MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LaplasClipper

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1
SHA3-384 hash:	ac98ab35294658f73259e3b9909ce8ff9622b0f886a5e0f20582d557c6cf0316bf62b609711585f0338da8096717ff44
SHA1 hash:	ab564aa0f4b8c1bb4840e5d53cf22bda139a8417
MD5 hash:	354b3a49c2eb26b415dad675be798021
humanhash:	mountain-gee-ohio-enemy
File name:	file
Download:	download sample
Signature	LaplasClipper Create hunting rule
File size:	251'392 bytes
First seen:	2023-03-16 12:39:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1721309e32c361be0bb58c665aa73d12 (3 x Smoke Loader, 2 x RedLineStealer, 2 x LaplasClipper)
ssdeep	6144:bYJs4DXb74q3uYqTKRPRdqZThdIQJeyG:bYiw8guYq2Xahdxe
TLSH	T19734BF0393E17C61F5668E315E2EF2F8B61FF5614E5AEBDA22449B2F08713A1C5623D0
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0025111105130915 (1 x LaplasClipper)
Reporter	jstrosch
Tags:	exe LaplasClipper

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-03-16 12:29:22 UTC

Tags:

loader smoke trojan rat redline stealer amadey opendir aurorastealer evasion

Link:

https://app.any.run/tasks/cd987dab-58b9-4b25-9792-983cf40a1dd7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/374759/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64130e27c3d52e36200e40a7/reports/ed39384d-c14c-4d12-84d4-58d96a590c24/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/81fff087-6acf-4f0b-a2a2-a39fb03f9b62

Result

Threat name:

Laplas Clipper

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1194926

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Laplas Clipper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-03-16 12:40:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y2aim2xub4jnohvdbw6axjgqeezlmth7bayf34hqqj5o277jtxiq._file

Verdict:

malicious

Result

Malware family:

laplas

Score:

10/10

Tags:

family:laplas clipper persistence stealer

Link:

https://tria.ge/reports/230316-pv7tlsda9v/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Laplas Clipper

Malware Config

C2 Extraction:

http://45.159.189.105

Unpacked files

SH256 hash:

dbfa2baa1dfd84d8932061fc19e1a4f521e8bfd08bbde36cf598ae94c0dc4160

MD5 hash:

3e8bb8950fd7ed1899800b56298e87db

SHA1 hash:

4e5f2cfc8ad4b42d995e7784d66aa2d937470aec

Link:

https://www.unpac.me/results/045339f5-13cf-43d9-ae5a-fd9780c5ba11/

SH256 hash:

c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1

MD5 hash:

354b3a49c2eb26b415dad675be798021

SHA1 hash:

ab564aa0f4b8c1bb4840e5d53cf22bda139a8417

Link:

https://www.unpac.me/results/045339f5-13cf-43d9-ae5a-fd9780c5ba11/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com