClipper

bd7b6f6ef2d0adfb9b2e058fc46ad29ff1edffc648f9d7408745916bb8a2f310

LaplasClipper

be607f4670ec8ae8808e6c46603344dcd3d0e58c7e2c7644cf6a360e60f92ce7

LaplasClipper

c91e0e2bdcbfabbe34e3106b1f0efce7635b6a7ec07835fca4d16677feb39ea5

LaplasClipper

dc401554533938f33c0c6cf36246e4fc21dc687d2d3f2925bfa9f7d62a2c5fbe

LaplasClipper

f3c6211ad76333c2c34cf3fb7f028b199edab8330894026c95ebcd1cdec9f2a9

LaplasClipper

+ 59 additional samples on MalwareBazaar

Result

Malware family:

laplas

Score:

10/10

Tags:

family:laplas stealer

Link:

https://tria.ge/reports/230115-lbbehsgf9t/

Behaviour

Creates scheduled task(s)

GoLang User-Agent

Suspicious use of WriteProcessMemory

Executes dropped EXE

Laplas Clipper

Malware Config

C2 Extraction:

45.159.189.105

Unpacked files

SH256 hash:

916e0f5b52545a0c91144e400189a87308e04269b4ed6f54f6456afafa147de1

MD5 hash:

aa896834f985cbce026ffdc12a10a0b6

SHA1 hash:

df965522e74637101abb87b166328e5805dd0a33

Link:

https://www.unpac.me/results/5b1455e5-aa46-449c-a567-9f428da8bc3c/

SH256 hash:

a53f2bbe349eb40e02353375416cb15b0723606a9909b33f7930af9c82175fbf

MD5 hash:

0a16903d160b9a06cfa61ba8d92692a7

SHA1 hash:

024f75a412bde9a4e9d039309494d5eeb70c6d0b

Link:

https://www.unpac.me/results/5b1455e5-aa46-449c-a567-9f428da8bc3c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a53f2bbe349e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a53f2bbe349eb40e02353375416cb15b0723606a9909b33f7930af9c82175fbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	go_binary Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_laplas_clipper_9c96 Create hunting rule
Author:	Johannes Bader
Description:	detects unpacked Laplas Clipper

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/353050/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample