MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 11


Intelligence 11 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA3-384 hash: 89f586318f177a6412be93fecc2bea383edde2a3a6e0daf2bb81e30fcd644b8f2ff03dd221c12b19f1baa96a4230b5c7
SHA1 hash: caa3927738b66c3ecc553943eabedcbbfbe4c0da
MD5 hash: b30e29bccabab032c27910210d9ccf76
humanhash: wolfram-vegan-carpet-cat
File name:b30e29bccabab032c27910210d9ccf76.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:4'249'896 bytes
First seen:2023-07-31 07:24:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 79b3362178937bf9559741c46bb9e035 (18 x LaplasClipper, 9 x RaccoonStealer, 8 x ArkeiStealer)
ssdeep 98304:BTq01m8gyX4fG9VNFJgAvUvc7uqBbDKxh4vU:BG0tgyoelMv+FAhwU
Threatray 785 similar samples on MalwareBazaar
TLSH T1521633118E52B507F0B49EF83AAFB872F5E3A79606A0361DC689612FA5041113DA3F5F
TrID 50.0% (.EXE) Generic Win/DOS Executable (2002/3)
49.9% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe LaplasClipper signed

Code Signing Certificate

Organisation:Acer Nitro USA AN517-58 [AN517-75-77M3]
Issuer:Acer Nitro USA AN517-58 [AN517-75-77M3]
Algorithm:sha1WithRSAEncryption
Valid from:2023-01-24T11:23:24Z
Valid to:2033-01-25T11:23:24Z
Serial number: 6ec7d0b8d8e8208e4235f4aeedad5927
Intelligence: 11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 47ae7dfa36c5f346d47f223e88ed62090867d2d94f0136a2cede8208132092e3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b30e29bccabab032c27910210d9ccf76.exe
Verdict:
Malicious activity
Analysis date:
2023-07-31 07:27:16 UTC
Tags:
laplasclipper
Link:
https://app.any.run/tasks/c5212922-ba6a-4352-8f3a-36b12ccf7d32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439363/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68441992.31302.30192.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/64c761d279f59a4bdc0d066a/reports/8af1fd71-3ba5-47d4-a806-bdb8383d1c9c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1084de7b-8851-4f77-beaf-d38a51c32ea5
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1282986
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-31 05:03:18 UTC
File Type:
PE+ (Exe)
Extracted files:
85
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3rpe37kqeth3r5ttnhzdeedzdel4x7sgos4hlgknyjttvn3ehra._file
Verdict:
malicious
Similar samples:
2494df92fe8d29c53db5479ceb92a48604bcacf4cafc3ccda97092cffef2b78a
LaplasClipper
40d11f822879f81adc2a95cbf4f88fed9a86901515ffba5af6e3c8e84601e80a
LaplasClipper
43b9908f18f1746055cc87dd678bcce4bf2134a059092a580b8c41653031f6fa
LaplasClipper
46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1
LaplasClipper
4b4c5e3bd2d16feef05e1f2cfcee8e8d31e5fe8e7237e319385b433fe66c6c35
LaplasClipper
58c0d2f945207a56f5baefbb320d7ddbd01089205025de05133db173281e65e2
LaplasClipper
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7
LaplasClipper
77530f67cff4fc2456c0b27abf28d1ab1f4f10fd9be039783adfa25ed1f7f196
LaplasClipper
bf129cec049c6d60b5a2ee6d2b99786e537f13d37a5a8464f0c6c6ef3df64cc3
LaplasClipper
e522454c7fb915cb65e42e67ea9890df5ead1356053e563c43a1603f669c6fa2
LaplasClipper
+ 775 additional samples on MalwareBazaar
Result
Malware family:
laplas
Create hunting rule
Score:
  10/10
Tags:
family:laplas clipper evasion persistence stealer trojan
Link:
https://tria.ge/reports/230731-h8zxlaec3y/
Behaviour
GoLang User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Laplas Clipper
Malware Config
C2 Extraction:
http://lpls.tuktuk.ug
Unpacked files
SH256 hash:
b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
MD5 hash:
b30e29bccabab032c27910210d9ccf76
SHA1 hash:
caa3927738b66c3ecc553943eabedcbbfbe4c0da
Link:
https://www.unpac.me/results/bd0f4545-39f4-4d2c-ae73-4d221f8768f1/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:laplas_golang
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:Laplas Clipper Golang Payload
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:TeslaCryptPackedMalware
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

Executable exe b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2679757/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/439363/

Comments