MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0a070dd3a3fe772359440bce75f73825ea8f16b195e15d91a2fa8c120c32463. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LaplasClipper


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0a070dd3a3fe772359440bce75f73825ea8f16b195e15d91a2fa8c120c32463
SHA3-384 hash: 0851a013563b42e5b24821cb79e5b92ae488612ff6639e0302d23850039e5ef61d476adde006f6bc891f6c115af3d6e9
SHA1 hash: 54ad3bc6bd447a016aba24d3d7adaf0ecac38f75
MD5 hash: 9ac7b60b880d404a156457d7b1dacd05
humanhash: high-berlin-uniform-wisconsin
File name:9ac7b60b880d404a156457d7b1dacd05.exe
Download: download sample
Signature LaplasClipper
Create hunting rule
File size:198'872 bytes
First seen:2022-12-24 08:28:05 UTC
Last seen:2022-12-24 10:32:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e803408cdeefd1e2c4d8dc708f0be4a (1 x Amadey, 1 x LaplasClipper)
ssdeep 3072:Dzo/XnSv5phHM0gXZEi4f9xUPU9nTxog4guKMkDE9rDk:I/XShphFKujf9xEmnTxog4gNEC
Threatray 4 similar samples on MalwareBazaar
TLSH T17C143A486B30C217E2684D79B46B7EE058660C7C6E02C3ABFF58B8467D77BA511731B8
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 63e08e969ee6f823 (4 x LaplasClipper, 3 x SystemBC, 1 x Amadey)
Reporter abuse_ch
Tags:exe LaplasClipper signed

Code Signing Certificate

Organisation:www.blessing.com
Issuer:www.blessing.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-23T14:51:13Z
Valid to:2023-12-23T15:11:13Z
Serial number: 7a72c9995819c792480a34503a2b7934
Thumbprint Algorithm:SHA256
Thumbprint: 2bf6311f3fb9a085f33d2bb9981b469219599e18a7c209a69140337790492121
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9ac7b60b880d404a156457d7b1dacd05.exe
Verdict:
Malicious activity
Analysis date:
2022-12-24 08:30:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5d613f48-1a08-4ca9-8fe0-4d9e39ef7485

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Lazy.278165.14475.14505.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed systembc
Link:
https://www.filescan.io/uploads/63a6b84f898959f356c5a925/reports/450c28b1-1367-4ae0-842b-db2fd94d7bb9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fa73f62-9e44-4ee6-85a3-bb1582cbac13
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1140370
Signature
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0a070dd3a3fe772359440bce75f73825ea8f16b195e15d91a2fa8c120c32463/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-12-23 23:57:48 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ycqhbxj2h7txenmuic6oox3tqjpkr4lldfpblwi2f6umcigderrq._file
Verdict:
malicious
Similar samples:
70c5c7eabc6132a6f083ab2f820592b985aab4b11ac5e46f944586f0e725fea0
LaplasClipper
9bbd2fc484077da329ae3658122614fa1f9f9dfe9e3ebfb982a69d32fc55a66b
LaplasClipper
bb2ab6b864ce12a5df5b90ff291d5f1ef8fe2de529d986cf99ccc6272dd1e576
LaplasClipper
c0053dbee91766d79ea0f3c44e4af3006935f2dd4f0d8d1c596db2a798296a3b
LaplasClipper
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221224-kdj9rsch9w/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
9ff58195f7b70d5be560175ba546103019f625e03a8c98d20369f8c2a5b47179
MD5 hash:
9132b84ec06589f04a7e6c5354b9363d
SHA1 hash:
7565668871580840c76f2c32b8a26d9b4a9605fa
Link:
https://www.unpac.me/results/cb02c78b-7a61-404d-97cc-6880dd383a8d/
SH256 hash:
c0a070dd3a3fe772359440bce75f73825ea8f16b195e15d91a2fa8c120c32463
MD5 hash:
9ac7b60b880d404a156457d7b1dacd05
SHA1 hash:
54ad3bc6bd447a016aba24d3d7adaf0ecac38f75
Link:
https://www.unpac.me/results/cb02c78b-7a61-404d-97cc-6880dd383a8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/c0a070dd3a3fe772359440bce75f73825ea8f16b195e15d91a2fa8c120c32463

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LaplasClipper

Executable exe c0a070dd3a3fe772359440bce75f73825ea8f16b195e15d91a2fa8c120c32463

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2484908/
  
Delivery method
Distributed via web download

Comments